C# .NET - Authentication with HttpHandlers Best Practice

Asked By dan scan on 08-Jan-13 12:29 PM
I am creating HttpHandlers that will need to do some authentication for them to run. What is the best practice for this? I have used forms authentication in standard UI-based authentication but not in HttpHandlers.

Also, this has to be generic. Think API. I was not sure if POSTing a username and password was the best or recommended method. Is there a security flaw with just having it as part of the form post, or not? I know that this is how it is normally done with UI-based authentication, but I was not sure whether HttpHandler methods might open a security hole.
Robbe Morris replied to dan scan on 08-Jan-13 12:28 PM
A lot of this depends on how your HttpHandlers are being used.  If they are used within a large ASP.NET app, you could just check whether the user is currently authenticated.  If you were using Session, you could check the context.Session["some unique user key"] to see if it is populated and valid.

If other applications are going to use your handlers, then you'll probably want to purchase an SSL cert and include the username/password in the message.  They would be encrypted as they are transmitted over the network.
dan scan replied to Robbe Morris on 08-Jan-13 01:07 PM
The httphandler is going to be used by other applications.  
I figure the apps would make one call with the expected authentication and data for the request.  Data would then be returned in the Response.  

When you speak about an SSL cert, do you mean that I should just send the request over HTTPS connections (with proper registering, etc.)? Or something special using the cert?
Robbe Morris replied to dan scan on 08-Jan-13 01:34 PM
Yes, I do mean using it for HTTPS calls. You wouldn't want to transmit authentication values over clear HTTP.

Why are you not creating a more formal WCF Web Service API instead of a generic httphandler?  At least with the WCF service the end clients could create references to the service and get proper classes and methods generated for their code.  Much, much easier to work with.

If other client apps are going to use your API, you've got to account up front for the concept of changing the interface to your API without running the risk of breaking client apps.
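The two cases Robbe describes (a handler called from inside an already-authenticated ASP.NET app, and a handler called by other applications that POST a username and password over HTTPS) can be handled in one IHttpHandler. The following is an added example, not code from either poster: the class name `ApiHandler`, the web.config registration, the form field names `username`, `password` and `data`, and the session key `AuthenticatedUser` are all assumptions; `Membership.ValidateUser` is the standard System.Web.Security call that forms authentication apps typically already use.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example (not from the thread). Registered in web.config under
// <system.webServer><handlers>, e.g.:
//   <add name="Api" path="api.ashx" verb="POST" type="Example.ApiHandler" />
// The type name, path and form field names are assumptions for illustration.
public class ApiHandler : IHttpHandler, IReadOnlySessionState
{
    // Assumed session key used by the rest of the app when it signs a user in.
    private const string SessionUserKey = "AuthenticatedUser";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest req = context.Request;
        HttpResponse resp = context.Response;
        resp.ContentType = "text/plain";
        resp.Cache.SetCacheability(HttpCacheability.NoCache); // never cache an authenticated reply

        string user = null;

        // Case 1: called from within the same ASP.NET app. Forms authentication has
        // already populated context.User from the auth cookie, so just check it.
        if (context.User != null && context.User.Identity.IsAuthenticated)
        {
            user = context.User.Identity.Name;
        }
        // Case 1b: app keeps the signed-in user in Session instead (IReadOnlySessionState
        // above is what makes context.Session available inside a handler).
        else if (context.Session != null && context.Session[SessionUserKey] is string)
        {
            user = (string)context.Session[SessionUserKey];
        }
        else
        {
            // Case 2: called by another application with credentials in the POST body.
            // Refuse anything that did not arrive over HTTPS, so the password is never
            // transmitted in the clear.
            if (!req.IsSecureConnection)
            {
                resp.StatusCode = 403;
                resp.Write("HTTPS required");
                return;
            }
            // Credentials belong in the POST body, not the query string (URLs end up in logs).
            if (!string.Equals(req.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            {
                resp.StatusCode = 405;
                resp.Write("POST required");
                return;
            }

            string username = req.Form["username"];
            string password = req.Form["password"];
            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)
                || !Membership.ValidateUser(username, password))
            {
                // Same response for unknown user and wrong password: don't leak which it was.
                resp.StatusCode = 401;
                resp.Write("Authentication failed");
                return;
            }
            user = username;
        }

        // Authenticated by one of the paths above: do the real work as that user.
        string data = req.Form["data"] ?? string.Empty;
        resp.Write("Hello " + user + ", received " + data.Length + " bytes of data");
    }
}
```

Because the handler returns early with a status code instead of calling Response.End(), it avoids the ThreadAbortException that End() raises in ASP.NET. The IsSecureConnection check only sees the connection to this server; if a load balancer terminates TLS in front of the app, the check has to be adapted to whatever that device reports (typically a forwarded header), otherwise every request will be rejected as plain HTTP.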