Security for Microsoft Visual Basic .NET

You should use ASP.NET authentication whenever you have a site that presents, edits, or manipulates information that not everyone should have access to. Some people think that keeping a site’s location secret is a good way to stop intruders from getting access. While this is true to some extent, it is no substitute for authentication—hackers use commonly available programs that sniff out locations of Web sites. So, if your security strategy relies on people not knowing where your site is, it’s definitely time to start thinking about authentication. Obscurity is not security.

Each of the three ASP.NET authentication mechanisms is best suited for a different type of Web application:

• Forms-based authentication Great for applications for which you want to manage the user list yourself or store extra information—such as the contents of a shopping cart or customizations— about the user on the server.

• Windows authentication Great for intranet applications, which have all the users on the same domain as the Web server.

• Passport authentication Great for public sites for which you don’t want to maintain user sign-in names, passwords, etc. It’s also good for maintaining authentication across a number of disconnected Web sites because the authentication is centrally managed by the Microsoft .NET Passport service.