HTTPS for login?

Jan 16, 2008 at 12:46 AM
I recently discovered BlogEngine.NET and instantly fell in love with this elegant, lightweight solution.

However, I am hesitating to run it on an Internet-facing server because authentication is basic plain-text auth.
This is, mildly put, extremely irresponsible and just equates with a (big time) disaster going to happen.

I'm lazy and don't want to go through the source - yet I could not find a recipe/solution to secure BlogEngine.
Has anyone done this already? Also: has anyone done a source audit with security in mind?
Jan 16, 2008 at 8:31 AM
The forms authentication model in ASP.NET is good enough for most people. I use the SQL membership provider rather than the XML provider, so at least the passwords are stored in encrypted form. This is quite easy to set up if you have an SQL Server instance.

As far as I know the HTTP protocol has not been hard-coded in the source, so blogengine should work fine over HTTPS if you need that level of security (if you have problems, post the problems here and I'm sure they'll be addressed).

Alternatively, forms authentication allows you to specify your own login page - perhaps you could create a login page in a secure location and run the rest of the app unencrypted to reduce the overhead. (The login page has to be part of the same ASP.NET application though).

Let us know how you get on!
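The setup described in the reply above (forms authentication, the SQL membership provider, and a login page that is only ever served over HTTPS) can be expressed in the application's web.config. The fragment below is an added example for this thread, not configuration shipped with BlogEngine.NET or written by the poster; the connection string name `BlogDb`, the cookie name `.BLOGAUTH`, and the `applicationName` value are placeholders chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config fragment for an ASP.NET 2.0+ application.
     Names marked "placeholder" are assumptions, not values from the thread. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder connection string; point it at the database created by aspnet_regsql.exe -->
    <add name="BlogDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=Blog;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication: the login page is the only place the password travels,
         and requireSSL="true" makes ASP.NET refuse to issue or accept the auth cookie
         over plain HTTP, so a ticket cannot be replayed from an unencrypted request. -->
    <authentication mode="Forms">
      <forms name=".BLOGAUTH"
             loginUrl="~/login.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="true"
             timeout="30"
             cookieless="UseCookies" />
    </authentication>

    <!-- Also keep every cookie off plain HTTP and out of reach of page scripts. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- SQL membership provider instead of the XML provider. passwordFormat="Hashed"
         is the provider's default; it is spelled out here so that a reviewer can see
         that credentials are stored as salted hashes rather than reversibly. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="BlogDb"
             applicationName="/BlogEngine"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>

  <!-- Only the authenticated area needs a ticket; the public blog keeps running
       unencrypted, as suggested above. "admin" is a placeholder folder name. -->
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two things to check after applying a configuration like this: with `requireSSL="true"`, the login page itself has to be reachable over HTTPS (an HTTP request to it will simply never receive the cookie), so the server needs a certificate bound to the site, and any link from the public pages to the login page should use an absolute `https://` URL. The `<location>` rule only protects requests that pass through ASP.NET; static files served directly by IIS 6 are not covered by it.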
Jan 16, 2008 at 3:28 PM
I wrote a couple of articles about this topic. It's nice to see that someone besides me is worried about clear text authentication...

Have a look at these articles...