HttpListener stand-alone site - how to handle authentication?

If you create a standalone webpage around an HttpListener, how can you handle authentication securely? I do not want to use basic authentication because it passes the credentials as plain text. I know digest is another option:

    listener = new HttpListener();
    listener.Prefixes.Add(url);
    listener.AuthenticationSchemes = AuthenticationSchemes.Digest;
    listener.Start();

Is it safe enough and what are the standard / best practices for actually capturing username and password and authentication?

In this situation, by default there is no web.config or hosting environment.

+4
2 answers

Using authentication with HttpListener means that Windows performs your authentication for you using the built-in authentication system (i.e. Active Directory). This means that for digest authentication, you need to create domain accounts for your users. Is that what you intended? If you want to do your own authentication, this is a more complicated question. I will not go into how to do this unless you say what you want to do.

+2
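One way to do your own authentication with HttpListener, as an added example that is not part of the original question or answers: with AuthenticationSchemes.Basic the listener hands the submitted name and password to the application as an HttpListenerBasicIdentity, so the application verifies them itself, here against salted PBKDF2 hashes with a constant-time comparison. It assumes .NET 6 or later and an HTTPS prefix whose certificate is already bound to the port (for example with netsh http add sslcert), so the credentials do not cross the network in plain text; the URL, realm, user name, password and in-memory store are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original page). Assumes .NET 6+ and TLS on the prefix.
static class Program
{
    const int Iterations = 210_000, HashLen = 32;
    record Cred(byte[] Salt, byte[] Hash);
    static readonly Dictionary<string, Cred> Users = new(); // constructed in-memory store
    static readonly Cred Dummy = Make("dummy-password");     // verified against for unknown users

    static Cred Make(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return new Cred(salt, Derive(password, salt));
    }

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashLen);

    static bool Verify(string user, string password)
    {
        bool known = Users.TryGetValue(user ?? "", out Cred c);
        c ??= Dummy; // do the same amount of work whether or not the user exists
        bool match = CryptographicOperations.FixedTimeEquals(Derive(password ?? "", c.Salt), c.Hash);
        return known & match;
    }

    static void Main()
    {
        Users["alice"] = Make("constructed sample password"); // constructed sample account
        using var listener = new HttpListener();
        listener.Prefixes.Add("https://localhost:8443/");     // hypothetical HTTPS prefix
        listener.AuthenticationSchemes = AuthenticationSchemes.Basic;
        listener.Realm = "example";
        listener.Start();
        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            var id = ctx.User?.Identity as HttpListenerBasicIdentity;
            bool ok = id != null && Verify(id.Name, id.Password);
            ctx.Response.StatusCode = ok ? 200 : 401;
            byte[] body = Encoding.UTF8.GetBytes(ok ? "Hello, " + id.Name : "Unauthorized");
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }
    }
}
```

Only the salt and derived hash are stored, never the password itself, and registering an http:// prefix instead of https:// would expose the Basic credentials on the wire.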

I would consider introducing requirements-based security support. You will have to handle security tokens, but the actual user authentication may be "passed on" to third-party external identity providers.

Perhaps you can use the Windows Identity Foundation (WIF) to handle most of the work.

+1
