Compsoft Flexible Specialists

Compsoft plc


Thursday, November 09, 2006

Tim Jeanes: Microsoft TechEd (Thursday)

The first session today was on asynchronous ASP.NET. This is something we haven't really needed to use in the past because it's quite a pain and it doesn't improve the individual user's experience at all: if you request a web page then you're going to have to wait for all the information to come back before you can do anything anyway. The downside (that we'd overlooked) is that if the page is slow to load due to waiting for a large database request or a response from an external web service, then that ties up a thread from the pool, potentially preventing other users accessing the site if there's a lot of heavy traffic. This session walked through how to use multi-threading to make applications far more scalable (sometimes over 1000 times more scalable).

I don't think this is something we'll be implementing on every page we build (although practically all our pages query the database), but there are some pages that I think are good candidates for using this kind of methodology: ones that contain images we're pulling from the database or contacting the bank to take customers' payments, especially when these pages are amongst the most frequently-accessed ones.

A Q&A session on squeezing better performance out of .NET code contained a disappointing lack of stuff that I can immediately use, though it did give a few interesting insights into what's going on behind the scenes.

I attended a seminar and subsequent white board discussion that went into quite some depth on how to use Windows CardSpace to authorise users logging onto your website and to take credit card payments for your goods and services. CardSpace is just such a beautiful thing. If you're reading this blog, then the chances are that CardSpace isn't going to help much to protect your identity online. It's all about protecting the identity of people who are using the internet but have no idea what security is, and couldn't tell a phish from a fish. So many times, the speaker's or delegates' mothers were cited: what would my mum do if she visited such a site? How would my mum manage her cards? What would a phishing site be able to do with my mum's card?

The end user will never have to remember a username or password again; they can control exactly what personal information is sent to each site; even if two websites have access to each other's databases, they won't be able to tell that a user uses both those sites; and a user can (if they so wish) maintain a number of different identities for different purposes.
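The unlinkability property described above can be illustrated with per-site identifiers. This is an added example, not code from the session or from CardSpace, and the HMAC derivation, the site names and the sample users are assumptions chosen to show the general idea rather than CardSpace's actual algorithm.

```python
import hashlib
import hmac
import secrets


def site_identifier(card_secret: bytes, site_identity: str) -> str:
    """Identifier one site sees for one card: HMAC-SHA256(card secret, site).

    Stable for a (card, site) pair, different for every other site.
    """
    site = site_identity.strip().lower().encode("utf-8")
    return hmac.new(card_secret, site, hashlib.sha256).hexdigest()


def shared_keys(table_a: dict, table_b: dict) -> set:
    """What two sites learn by joining their user tables on the stored key."""
    return set(table_a) & set(table_b)


def demo() -> dict:
    # Constructed sample data: three users, each holding one card secret
    # that never leaves their machine (assumption of this sketch).
    cards = {u: secrets.token_bytes(32) for u in ("alice", "bob", "carol")}
    shop, forum, lookalike = "shop.example", "forum.example", "sh0p.example"

    # Each site stores only the identifier derived for it (the value
    # stands in for the rest of the site's user row).
    shop_users = {site_identifier(cards[u], shop): u for u in ("alice", "bob")}
    forum_users = {site_identifier(cards[u], forum): u for u in ("alice", "carol")}

    # Baseline for comparison: both sites keyed on the same e-mail address.
    shop_by_email = {"alice@example.test": 1, "bob@example.test": 1}
    forum_by_email = {"alice@example.test": 1, "carol@example.test": 1}

    return {
        # Returning visitor: same card, same site, same identifier.
        "alice_recognised_by_shop": site_identifier(cards["alice"], shop) in shop_users,
        # Alice uses both sites, yet the pairwise tables have no key in common.
        "pairwise_overlap": shared_keys(shop_users, forum_users),
        "email_overlap": shared_keys(shop_by_email, forum_by_email),
        # A look-alike site receives an identifier the real shop never issued.
        "lookalike_id_valid_at_shop": site_identifier(cards["alice"], lookalike) in shop_users,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```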

There was a demonstration of how to switch an existing site across to using CardSpace as well as the username/password system that's already in place. It's surprisingly simple: you'd have to add a few lines of HTML to the login page, one GUID column to the user table, and write a bit of easy code to handle the card data you receive. Public code libraries already exist to handle the decryption of the incoming key.

There's additional security for sites that (at present) require rather more security for setting up a user account than just picking a username and password - such as your online bank account. In this case the bank would dish out the virtual card that you then use to sign on. The bank is the only person who holds your details, and they'll never need to know your mother's maiden name.

I think CardSpace really has the power to revolutionise identity on the internet - especially as non-Microsoft systems providers are actively supporting it, and a number of banks are on board for using this as a more reliable method of user authentication.
