Hi,

we have a dnn site with some extra database tables on the database associated with the site. This resides on Windows Azure.

would also like to add facebook sign in etc in the future but that's another story.

im looking to build an iOS app that would talk to those extra tables & was wondering if I could use dnn's authentication mechanism on the iOS app.

basically I want users to be able to log into the dnn site to add their content or do the same from our new iOS app. Same goes for registering. An iOS user could sign up in the app but that also gives them the ability to log into the dnn site using the credentials they created on the app.

thanks in advance for any assistance.

Tango, we are doing a project (iPad app) that have identical requirements as what you are describing as far as authentication is concerned. DNN now provides Digest authentication out of the box, which is a lot safer than Basic authentication. Refer to this blog post by Peter Donker http://www.dnnsoftware.com/community-.... Here's an excerpt from that
----------------------------------------------------------
* Intermezzo: Digest authentication
For the security buffs out there: DotNetNuke now includes its own digest authentication implementation. This is pretty cool. It means we finally have something safer than basic authentication that we can use for these services. In a nutshell the difference comes down to this. Basic authentication sends your login details over to the server in clear text. That is: your username and your password. That is an obvious security risk. The fact is that most sites run this way. Webforms and otherwise. The only way to hide the login details is to go https, but that is a bridge too far for many. Any time you enter your password on a page which is plain old http, you know it is going over the wire. And not as asterisks! So apart from https are there any alternatives? Yes, digest for instance. This authentication mechanism is based on you signing your username and password together with some unique info from the server which the server then verifies. The great thing is that only the signature makes it across. Not the password itself. And of course the signature is different for every time the conversation takes place. Want to know more:

https://en.wikipedia.org/wiki/Digest_...

The great thing about this is that you could now code an app (i.e. like on an iPhone) that stores your password in the device and authenticates you on your DNN site without passing this over the air. That is essential IMO to future mobile development for DNN as mobile device traffic is particularly vulnerable to snooping.
---------------------------------------------------------
But Digest authentication is still vulnerable to certain attacks, such as Man-in-the-middle attacks, so it's not guaranteed to be secure. I'm assuming that's why Cathal is recommending Https only. But it depends on your security requirements. Maybe Digest is secure enough.

Cathal, do you mind elaborating a bit more on these 2 options you mentioned?

"theres a few approaches - you can either send the username/password with each request and use that to create the user who actually does the action, or else you can send it once and use an API method such as UserController.UserLogin to log the user in and set the cookie - this will then be sent on all future requests and allow standard service framework security to apply."

Thanks.
Han

Cathal, I'm glad I asked. I was still under the impression that DNN still supported Digest authentication. I also found this https://dnntracker.atlassian.net/browse/DNN-3330, which is what you were saying about DNN since 7.1.0 no longer supports Digest. Looks like SSL is the way to go for us in our scenario. Thanks.

Han