Winforms app as "offline mode" of the web app

I saw similar questions here, but none of them really addressed my situation, here's the setup:

I have an ASP.NET application with Forms Authentication (SqlMembershipProvider) where users can submit audit findings.

I want to create a lightweight desktop app (let's call it MyApp) (to use Offline) so that users can submit audit findings when they don't have internet connectivity.

Here are the MUST-HAVES:

1. Authenticate the user against my SqlMembershipProvider (anonymous users can't submit audit findings)
2. Only ask the user for credentials ONCE (when s/he op开发者_运维知识库ens MyApp) (I'll have the ability to save the authentication token, but in some cases MyApp will be installed on a laptop that's being used by multiple users, hence I'll have to force users to login every time MyApp is open)
3. Do NOT store password in plain-text (if user is offline when MyApp is opened, I want to save the credentials to authenticate the user whenever connection is available) - not sure if this is possible

Once I get the 3 things above figured out - the rest is easy.

Here's a simple scenario in case the above is confusing:

1. MyApp is installed on the office laptop, that people take along when they travel
2. 2 Users travel to remote area (no internet), and conduct 2 separate audits
3. User 1 opens MyApp, provides his user/pass (see #2 in MUST-HAVES), submits 3 findings (I'll save the findings along with user's credentials to authenticate the user and submit the findings whenever connection becomes available) - see #1 and #3 in MUST-HAVES
4. User 2 opens MyApp, and does the same routine as User 1 did in step 3.
5. 2 days later they come back to the office, internet is available, findings from steps 3 and 4 are submitted to my web-app on behalf of respective users

I've looked into Microsoft Sync framework, but that seemed like an overkill for what I'm doing (and I'm not sure if it can accommodate my MUST-HAVES either).

I'm open to any alternative approaches as long as they would account for my MUST-HAVES.

Thank you for your help.

There's a tough problem hidden here. The use case of multiple users entering reports on the same laptop suggests that users must authenticate before they enter an audit report, as opposed to authenticating when they submit the audit report once the app is re-connected.

Authentication should presumably tell the users whether the credentials that they entered were correct or not, so you need to synchronize the user credential database to the laptop. That is a significant security risk and needs to be done very carefully, even if the user database is encrypted and uses hashed, salted passwords. You probably want to only sync a subset of users' records for instance- the ones who would be using the app.

So let's assume that you do that- then you can use the same authentication provider that you use on the ASP.NET application to authenticate the users, and re-sync that database whenever the application is connected. You don't need to store their credentials other than in the database, which as I mentioned should be encrypted using the windows data protection API or something similarly strong.

All of this could be simplified if you could get around the requirement by allowing the users to associate the reports with their account by just typing in a username, uploading (but not submitting) the reports when they reconnect, and requiring that the users connect via the website and confirm the uploaded report after authenticating the normal way.