I have a website that holds one setting - a number that the user clicked.
I want the user to see this number and be able to change it at any time. Up until now I was using cookies to achieve this. But then I stumbled across an error : When user opens this address to my website :
http://ServerName/Pick
He sees a certain number. But when he opens this address :
http://ServerName.ServerDomain/Pick
He sees a diffirent number. And in the browser settings I see 2 cookies : one with the domain "ServerName" and one with the domain "ServerName.ServerDomain".
Is there any way to share the same cookie without relaying on wether the user specified a domain name? If not, is there a way to do this without cookies?
NOTE : I have full control over the client and server side (ASP.Net MVC)
You can't share cookies for different domains, but you can use one domain as a primary domain that will issue a cookie and to read cookie from other domains you should redirect to that domain, read cookie and redirect back with a value in query string. Similar, like google redirects all Sign-In requests from google.com, google+, docs etc to account.gooogle.com or microsoft from MSN, Hotmail, etc to login.live.com and then back.
Related
I wasn't really sure on how to form the search terms for this question but I didn't really find what I was looking for either way, so here goes:
How would I force a client to only enter certain parts of my website from certain entry points? For example I have an overview of what activities the company I work in currently got going but I only want users to be able to enter the page responsible for adding a new activity by pressing the "Add New Activity" button.
So that you can't enter that page just by typing in the URL for example. How would one achieve this in ASP?
The same way we do it in the real world, authentication, authorization. Whenever a visitor views a page on your website. They are sending a HTTP request, along with that request you'll receive any cookies that have been set by your web application on their computer on any previous visits, this happens on each and every request.
Authenticated users can be identified using cookies, usually what happens is... upon sign on, the server will set a cookie containing their identity. So when the authorized user requests to view "foo.com/topsecret" and the server receives that request, the server decrypts the data stored on the cookies and checks to see if its been tampered with... if all is good... access granted... if not... then it's simply denied.
In your case u can use the Session Variables and in login u can check all permission.
In your page you can add a check in Page_Load same this:
User myUser = (User)Session["User"];
string page = Path.GetFileName( Request.Url.AbsolutePath );
if(!myUser.pageSee.Contains(page)){
Response.Redirect("home.aspx");
}
you create a User class with proprerty a list of strings for the pages that you can view,
you may also add permissions for a single div.
I have a website with two different domain.
us.site.com
usa.site.com
Now when user Click on Login
It first check its country. According to country I want to redirect whole site on that url and that time it not again asks for account id and password. so i want to maintain these things but it should not visible in Url.
Please Suggest me any way to do this.
I don't want to use QueryString and Cookie
Posting my comment as an answer.
Basic idea as following. You can use cookies. On login, create a cookie for "site.com" having user information. When user redirects to for say login to usa.site.com, check the cookies in pageload. If you found the cookies read the cookies and convert it to session. Use session further to check loogged in user information.
Related question link,
How can you keep a session across multiple subdomains in c# mvc?
How can I share a session across multiple subdomains in ASP.NET?
Write cookies from subdomain and read from another subdomain without changing web.config
To make cookie secure use encryption.
Reference :
http://www.codeproject.com/Articles/13665/HttpSecureCookie-A-Way-to-Encrypt-Cookies-with-ASP
Encrypt cookies in ASP.NET
http://www.c-sharpcorner.com/UploadFile/manishkdwivedi/encrypting-and-decrypting-cookies-in-Asp-Net-2-0/
Use MD5/SHA Encryption to store value in cookie and once you redirect to other page then use decryption Algo and use that cookie value.
It will solve your issue.. Check below link for reference -
http://www.codeproject.com/Articles/38951/How-To-Hash-Data-Using-MD-and-SHA
http://www.codeproject.com/Articles/14150/Encrypt-and-Decrypt-Data-with-C
http://www.codeproject.com/Articles/12602/Using-MD-Encryption-with-C-and-MSSQL
Or you can use alternative way to store value in database temp table
I have a primary web app with authentication on example.com, and I have a secondary app with authentication on subdomain.example.com
I want the 2nd app to be integrated with the first one. So once a user registers and logs in, s/he doesn't have to register/log in again.
It is possible to send a post request, but this won't generate the cookies in user's browser...
How can I do that?
Thanks
You're able to set a cookie so that it works on all subdomains (www, subdomain, etc.). See Basics of Cookies in ASP.NET:
By default, cookies are associated with a specific domain. For example, if your site is www.contoso.com, the cookies you write are sent to the server when users request any page from that site. (Except for cookies with a specific path value, as I explained in the section immediately preceding.)
You can also use the Domain property to create a cookie that can be shared among multiple subdomains. For example, set the domain as follows:
Response.Cookies("domain").Value = DateTime.Now.ToString
Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
Response.Cookies("domain").Domain = "contoso.com"
The cookie will then be available to the primary domain as well as to sales.contoso.com and support.contoso.com.
Scenario:
I have a tricky situation where need to keep many modules happy [Google Analytics, etc, etc...]. Got a asp.net page in the project which initiates the request on the third party website (after clicking the Process button) and redirects the user to the third party website. Transaction is processed on their website and then the control is returned back to the current page on our site. You can relate this scenario with kind of Paypal processing too, but it's not paypal.
Issue:
If the session is time out, I want the user to be again authenticated when the control reaches our website after the processing is done on the third party website. So I am thinking of passing the authCookie information to the third party website and then when the control reaches our website back, I will have the authCookie information (imagine it is the scenario) and then want to log the user back in. Can I do that by just creating an authCookie again based on the username?
It really depends on the transaction processing system you are using. If you check the result of the transaction by calling their API, then the response usually have a user id or something that you can tie to user id. You can store the user name in the cookie, cookies are per domain or subdomain and it won't get sent to the transaction processing web site if it is in the different domain than yours, which is most likely the case. Get or derive the user name from the transaction result response, compare it to the one you obtain from your cookie. If they match up, sign in the user. Signing the user in just based on the cookie contents is risky in many respects. First of all anyone can set the cookie with any name in it to the browser. Second, if you are signing in a user just based on a cookie, you'll basically get never expiring session. This is not what you want. For added security you can check the transaction time from the transaction result response and refuse to sign in if it was too long ago.
Oh, and in you question you mention that you "need need to keep many modules happy" but you do not expand on as to what you mean by this. So I'm just simply ignoring this bit. Not sure what a happy module look like =)
I have two webapplication, one is a simple authenticationsite which can authenticate the logged in user and redirects him then to another site.
Therefore I have to pass ther userId (GUID) to the second application. Currently this is done via the URL but i would like to hide this id.
Has anybody an idea how to do this properly?
[EDIT]: I can't use the Session because of the ApplicationBoundaries (2 different Servers)
This sounds like a tricky situation.
There are however several options you can use but it all depends on what your application does.
Let's call WebApp1 your authenticate site, and WebApp2 your distination site once authenticated.
Can WebApp2 not call WebApp1 behind the scenes? (Services)
THe problem with passing this Guid between applications is it's going through clear text, and considering it's a user id, if anyone manages to intercept this they will have access to WebApp2 for life. Whether you pass it in a querystring or form variable, it's still vulnerable.
If you can't use WebApp2 to query WebApp1, you should consider WebApp1 creating a temporary Guid that expires. That would be much safer long term, but as it's clear text is still susceptible to attack. The 2 web apps will also need access to the same data store.
Ultimately, i think the AUthentication Site should be a service which WebApp2 can consume.
Users should login through WebApp2, which will call WebApp1 securely for authentication.
WebApp2 can then manage it's own session.
If you can't use cookies because it's cross domain then encrypt it, with a nonce.
Setup a shared secret/key between the two servers; send the encrypted GUID and nonce combination to the second server. Unencrypt, check the nonce hasn't already been used (to stop reply attacks), then use the unencrypted GUID.
If you want to be extra tricky have a web service on app1 where it can check the nonce was actually issued (at this point you're heading towards WSTrust and a single sign-on solution, which generally solve what you're trying to do)
Even with cookies, as they're easily edited/faked, you should have some form of checking.
You have two ASP.NET web applications, and one application does nothing but authenticate a user?
this sounds like a job for....
Web Services!
Create a new web service on the authentication app (They are the .asmx extension), and add a single method that takes in the user and password etc, and returns authentication info.
Then import the WSDL on your 2nd app, and call the 1st app like it was a method. It will simplify your code, and fix your issue.
An Example:
AuthenticateUserService.asmx goes on the Authentication app:
using System;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class AuthenticateUserService : System.Web.Services.WebService
{
[WebMethod]
public bool AuthenticateUser(string username, string passhash)
{
// Fake authentication for the example
return (username == "jon" && passhash == "SomeHashedValueOfFoobar");
}
}
Once this is setup, fire up your main app, and right click the project and click "Add Web Reference".
Enter the url to the asmx on the authentication app, and Visual Studio will discover it and create a proxy class.
Once that is done, we can call that method like it was a local method in our main app:
protected void Page_Load(object sender, EventArgs e)
{
// Now we can easily authenticate user in our code
AuthenticateUserService authenticationProxy =
new AuthenticateUserService();
bool isUserAuthenticated =
authenticationProxy.AuthenticateUser("jon", SomeHashMethod("foobar"));
}
So, what does this really do?
It eliminates the client from the authentication process.
Your current process:
Client Enters credentials to AppA
AppA redirects the client to AppB
AppB redirects the client back to AppA if the credentials match.
Is replaced with a server side SOAP call between AppA and AppB. Now its like this:
Client enters credentials in AppA
AppA asks AppB if they are good
AppA serves proper content to the client.
Pass the GUID through a session, best way.
http://www.w3schools.com/ASP/asp_sessions.asp
OR, since it's 2 different servers, pass the information by POST method:
http://www.w3schools.com/aspnet/aspnet_forms.asp
The other possibility is to store the session state in a database on the local server, and remotely access that database from the other server to see if the user has successfully logged in and within session timelimit.
With that in mind, you can do the entire authentication remotely as well. Remotely connect to the local database from the remote server and check the login credentials from there...that way you will be able to store the session and/or cookie on the remote server.
I would recommend AGAINST the hidden field proposition, as it completely counteracts what you are trying to do! You are trying to hide the GUID in the URL but posting the same information in your HTML code! This is not the way to do it.
Best choice is the database option, or if not possible, then use HTTP POST.
Use session variables or HTTP POST instead of HTTP GET.
Instead of passing it via a query string you should create a hidden form field with its value and then post to your 2nd page, which can then grab the posted value and it will be hidden from the user.
If the servers have a common domain name, you can use a cookie.
EDIT: Cookies will just hide the ID visually, it is still accessible. Same with hidden fields or using POST rather than GET. So if the ID is confidental and you want to avoid to send it over the network unencrypted, you need a different approach.
A solution could be to encrypt the ID on the auth server with a key which is shared by the servers. Another solution could be to generate a random GUID on the auth server, and then let the auth server directly inform the other server (over SSL) which ID the GUID corresponds to.
go for session mangement or use a HTTP Post as said in the above post.