Now that my project is almost finished I am trying to implement the login and security.
I got a table in my database with all the users in it.
Next to the normal login and password columns I also got 7 booleans.
Those booleans represent the categories(folders) which the users may access or not.
After the user logins I put the record (user) in my session.
So depending on those booleans I will display tabs in my masterpage.
But how do I implent the security measures which redirects the user back to the login when they aren't logged in yet or when they don't got the proper rights to be on that page.
Somebody told me to add some code in de global.asax but I have no experience with it. And got no idea on how to start and it seems like i can't find any examples on the internet
ASP.NET Membership sounds like what you need. No point writing something from scratch when your chosen Framework will already handle it for you, right?
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
Related
I have a web app and I can login as admin or customer in it. Admin has access to all pages, customer has access to certain pages only.
When customer logs in, the required pages, say 3 pages are shown, after he logs out and the admin loges in, still only those 3 pages are shown. Although, After manual refresh, I'm able to see all the required admin pages.
How do I refresh automatically when user logs out? I'm using Angular 10 framework.
Since you're question is pretty generic, it is hard to get into specifics.
You must have some login code, so presumably you are loading a users permissions from some system and storing those permissions as part of the app--presumably as a cookie?
You can protect routes using auth guards. We primarily use canActivate guards.
You can hide elements on a page--such as screen navigation links--with an *ngIf. We created our own structural directive to accept in a list of allowed user permissions, and the current user's permissions and use that to determine if certain dom elements should be created or not.
I'm not sure about C#, but in Java we created a Spring Annotation to validate user permissions when a user tries to access a REST Endpoint. I suspect something similar must exist in the .NET world.
Conceptually it is not much different than our Angular custom structural directive; comparing allowed permissions to perform the action with user permissions, and then either allowing or denying the action.
It sounds like your users are getting elevated permissions by reloading the app; so I suspect there are some underlying security issues with your full implementation, but without a code review cannot begin to speculate what that is.
I'm trying to get my head round MVC and want to add admin authorised user administration on the site. (i.e. The user can CRUD users of the ApplicationUser class.)
I'm sure this must be in the framework already somewhere - it seems too vanilla to have to roll my own - but I can't find it.
Have googled to no avail, probably because I'm using the wrong terminology. Can anyone point me in the right direction for decent documentation on how to do this?
(The site will be closed, with no public registration - I need the Admin to be able to create new users, edit them, assign roles etc.)
ASP.NET Boilerplate has Module Zero, which provides user and role management. There is also an article that may interest you here.
I'm working on a C# MVC application where users submit applications to administrative users for review. Applications can be approved or denied by administrative users. My home page for administrators renders a list of submitted applications, and clicking on each application opens a new page where applications are processed.
My concern is simple: since the "Id" attribute for each application is a hidden html element on the admin "Process Application" form, it is possible that a user could modify the application ID and submit the form (in turn approving/denying the inappropriate application). I can get around this by using a Session object for "AppId" and verifying the AppId posted by the form is the same as the session AppId.
However (and this is the real problem), if I set Session["AppId"] = applicationId that session object can easily be overridden if the user was to let’s say attempt to process another application before submitting the first. Perhaps the admin user fancies their self a multi-tasker and opens two "Process Application" windows. Essentially, the first Session["AppId"] will be overridden by the second. This causes a problem on postback because now I can't validate anything based on Session.
While writing this, I realize I could add controls to prevent the user from processing more than one application at the same time. Is there an alternative approach though? Also worth noting, only admin users would have the ability to forge an application ID, which is unlikely because the Web-App is meant to help the admin users. Really I’m just looking for a best practice for these scenarios, as opposed to fearing someone will actually forge elements on my form.
Is my best approach actually storing an AppId in session, and preventing admins from processing more than one App at a time (so that the session object isn’t overridden)? It would seem so, but I’d love advice from the community.
PS: I realize this issue is similar to Secure way to stop users from forging forms. However, I think the biggest difference is I’m currently allowing users to process more than one application at a time, which prevents me from using a single session object for “AppId”.
I'd approach this from the "sanity & security" point of view. Users should only be able to change what they are supposed to change, data should [also] be validated on server side, and then you can disregard all forgery :-)
The best approach I’ve found is to check the AppId session object on page load. If it exists, then the user did not finish processing the original application (that scenario can be handled in various ways. I'll let you decide what is best, but you could probably redirect the user back to process the original application with an appropriate warning message explaining what happened). This is the only way I can think of to prevent the forgery of an AppId on the form using a single session object.
I'm developing a CMS for my website.
I need track Users activities in my Cms Admin section (protected by password).
I would like to know:
If is possible add GA (Google Anlytic) code and use it even if the pages where the code is placed are covered by password.
If such use can create security vulnerability of any kind. (If is good or bad practice).
How to retrieve easily the statistics from pages in Admin section if the folder for admin is (example: ADMIN) in GA account. They come up like /admin/mypage.aspx??? Or how???
Generally, I would like your opinion about it and if you are using this approch it in your current web application.
Thanks for your time!!!.
You can put GA on any page - password protected or not.
Security vulnerability depends on
what you're sending to GA but in
general, nothing that's sent is
personal, etc.
You can view the "Content" report and
enter a filter at the bottom to show
pages within "Admin." The full path of the page will show.
In summary, I don't see why not. GA does not care where the page resides in your site - it will work the same as it would for your public pages.
I think this is not the purpose of GA. It is used to measure ROI by putting together data from visits, conversion rates etc and to identify KPIs of your site. I believe that you don't expect to have ROI just from the site administration.
I think that actions done by admins can be easily tracked from database, if the structure is well designed (ex when what was created, logs and so on)
is there a way to redirect a user when there are n people/sessions on a site. I have a requirement to redirect to a 'sorry we are busy, please try later' page if there are too many people currently engaging the site (this is to stop flooding a live business service that is behind the webpages). The ideal is that only new users (users not already logged in) are shown this page. I was going to just count concurrent logins but wondered if there was a better way to count current activity rather than login status being that most users might stay logged in for a while.
thanks in advance.
There are several ways you could do this.
I think the most obvious way would be to do this in IIS. If you are using IIS 6.0, you can do this by going into the website properties, go to the performance tab and change the connection limit to what you require. You can then customise the default IIS error message (I think this is classified as code 500).
Alternatively, you could do something when the user attempts to login to the website. You would need to have a mechanism to keeping track how many users are connected, one way of doing this might be to use the Membership provider, which allows you to track (count) how many users are currently logged in (presumably through some basic math on the timestamp values in the membership tables).
Finally, you could probably at a push do something with Ajax to keep telling the server that the a user is "still online", but I would do this as a last resort.
My money would be on the first option.
Hope this helps