We are looking to create a website that displays information to all new visitors to a site, i.e. welcome, please read our help guide, etc.
The big problem is that our website is not allowed to use long-lasting cookies (i.e. over 20 minutes). Does anybody know of any way we can determine whether a user has visited the site before or not. As another restriction, we can not add anyform of registration to the system.
The application is being created in ASP.Net 3.5.
Thanks for the help
The EFF has a tool/site that you can visit that shows how with the plugins, OS details, browser details, etc. you can determine a visit fairly uniquely. It could give some insight on details to store in a database to determine if the user had been there before:
https://panopticlick.eff.org/
You could attempt to use an IP address, but with NAT'ing and most ISPs handing out dynamic IP addresses anyways, you'll never really know if the user visiting is one who's been there before or not with any certainty.
If you have no way of storing information on the client side, this is impossible except for saving IPs and comparing those, which isn't really accurate either.
Does anybody know of any way we can determine whether a user has visited the site before or not.
No, you can't. Since you can't use cookies all you've got is what the client's sending by default: IP address, user agent information. With the current IPv4 depletion and the popularity of NAT devices the IP is anything but useful.
About the only way is to capture the IP address of web browser and use that as a unique ID - assuming that it is indeed unique.
You can't rely on the IP since it can be shared by many user, or change for one user.
If you can't store a cookie on the client side, it is not possible.
You can also ask him: "Did you ever visited this site in the past?", but I doubt this is good practice :D
Store a boolean value like "AlreadyVisited" in the Session. So everytime the user visits the page for the first time, he will see your welcome message.
After displaying, set the boolean to false (you need to store it in the session)
Related
I'm designing a site using ASPx and IIS, where clients can sign up and then offer services to their clients. For example:
if you go to http://www.mywebsite.com you can sign up for your mywebsite.com account as a business owner. When you sign up, you are given a Site ID (Example: AA1234).
http://www.mywebsite.com/AA1234
What I want to do is always include the Site ID in every url (Inbound and Outbound). The Site ID is stored in a session variable based on the initial incoming request.
Does anyone know of a good way to do this - or a different design that works better than this?
Thanks
Your question is nebulous at best. However...
Wouldn't this be what cookies are used for?
In particular, if your user is authenticated (this is generally achieved in asp.net with an auth cookie), then at the server, you would have tools at your disposal that allow you to recognize the user and provide a different experience according to whatever criteria you choose. Most likely, these details might be stored in a database.
Found the answer in this topic: http://www.tek-tips.com/viewthread.cfm?qid=1149673
The last response from BoulderBum is exactly what I needed.
Using the HTTP module I will take the /AA1234/ URL and point it to /Company/.
On the way out, I replace all instances of /Company/ with the site id again
We have a web application : C# + SQL 2k5
Different companies send us information, we parse, them, do different things, and come up with a simple list for each of our customers. The list will look the same, but will have different information based on the customer.
They should not have access to each other's data.
We would like to create a page which would be embedded on their own site. I was thinking about using something like an iFrame.
Basically customer ABC would embed on his own abc.com an iframe with a URL (we will give them the parameters needed) and his clients will see our data on his site.
The other customer, lets call him xyz, has an other website xyz.com, will do the same thing, but in the url I should make a difference between them.
I would like to know how is the best, safest way to proceed.
How should I start to build up this page that is going to be embedded.
How should I make a difference between the 2 customers? The only way to get info from them is the parameters they send me, and eventually, I could get the 'parent' of my embedded iFrame, so that might help me restrict xyz to embed using url parameter info to get data from abc. See my dilemma?
Probably a unique identifier for each customer (like a GUID?) will be needed, and they woul dnot know each other's ID ... Or is there a more secure way to do things like this?
Any help would be appreciated.
Thanks
Embed a publically visible unique id in the URL and process this to extract the client id. e.g.
<IFRAME src="http://example.com/1122334455667788aabbcc">
You could check the Request.UrlReferrer to ensure that the request see this answer
However the only safe way of doing this is to provide an authenticated API that the site uses server side to process via a services API (e.g. WCF), or at the very least an authenticated HttpWebRequest; any other way leaves your data only as secure as a publically visible unique id.
Take a look at how one of the credit card processing portals do this (eg WorldPay or Paypal). There are several ways.
At the very least you need provide each customer with a unique ID that they send you.
Scenario: We have a website that is viewed both internally and externally. When an error occurs the users are displayed with a detailed error page(Stack trace etc).
Problem: The external customers do not need that much information about the error. We are looking to have the external customers see a messsage instead. Ex. Please contact Administrator. Also if possible we would like to log this message in our SQL database.
Note: I'm assuming I make a custom error page like - Implementing a Custom Error page on an ASP.Net website but how do I determine whether or not the user is internal/external? Also is this the best way to approach the problem? Additionally if anyone has suggestions on the best way to store these errors in the database that is also appreciated.
Thanks in advance.
YOu can try settings your mode to RemoteOnly in the web.config
<customErrors mode="RemoteOnly">
This way local users will see the error, and external users will see the other error pages which you have set up.
There is an article here about such things http://aspnetresources.com/articles/CustomErrorPages
The way I would do this is to have different entry points for external and internal users. I would do this through the hostname. By varying the hostname I could then create a custom error experiance for each type of user.
If by 'internal' you mean logged in, and 'external' you mean anonymous, you could use the same custom error page but check the user's logged in state using Request.IsAuthenticated
You could then simply display the message based on the user's status.
For storage of errors you could use log4net and/or ELMAH. ELMHA is specifically for catching unhandled exceptions. Log4net is predominantly for logging from within your code, i.e. from within a try/catch statement.
It is good practice to use both.
That article is on the right track of what you need to do. Also, see:
http://aspnetresources.com/articles/CustomErrorPages
http://www.asp.net/hosting/tutorials/displaying-a-custom-error-page-cs
http://weblogs.asp.net/erobillard/archive/2003/04/23/5992.aspx
The determination about whether a user is internal or external will be handled by the web server.
customErrors for RemoteOnly will probably not help you because RemoteOnly only refers to users not accessing the page from the same physical box. Users on the LAN will be treated as remote just like users from the WAN will.
If I had to solve your problem, I would start in Application_Error and examine Request.UserHostAddress and Request.UserHostName but even those are not going to be completely reliable because on my corporate intranet, my address of 10.4.42.219 might very well match your companies internal addresses, and UserHostName is supposed to be a human readable name but it isn't always - case in point, look at it running in debug mode and both UserHostAddress and UserHostName will be "127.0.0.1" when you'd expect the latter to be "localhost".
See the problem here is that by the time they hit your webserver, they're inside the firewall, and the server is a listener - so it doesn't matter what IP the incoming connection CLAIMS to be from (spoofing being a very real problem), your webserver isn't gonna initiate a response, it's going to send a response down the very pipeline that the client opened.
Now if your firewall can be configured to leverage spoofing and force the IP coming in to be a specific value, that would be one possible way to reliably identify external connections, and by process of elimination, the internal ones but I can't speak to the viability of that approach with any certainty.
Edit to add: I suspect your initial question may itself be flawed. The question I'm asking myself is, who on your internal side really cares about the error message? Is your corporate secretary going to want to see stack trace info? Probably not.
I suspect that what you REALLY need here is active authentication and role based security, such that only specifically identified users - members of the "Error Investigator" role perhaps - should see those detailed exceptions, and everyone else, including internal users, gets the pretty custom page.
I have to implement a single signon kind of solution on my website. Let's say my website is www.myweb.com and I want to allow the users to use this site who only come from a site www.sourceweb.com.
I thought URL Referrer would do but in IE may comes null.
See here
Please suggest me some alternate solution.
Thanks,
Gaurav
If you have access to www.sourceweb.com and can modify the source then a possible solution would be:
Create a webservice on www.myweb.com.
Create a link on www.sourceweb.com
When the link is clicked call the webservice to retrieve a unique id.
Redirect the user to www.myweb.com and provide the unique id in the querystring.
On www.myweb.com confirm that the unique id is valid and remove it/mark it as used.
There are many ways to skin a cat, one way in your case would be to set a cookie on the 2nd site, using a pixel gif (1x1 pixel small picture) embedded on a page of the main site. The 2nd site then can later allow access only when the cookie is already set.
To make this secure, you have to add a token to the pixel gif URL, containing a timestamp and signed using a HMAC or something similar establishing a shared secret with the other site. Then you only set the cookie when the timestamp is recent (less than a minute ago) and properly signed.
URL_REFERER is your best bet.
Keep in mind that like most HTTP headers, it is easy to forge and does not have to be provided.
The very short answer. Don't implement this yourself.
Security solutions should not be implemented but bought. The only exception being if you actually develops security solutions for other to buy of course.
Choose one of many available SSO solutions and go with that. We use Microsofts ADFS, though not perfect it gets the job done for us with very little maintance and the only real hazle is for our applications hosted on non-windows platforms like AIX.
There so many chance of screwing things up when you try to implement your own security solutions. If you disagree than just remember than anual contests are held to break the security systems of companies such as Apple,Microsoft,Mozilla and Goggle and most of the years some one takes home the price for breaking each of them.
I know this has been posted before, but never really answered, I'm using the DotNetOpenAuth to try and do GoogleID login, and every time I do details = OResponse.GetExtension<ClaimsResponse>(); I always, always, always get back null, I don't get whats the point of the GoogleID if I can't get back any information, I would think at the very least I would get an email address, so I could associate it other login information in my databse. I just don't understand could really use some help, Im probably just looking at openID in the wrong way.
I'm using ASP.NET and looking to use openID/Facebook as my sole means of logging in users, I really don't want to mess with membership roles, or extra junk that ASP.NET likes to add.
Yes, this has been asked and answered many times. Google does support AX. But it ignores any attributes marked as "optional". So if you want the email address, you have to say that email address is a required attribute.
The ClaimsResponse extension you're checking for isn't AX -- it's Simple Registration. But if you have AXFetchAsSregTransform behavior turned on (highly recommended) then it allows you to just use ClaimsRequest and ClaimsResponse exclusively, and DotNetOpenAuth will automatically translate to and from AX behind-the-scenes for you.
Alternatively, you can use FetchReqest and FetchResponse to speak AX directly to Google.
But (and I can't hammer this hard enough), do not use the email address as the user's unique identifier!!! Instead, use the IAuthenticationResponse.ClaimedIdentifier string as the unique identifier. Email address should generally be considered just a helpful hint that can be used to prefill a registration form. You shouldn't even trust that the email address you get is really under the user's control (that's one reason why it shouldn't be considered their unique id) since the Provider can lie to you. Google and Yahoo are two providers that promise (if you choose to trust them) that the email addresses have been verified, so you can skip the email validation step for users from them if you wish.
It doesn't appear that Google's OpenID server supports AX or sreg.