Say I have three endpoints
First/foo/bar
Second/fizz/buzz
Third/whatever
Only one of these endpoints is valid at a time, starting with first, then second, and so on. This is a problem is the user tries to go back, or they pick one of these endpoints from their history -- they'll be presented with an error dialog.
I thought I could use SessionState to keep track of the most recently accessed (and thus valid) endpoint and redirect with action filters based on that information, but my team has disabled SessionState.
So does MVC have a canonical way to ensure a user navigates certain endpoints in order?
MVC doesn't provide any behavior over what a browser does. That is, it is using the HTTP protocol and there is no way to prevent a user from manually typing in a URL in their browser (unless you have written your own browser that does this).
However, you could design your application as a single page that uses a JavaScript framework (such as JQuery or AngularJS) so the browser doesn't actually change URLs. This would prevent the browser from tracking the interaction between the JavaScript code and the server. Then you can guarantee that the user can only view the "pages" in the correct order.
Related
Scenario:
ASP.NET 5 / Razor Pages / C#
We have one main site, with very good security. In the background, all passwords are encrypted. Also, a log is made of all logon usernames, from which IP addresses, at whatever time accessed.
We have a second site that is hosted within the main site visually on the front end via iframes mostly, but not on the server. They won't live together in the same web app.
Problem:
I need to ensure that the secondary site access is secure, whilst relying on the fact that the user already logged on successfully via the main website. I don't want the user to need to logon twice to two systems, rather I want the single logon to fluidly allow access to the secondary site.
I have a method I am using now. It works, but I really want to delve in and see if I can improve this given I'm not heavy on experience in terms of website security. I'm sure there is a better way.
Options?
From a security point of view, using iframes, the two site are independent.
So you need to guarantee that the security process is issued on both sides.
You have several possibilities, but the best, I think, is to revalidate the user in the "iframed" website.
You can use a token, generated from the main website and stored in a backend DB, and pass it to the iframe URL.
The endpoint of the iframe has to read the token, call a backend API to validate it and allow the access.
The main problem you have is to refresh the token after a reasonable time, in order to ensure the validity during the use of the "iframed" website.
I have a single solution with multiple C# ASP.NET Web Forms projects. I want a way to identify a given browser so that each website can identifier that same browser. I need to do this from the C# Code-Behind code (not with the client code, like JavaScript). I also cannot use the Session because it isn't shared across websites. I don't think cookies are either.
For example, if a user logs onto Website1 and then logs onto Website2 with the same browser on the same computer, I want to be able to identify that. But if a user logs onto Website1 with Chrome and then Website1 with FireFox (regardless of whether it's on the same computer or not), I want to detect that as well.
If it makes any difference, I am using Azure to publish my web projects. So all websites will have similar domains (eg website1.azurewebsites.net and website2.azurewebsites.net).
If you want to track someone using the same browser on the same computer then use a cookie. If the websites have different domains you'll need to be clever because modern browsers have a lot of protection against what they see as tracking cookies. One option is using a hidden interstitial page as described here.
Your second scenario, a user accessing same site with different browsers, I suggest storing the user agent string (one of the request headers) and adding this to a login audit so you can build up a collection of different user agents used by a given user. There are libraries available for parsing user agent strings and extracting name, version, engine etc.
Between these two techniques and a bit of business logic you should get what you need. If you would like me to clarify any of this, let me know and I'll provide more detail.
We are using anonymous identification in asp.net. Anonymous identification creates cookie whenever user lands on our application first time. according to the value of cookie we identify our user and made our business check whenever user lands on our application. It works fine with one cookie/user/anonymous user at a time.
Now i want two parallel anonymous user in one browser at a time. Can you please help me regarding this? How can i do that in Asp.NET MVC? How will I manage two cookies at a time?
let suppose two tabs are open in browser so it mean two user are present. How will system behave when user enters same URL in 3rd tab?
Note: This is a bad idea, and users sharing a browser session seems really fishy to me. You could also use Chrome named users or an incognito session, or different browsers. However, I will present a solution assuming that the strange requirement stands.
You are looking for cookieless sessions. Add this to your web.config in the system.web section:
<sessionState cookieless="UseUri" regenerateExpiredSessionId="true" />
Note that you may find that this is not officially supported anymore in MVC, but does work in many cases. It worked in my simple test.
This will use the URL as the session identifier with each user getting a unique session upon hitting the site without a session in the URL. This is not secure at all because users like to share links and in this case they will be sharing a link to their session.
For your case, this may be sufficient.
More info here.
I am getting some special characters and some letters along with the url at runtime. The url is like
http://b1.elenageosystems.com/%28S%28z1qmpcpllhmuoxgsnkhcbflh%29%29/Default.aspx
Here you can see the special characters appended along with the url after b1.elenageosystems.com/.....
Default.aspx is my page
You can view my project - www.b1.elenageosystems.com
This is so-called Session ID that used by IIS to manage your sessions, it is added to every URL firing from the same browser session.
Many IIS-based frameworks (for example classical ASP.NET) depend heavily on sessions and require this ID to overcome generale stateless nature of HTTP requests, this is why IIS provides (and implements) fully transparent support for it.
If you don't like these URLs, you can also use Cookies to store your Session ID. You can configure the way how you store your IDs for sessions either per WebApplication using your web.config file in your application or globally for your complete IIS server.
You find more how to change these settings on MSDN.
I'm building an ASP.NET MVC 2 site where I'm using the OutputCache parameter heavily. However, I have a concern: using such caching may interfere with authentication.
On all of my pages, I display whether the user is logged in or not. Furthermore, in some of my Views, I do filtering based on user role to determine whether or not to display some page content (for example, the Edit link on one of my pages is only shown to users in the roles of Moderator or Administrator).
Will using OutputCache interfere with this dynamic changing of my Views? If so, how can I resolve this problem without eliminating caching?
The [OutputCache] and [Authorize] attributes play well with one another. The AuthorizeAttribute.OnAuthorization() method sets a hook into the output caching system that forces the authorization filter to re-run before the page is served from the cache. If the authorization filter logic fails, it will be treated as a cache miss. If the authorization logic succeeds, the page will be served from the cache. So if you have [Authorize(Roles = "Moderator, Administrator")] and [OutputCache] on an action, the page will not be served from the cache unless the current user is in the Moderator or Administrator roles.
Note that this does not vary by user or role; it's literally re-running the original check. Imagine that User A (who is a Moderator) comes in and causes the page to be cached. Now User B (who is an Administrator) comes in and hits the cached page. The [Authorize] check will succeed since both Administrator and Moderator are allowed, and the response served to User B will contain the exact same contents as the response that was served to User A.
Note that response substitution does not work in MVC 2. If you're serving potentially sensitive data, the best bet here is not to cache it. If you absolutely need to cache, you can mimic something similar to response substitution by using an AJAX callback to dynamically fill in the missing data.
I believe what you need is ASP.NET donunt caching. See here for a good explaination. I wouldn't be suprised if SO uses something like this for the top bar area.