I have a Parent Application just a view where you can click different buttons to open the links embedded in it, which takes you to different asp.net applications. Problem is each of the application's basic authentication is set to true in IIS. How can i implement single sign on to save user to enter the password each time.
One solution is you make form authentication in each sites and in web config the machine key of the applications should be same. I want to know is there any way that i can set Single sign on settings in the parent application in IIS? as i dont want to distrub other applications code.
Related
Scenario:
ASP.NET 5 / Razor Pages / C#
We have one main site, with very good security. In the background, all passwords are encrypted. Also, a log is made of all logon usernames, from which IP addresses, at whatever time accessed.
We have a second site that is hosted within the main site visually on the front end via iframes mostly, but not on the server. They won't live together in the same web app.
Problem:
I need to ensure that the secondary site access is secure, whilst relying on the fact that the user already logged on successfully via the main website. I don't want the user to need to logon twice to two systems, rather I want the single logon to fluidly allow access to the secondary site.
I have a method I am using now. It works, but I really want to delve in and see if I can improve this given I'm not heavy on experience in terms of website security. I'm sure there is a better way.
Options?
From a security point of view, using iframes, the two site are independent.
So you need to guarantee that the security process is issued on both sides.
You have several possibilities, but the best, I think, is to revalidate the user in the "iframed" website.
You can use a token, generated from the main website and stored in a backend DB, and pass it to the iframe URL.
The endpoint of the iframe has to read the token, call a backend API to validate it and allow the access.
The main problem you have is to refresh the token after a reasonable time, in order to ensure the validity during the use of the "iframed" website.
Here is the situation:
C# Windows Forms application
ASP.NET web application
Both authenticate with a custom user table in the same database (usename/password) and create a User object that is used throughout both applications
A user is logged into the Windows Forms application and we want to launch a URL to open a page in the ASP.NET web application in the default browser (IE, Chrome, Firefox, etc.). We want to pass the current username/password from the Windows Forms application to the ASP.NET web application in order to keep the user from having to log into the web application separately.
Based on our research, here are some options we have found (and the drawbacks):
Pass username/password in URL as QueryStrings and create the User object in the web application
Not secure (password visible in URL)
Create a temporary HTML page on the client machine that includes a JavaScript OnLoad function that POSTs username/password to the target URL and create the User object in the web application
(Could not find a way to POST data directly to a URL and display URL in default browser using C#)
Not secure (password visible in temporary page)
Create a "Handoff" table to store username/password with a key that gets passed to the page via QueryString and deleted from the table when the page loads and create the User object in the web application
Small potential for key to be intercepted (hackers)
Have a separate MongoDB that stores the User object and retrieve it in the web application
Separate software (MongoDB) running - additional point of failure
All of this is so that the user doesn't have to type their username/password twice to log into both applications.
Which one of the above options above would work best (most secure, least overhead/maintenance)?
OR
Is there a way to create a Forms Authentication ticket (cookie?) in the C# application that could be used by the default browser?
OR
Is there a better, secure method for handling this?
(edit)
OR
Is there a good argument for requiring the user to enter the username/password again to access the web application if they're already authenticated from the Windows Forms application? If so, can you provide links to references? Best practices, web security standards, etc.
You could salt+MD5 the password and send it simply with the URL.
However, you should point to a script on the server first, which authenticates the user and creates the appropriate cookies, and redirects to the desired page, now without the credentials in the URL.
edited: or basically do whatever you want to preserve the users' session
Unfortunately, as long as passwords are involved, you can't be 100% secure. Still, hashing a salted (salting is when you concatenate the password with some other string before hashing) password might be your best bet if somebody can get a visual on the passwords.
You generate the password hash, with salt.
You send it to be processed (I usually just put it into the URL of a separate script, but it's a matter of preference.)
You generate a hash with the same salt on the server and check it against the submitted one.
Authenticate the user and redirect to the original location.
In additional to what Máté Gelei has contributed, you could also include a timestamp in the Url and check to make sure the timestamp falls within a few seconds of current time. This is a little added protection and ensures the login attempt becomes invalid very quickly. Of course, you would want to somehow hide the purpose of this to make it a bit more secure.
This does not make it 100% secure, but it does add one more level of protection.
okay I have a web application that manages the logins for different client web applications, stored inside the root folder. Each client web application has its own login controlled by C# Roles class, where by they are routed to their site.
http://msdn.microsoft.com/en-us/library/system.web.security.roles.aspx
Now while logging in and using the site works perfectly, the problem is if a user enters the url for one of the other client sites, it allows them access to it.
Is it possible to restrict this access?
Your roles should be attached to a specific application. This can either be done with separate databases for each application, by adding and filtering based on the associated application within your role manager, or using application specific roles for each application (I'd avoid this, but it should work). If you have the role "user" that is used by multiple applications without any filtering, then the individual application won't know whether it's a user for their app or not, and thus by default allow any "user" to access any application that allows users.
I'm building three web applications in .NET that will all share a users database and login information. Lets pretend that application 1 is the "parent" application and applications "A" and "B" are the "child" applications. All users have to be logged into application 1 to have access to applications A and B.
Authorization, Authentication, and MachineKey sections of all web configs are present and work correctly.
I have the correct web.config settings in all applications to achieve Single Sign On except one problem remains: what do I put in the "loginUrl" attribute of the forms tag in Applications A and B.
Assume that the url for the login to application 1 is "www.johnsapp.com/login.aspx" How can I get applications A and B to send the user back to application 1 for authentication using only settings in web.config?
You could use
if (!Request.IsAuthenticated)
Response.Redirect("~/Login.aspx?ReturnUrl=~/thisurl");
in the Page_Load function of the codebehind. This will redirect automatically.
How about using Windows authentication?
I am using WebBrowser control in the WinForms application. I want to write program which can put Login and Password for some user and test some functionality.
It's working fine when I am running one Application instance, but I have problem when I am trying to run two app copies with different users - both instances are working with the same user and it's impossible to log in with different users. For example, I want to log-in to the same web site as User1 in one application and as User2 in the other app instance and perform tests.
How it's possible to implement program to allow two different app instances with WebBrowser Control to work with different users? As I understand, I have to isolate cookies somehow so different application instances will use their own sessions.
Do you understand why this is happening? You can't really "isolate the two cookies", but you could redo the app to use some sort of session key instead and POST values. It's creating a cookie using the IE settings, so it's putting the cookie in the default location.
I suppose you could override that functionality, but you would probably have to override WebBrowser.
I don't think this is an issue with your app as much as it is with how the website is functioning. Creating a cookie is a function of the browser and the website, not your client app. Do you have the ability to change the website code?