I have a Asp.Net MVC4 website which can connect to multiple databases depending on the user's login credentials. In order to get the database access list for the user, I have to perform a few complex joins when they login. To avoid having to do this more than once, I am currently encrypting and storing the database ID in a cookie. I now realize that this may not be a good idea and even strong encryption may be broken. In addition, the encrypted cookie is transferred around on every request increasing traffic. I am now thinking about using the HttpContext.Current.Cache to store the data instead. Can anyone comment on whether this is a good idea. I would also be interested in knowing if there are better options out there. My website is not deployed on a server farm right now but what would be the implications if I were to use a cache and a server farm in future?
Based on your requirements (i.e. keep a hold of sensitive user specific info across a session), the correct place is for this is the SessionState. AFAIK sessions states can be shared across multiple web servers so if you did use a server farm you wouldn't need to change anything.
Session is right container for user sensitive data. Or you can store it in database and get it there by some identifier that is stored in session(it is useful if you store large amount of data).
Related
I am working on a web application, asp net web forms site (.Net 4.0, C#).
I want to be able to ban a user's IP either temporarily or permanently.
A permanent ban would occur if the IP address is attempting to log in using multiple usernames and passwords. This would signify a malicious attacker, so I want to ban them. I would like to avoid using the database at this step to avoid DOS type attacks slowing down the network.
A temporary IP ban would occur if the user types in the wrong username, such as username1 instead of username, and they keep trying to log in with their password. This method will use the database as the user might have not realizes they typed in the wrong username.
My question is:
How can I track if the same or different user name has been used across the page refreshes?
I am thinking about using a Session, but after some searching around for similar problems, it looks like the Session requires cookies and an attacker would avoid those.
For permanent IP bans, I found some code that uses the IIS api and the Microsoft.Web.Administration package. Here is the link for some code adding IPs to the IIS ban list:
IIS IP Security
How can I implement the tracking of the log in attempts without using the database?
I am also implementing the server (IIS) IP restrictions as another layer of security, but this only blocks an IP based on the number of attempts within a certain time period (which is desired) but does not differentiate between the cases I mentioned above.
Using any client side storage such as sessions or cookies seems like a bad way to deter an attacker. You say that you don't want to use the database because it could slow down the network so my suggestion would be to use a second local database or a in memory list to hold information pertaining to recent login attempts. It could store IP address, username, hashed password, and a time stamp. When you go to authenticate a user you could check against this local data. MSND Article on caching for more information.
If you are using html 5.0, you could use the local storage ability. Of course, malicious users may have disabled that, as well as cookies, but worth considering.
I am trying to implement a web application with Caching features.The reason I need caching is for is that we have an application which lets users access online courses. Now, Once the user logs in I validate him against our database. Once validated I want to store the user ID and course ID in cache for 20 mins so that if he requests it again I can retrieve values from cache foe both user id and course ID and if valid provide him access
For some reasons I can't use Session variables in this application so they are not an option.
Now, the caching code in my application is inside a HTTP Handler(.ashx file). Now I tried calling the cache object like you do for a aspx page but I could not, probably because it's a handler and not a webpage.
So,
Cache.Insert("Id", 123);
will not work in Handler. So then I tried HTTPRuntime.cache. But after doing some research I found out the HTTPRuntime.cache is common to the whole application. I don't completely understand "Whole application". Does it mean that it is shared by all the users on different computers accessing our applications? or does it mean it's shared by all the users on one computer accessing our application. Because if it is the latter I am OK with it.
So is HTTPRuntime.cache a good way to cache data for one browser(or one computer) or is there a different and better way to implement Browser caching to store data?
Cache is stored in web server memory.
You should understand the differences between Viewstate, Cache and Session
I am creating an application to be accessed by multiple clients, but
each customer will have a different database, only access the
same application in IIS, I'm using DDD, C # and MvC3 and Entity Framework 4.1 CF. Does anyone have any example or an idea of how best to configure the connection string
specific to each client?
First, you need to identify whether it's a database per client (machine?), user identity authenticating, or some other identifier. For example, if it's per account, then two machines may be able to authenticate as that account and get the same storage.
Once you have that identifier, you'll need a master table somewhere with a map of account to database connection string. You'll probably also want to cache that table in memory to avoid two db roundtrips on every request.
That global configuration information is typically stored in a database. You could go as simple as a file but that would cause problems if you ever wanted to scale out your front end servers, so common storage is best.
My asp.net session objects are storing in SQL server.I am storing an ID in session. If client open another browser and storing different ID in session. I need to notify client is “are you sure you want both ID’s open?” in same based user logged user.
Application runs on logged in user (not anonymous)
How can we check this in asp.net?
Session is not linked to an authenticated user, and there is no way of accessing an other connection's Session without knowing its SessionID.
Usually this kind of problem can be solved using cache instead of session state. With cache you can create your own user-based keys to store data. Depending on whether you are planning to just run your web app on one server or in a web farm environment, you can either use asp.net in-process cache or one of numerous distributed cache solutions (like memcached which I'm using in my web projects with great success).
There are a couple ways to go about this:
Option #1, in your user table, add a value called "session id"
When a user logs in, check to see what their last session id was. Then test to see if it's still a valid session. If it is, ask them what they want to do. Store the latest session id in that table after each log in.
However, I'd go with option #2: Don't do this. If the user wants to open multiple browser windows to access your application then let them. There's probably a pretty good reason for it. Most (as in nearly all) users have no idea what "session state" even means and they really have no desire to know. All they care about is getting their job done.
I have been tasked with developing a single Login and Dashboard page that user can login too, the user will then be shown all the systems (we developed) that they have access based to based on some roles stored in our databases.
If they logged in we would like that "User Session" (not sure of correct terminology) to be carried to which ever system they are redirected too.
To illustrate a very rough overview of what I want to achieve:
alt text http://www.pcbg.co.za/attachment.php?attachmentid=12165&d=1268903524
Is there a way that a user can login in one site, and then carry over that login to the other sites?
Help, Advice, Link will be much appreciated.
Sorry I am not experienced at ASP.net but have a good understanding of Silverlight, C#, WPF.
Thanks in advance.
You can use the concepts of single-sign on. You can manage your session data as out-proc, i.e. in a SQL server or a State server. Here are couple of links which will give you some pointers:
ASP Allaince
MSDN
Edit: Alo look at this question in SO:
One method that I would use is that you implement your own authentication system - almost like the ASP.NET 1.x days. However, the trick is that you establish a cookie for each domain (host part of the URL) with an authentication cookie.
If all of those systems are running on the same server, I am sure you will be able to use all the FormsAuthentication methods and the Membership API. If they are not [edit: hosted on the same server], then ensure that they configured to encrypt the authentication cookies with the same keys. Implementation of this bit will be by what mileage you need to do...
One thing to notice is that you may also establish only one cookie is sent to the browser but shared by all the applications. Imagine that you have the following URL's:
dashboard.com
myapp1.dashboard.com
myapp2.dashboard.com
myapp3.dashboard.com
Setting a single cookie to the domain "dashboard.com" will send and share the same cookie to all the other domains.
The shared session states as described by the other posters will not work. The way session variables work on the server is that an unique key is generated on the server for your data storage (whatever the medium is: in proc, out of proc, SQL server). That unique key is stored in a cookie where it is sent to your browser as the host part.
I hope that gives you some insight on how to go about tackling the single sign in solution that you are making.
One way would be to use the session state service that ASP.NET provides. Basically once the user logs in, that session could be stored on a separate process (and not be a part of aspnet_wp). All your applications would need to be modified to go to that machine to fetch user authentication status. Search Google/MSDN for Session Management techniques.