I am using DotNetOpenAuth to identify Google users. I am currently retrieving their e-mail address and saving a copy of that in my database. However, what if they change their e-mail address in their Google account? Then my copy can no longer be linked to their profile.
Is there a way to uniquely identify a Google account through DotNetOpenAuth?
Always use the IAuthenticationResponse.ClaimedIdentifier to uniquely identify users!
OpenID's security model is based on this design. Using email addresses is insecure in many ways. Any Provider can issue a positive assertion claiming that the user owns a particular email address. OpenID doesn't prevent the OP from lying about email addresses, so if you just used email addresses as the user key then you'd be wide open to user spoofing attacks. Even if the OP isn't trying to be dishonest, you couldn't generally trust it because you don't know whether the OP verified the email address or simply asked the user what their email address was.
Even if you trust Google to not lie, there are several reasons (some of them can be mitigated, but aren't obvious) to not treat email address as the user identifier. For example, Google lets users change the email address behind their Google account. If the user did this and then returned to your web site, your site would identify them as a different user. Even worse, if another user later claimed a recycled email address for their new Google account, your site would recognize them as the older user and give the new user access to a bunch of old user data.
OpenID Claimed Identifiers are designed to avoid all this trouble.
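As an added example (not code from the answer above or from DotNetOpenAuth itself), the following console program models the two failure modes the answer describes. Two in-memory stores stand in for the database: one keyed on the OpenID Claimed Identifier, the other on the e-mail address. The identifiers and addresses are constructed; `ResolveByClaimedIdentifier` is where a DotNetOpenAuth relying party would pass `response.ClaimedIdentifier.ToString()` after checking that `response.Status` is `AuthenticationStatus.Authenticated`.

```csharp
// Added example: why the relying party keys its user table on the ClaimedIdentifier.
// In-memory dictionaries replace the database; every identifier below is constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class LocalUser
{
    public int Id { get; }
    public string ClaimedIdentifier { get; }   // stable OpenID identifier: the login key
    public string Email { get; set; }           // contact data only; may change or be recycled

    public LocalUser(int id, string claimedIdentifier, string email)
    {
        Id = id;
        ClaimedIdentifier = claimedIdentifier;
        Email = email;
    }
}

public sealed class UserStore
{
    private readonly Dictionary<string, LocalUser> byClaimedId =
        new Dictionary<string, LocalUser>(StringComparer.Ordinal);
    private int nextId = 1;

    // Correct: resolve the account from the assertion's ClaimedIdentifier.
    // The e-mail from the assertion only refreshes contact data; it never selects the account.
    public LocalUser ResolveByClaimedIdentifier(string claimedId, string assertedEmail)
    {
        if (byClaimedId.TryGetValue(claimedId, out var user))
        {
            if (!string.IsNullOrEmpty(assertedEmail))
                user.Email = assertedEmail;
            return user;
        }
        user = new LocalUser(nextId++, claimedId, assertedEmail);
        byClaimedId[claimedId] = user;
        return user;
    }

    // Insecure, kept only for contrast: whoever is asserted with a matching address
    // is handed the existing account, regardless of which identifier the OP asserted.
    public LocalUser ResolveByEmailInsecure(string claimedId, string assertedEmail)
    {
        var existing = byClaimedId.Values.FirstOrDefault(
            u => string.Equals(u.Email, assertedEmail, StringComparison.OrdinalIgnoreCase));
        return existing ?? ResolveByClaimedIdentifier(claimedId, assertedEmail);
    }
}

public static class Program
{
    // Constructed identifiers in the shape Google's OpenID 2.0 endpoint issued; not real accounts.
    private const string AliceId   = "https://www.google.com/accounts/o8/id?id=EXAMPLE-ALICE";
    private const string MalloryId = "https://www.google.com/accounts/o8/id?id=EXAMPLE-MALLORY";

    public static void Main()
    {
        // Keyed by ClaimedIdentifier: an address change keeps the same account, and a
        // recycled address presented under another identifier gets a fresh account.
        var safe = new UserStore();
        var alice = safe.ResolveByClaimedIdentifier(AliceId, "alice@example.com");
        var aliceAgain = safe.ResolveByClaimedIdentifier(AliceId, "alice.new@example.com");
        var mallory = safe.ResolveByClaimedIdentifier(MalloryId, "alice@example.com");
        Console.WriteLine($"same user after address change: {alice.Id == aliceAgain.Id}");
        Console.WriteLine($"recycled address got its own account: {mallory.Id != alice.Id}");

        // Keyed by e-mail: the second identifier is handed Alice's account and all her data.
        var unsafeStore = new UserStore();
        var alice2 = unsafeStore.ResolveByEmailInsecure(AliceId, "alice@example.com");
        var mallory2 = unsafeStore.ResolveByEmailInsecure(MalloryId, "alice@example.com");
        Console.WriteLine($"e-mail key confused the two users: {alice2.Id == mallory2.Id}");
    }
}
```

The e-mail-keyed path is the one to delete from a real relying party; it is included so the recycled-address case from the answer can be watched happening.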
I've created an ASP.net web page that allows the user to create an account. This site is purely for my own practice with the environment, but I have a question about the best way to handle logging in.
My site is more or less (eventually) going to be similar to Twitter.
When the user signs up for the site, they are required to put in a company ID number and a handle. In addition, they have an option of adding an email address, if so desired.
On my login page, I want the user to be able to login with any of those three options (email address, company ID, or handle).
The confusion that I'm running into: what if someone makes a handle that is the same as someone else's ID? How do I handle that?
Would the best option be to validate based off of the (salted and hashed) password if it matches more than one? I would guess no, but I'm not sure.
Now, I know that there are a lot of different options to alleviate this problem (require at least one letter in the user handle being the primary one that comes to mind, or as someone commented, adding a constraint to deny the creation if the ID already exists), but since this is just a mental exercise for me I figure I should learn something about it.
Let users specify the type of credentials they are providing.
Create a separate login form for each type of credentials: company ID, handle, e-mail address. When a user visits the site, you ask them to select the type of credentials they are providing. You could even remember this preference in the browser's storage.
When the form is posted, you know exactly what to validate. You don't have to worry about a handle being the same as a company ID. Store company ID, handle, and e-mail address as separate fields in the database with each user's account.
This is similar to sites which use federated authentication and give users the option to sign in with Google or Facebook.
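The separate-form approach, as an added example that is not part of the answer above: the form tells the server which column to look up, so a handle that happens to equal another account's company ID is never compared against it. The store is in memory, the accounts are constructed, and the password handling uses PBKDF2 from `System.Security.Cryptography`; it assumes .NET 6 or later.

```csharp
// Added example: login keyed on the credential type the user selected on the form.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public enum CredentialType { CompanyId, Handle, Email }

public sealed class Account
{
    public string CompanyId { get; init; }
    public string Handle { get; init; }
    public string Email { get; init; }        // optional; null when the user gave none
    public byte[] Salt { get; init; }
    public byte[] PasswordHash { get; init; }
}

public static class PasswordHasher
{
    private const int Iterations = 100_000;

    public static byte[] Hash(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(password), salt, Iterations,
                                  HashAlgorithmName.SHA256, 32);

    public static bool Verify(string password, byte[] salt, byte[] expected) =>
        CryptographicOperations.FixedTimeEquals(Hash(password, salt), expected);
}

public sealed class AccountStore
{
    private readonly List<Account> accounts = new List<Account>();

    public Account Register(string companyId, string handle, string email, string password)
    {
        // Uniqueness is enforced per column only; a handle may equal another account's
        // company ID because the two columns are never compared with each other.
        if (accounts.Any(a => a.CompanyId == companyId))
            throw new InvalidOperationException("company ID already registered");
        if (accounts.Any(a => a.Handle == handle))
            throw new InvalidOperationException("handle already taken");
        if (email != null && accounts.Any(a => a.Email == email))
            throw new InvalidOperationException("e-mail already registered");

        var salt = RandomNumberGenerator.GetBytes(16);
        var account = new Account
        {
            CompanyId = companyId, Handle = handle, Email = email,
            Salt = salt, PasswordHash = PasswordHasher.Hash(password, salt)
        };
        accounts.Add(account);
        return account;
    }

    // Returns the account on success and null otherwise; the caller is not told
    // whether the identifier or the password was the part that failed.
    public Account Login(CredentialType type, string identifier, string password)
    {
        Account candidate;
        switch (type)
        {
            case CredentialType.CompanyId:
                candidate = accounts.FirstOrDefault(a => a.CompanyId == identifier); break;
            case CredentialType.Handle:
                candidate = accounts.FirstOrDefault(a => a.Handle == identifier); break;
            case CredentialType.Email:
                candidate = accounts.FirstOrDefault(a => a.Email != null && a.Email == identifier); break;
            default:
                return null;
        }
        if (candidate == null)
            return null;
        return PasswordHasher.Verify(password, candidate.Salt, candidate.PasswordHash) ? candidate : null;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new AccountStore();
        store.Register("1001", "bob", null, "bob-secret");                // constructed accounts
        store.Register("2002", "1001", "eve@example.com", "eve-secret");  // handle equals Bob's company ID

        var byCompanyId = store.Login(CredentialType.CompanyId, "1001", "bob-secret");
        var byHandle = store.Login(CredentialType.Handle, "1001", "eve-secret");
        Console.WriteLine($"company ID 1001 -> handle {byCompanyId?.Handle}");
        Console.WriteLine($"handle 1001 -> company ID {byHandle?.CompanyId}");
        Console.WriteLine($"wrong type rejected: {store.Login(CredentialType.Handle, "1001", "bob-secret") == null}");
    }
}
```

The last line shows the point of the design: Bob's password is useless against the handle form, because that form only ever consults the handle column.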
I have a registration page that sends a Welcome SMS for every registered user where the username is the user's mobile number.
In the welcome SMS there is an activation code to complete the registration process.
I also use a Captcha control to prevent people from using bots.
The problem is that some bad users are using the registration page to send SMS messages to random mobile numbers, which makes me lose SMS credit.
Getting the MAC address of a website visitor is impossible. If it were possible, I would solve the problem by adding the anonymous bad visitors to a blacklist data table after, say, 3 different unverified mobile numbers.
My question is: is there any technique to identify a visitor in ASP.NET or IIS?
Your question is answered in How can I Identify unique users on my website even IP is changed or browser data has been cleared? and How do I uniquely identify computers visiting my web site?. It can be done by combining the IP address and 'browser fingerprint'.
While this may be enough, I suspect that the malicious users will do anything possible to avoid being detected by these techniques. They can use a proxy server, a botnet, or other anonymizers like Tor to change IP address for every request, and they can craft their requests to fake random browsers.
To ultimately overcome this issue, you can, for example, add a Verified bit for each user and only send them an SMS after you have verified their account.
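An added example, not code from the question or the answer: the blacklist the questioner describes, keyed on the IP-plus-browser-attribute combination the answer points to. A visitor key is a hash of the remote address and two request headers; a visitor with three unverified numbers outstanding is refused further sends and blacklisted, each number is capped independently, and completing activation frees the slot. State is in memory, and all addresses, headers and numbers are constructed. Assumes .NET 6 or later.

```csharp
// Added example: per-visitor throttling of the welcome SMS before it is sent.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class SmsAbuseGuard
{
    private const int MaxSendsPerNumber = 3;
    private readonly int maxUnverifiedPerVisitor;
    private readonly Dictionary<string, HashSet<string>> pendingByVisitor = new();
    private readonly Dictionary<string, int> sendsPerNumber = new();
    private readonly HashSet<string> blacklist = new();

    public SmsAbuseGuard(int maxUnverifiedPerVisitor = 3)
    {
        this.maxUnverifiedPerVisitor = maxUnverifiedPerVisitor;
    }

    // Opaque visitor key: hashing keeps raw IPs and headers out of the blacklist table.
    public static string VisitorKey(string remoteAddr, string userAgent, string acceptLanguage)
    {
        var raw = string.Join("\n", remoteAddr ?? "", userAgent ?? "", acceptLanguage ?? "");
        return Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(raw)));
    }

    // Call before sending; false means do not send.
    public bool TryAllowSend(string visitorKey, string mobileNumber)
    {
        if (blacklist.Contains(visitorKey))
            return false;

        sendsPerNumber.TryGetValue(mobileNumber, out var sends);
        if (sends >= MaxSendsPerNumber)
            return false;                      // one number cannot be hammered either

        if (!pendingByVisitor.TryGetValue(visitorKey, out var pending))
            pendingByVisitor[visitorKey] = pending = new HashSet<string>();

        if (!pending.Contains(mobileNumber))
        {
            if (pending.Count >= maxUnverifiedPerVisitor)
            {
                blacklist.Add(visitorKey);     // a fourth distinct unverified number: blocked
                return false;
            }
            pending.Add(mobileNumber);
        }
        sendsPerNumber[mobileNumber] = sends + 1;
        return true;
    }

    // Called when the activation code from the SMS is entered correctly.
    public void MarkVerified(string visitorKey, string mobileNumber)
    {
        if (pendingByVisitor.TryGetValue(visitorKey, out var pending))
            pending.Remove(mobileNumber);
    }

    public bool IsBlacklisted(string visitorKey) => blacklist.Contains(visitorKey);

    public int PendingCount(string visitorKey) =>
        pendingByVisitor.TryGetValue(visitorKey, out var pending) ? pending.Count : 0;
}

public static class Program
{
    public static void Main()
    {
        var guard = new SmsAbuseGuard(maxUnverifiedPerVisitor: 3);

        // Constructed abusive visitor: four different numbers, none ever activated.
        var abuser = SmsAbuseGuard.VisitorKey("203.0.113.9", "Mozilla/5.0 (constructed)", "en-US");
        foreach (var number in new[] { "+15550000001", "+15550000002", "+15550000003", "+15550000004" })
            Console.WriteLine($"{number}: {(guard.TryAllowSend(abuser, number) ? "sent" : "refused")}");
        Console.WriteLine($"abuser blacklisted: {guard.IsBlacklisted(abuser)}");

        // Constructed honest visitor: one number, activation completed, slot released.
        var honest = SmsAbuseGuard.VisitorKey("198.51.100.20", "Mozilla/5.0 (constructed)", "en-GB");
        guard.TryAllowSend(honest, "+15550000010");
        guard.MarkVerified(honest, "+15550000010");
        Console.WriteLine($"honest visitor pending numbers: {guard.PendingCount(honest)}");
    }
}
```

As the answer notes, a determined abuser rotates addresses and browser strings, so this key is a cost-raising measure and the per-number cap is the part that still holds when the visitor key keeps changing.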
I am developing an MVC 4 app and use the OAuth providers provided by MS, but I would like to get an e-mail address for every user. For Google (default) and Facebook (using FacebookClient) I already get the user's address, but what to do about the following:
Twitter (I have read it is not possible - still true?)
Microsoft - solved (see comments)
Yahoo - works (see comment)
LinkedIn - solved via own provider like for MS
And what about, when it is not possible via OAuth like with Twitter?
I've read in different threads it is not good/secure to just ask the user for it. Is it "secure enough" if I also require a verification via e-mail to actually use the address (but not the account in general) as I (will) do when changing the address?
The purpose of OAuth is not to provide email addresses; it's to provide authentication in a standardized way. Just because a lot of the implementations also happen to give you the option of an email address doesn't mean that all of them must comply. Twitter is a case in point.
Why would asking a user for their email address not be "secure"?
I would question that. I mean, if you can't trust a user's input regarding their email address, what can you trust them with? If you're using some sort of confirmation mail system it would surely be fine?
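The confirmation step both the question and the answer rely on, as an added example that is not from either post: the user-supplied address is stored as pending, a random token goes out in the confirmation link, and only a hash of the token is kept server-side, so a copied table cannot be used to confirm addresses. The address becomes usable only after the token comes back before its expiry. Storage is in memory, the clock is injected so the expiry path can be exercised, and the user ids and addresses are constructed. Assumes .NET 6 or later.

```csharp
// Added example: e-mail address verification with a hashed, expiring token.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class EmailVerifier
{
    private sealed class Pending
    {
        public string Email;
        public byte[] TokenHash;
        public DateTimeOffset ExpiresAt;
    }

    private readonly Dictionary<int, Pending> pendingByUser = new();
    private readonly Dictionary<int, string> verifiedByUser = new();
    private readonly Func<DateTimeOffset> clock;
    private readonly TimeSpan lifetime;

    public EmailVerifier(Func<DateTimeOffset> clock, TimeSpan lifetime)
    {
        this.clock = clock;
        this.lifetime = lifetime;
    }

    // Returns the token to embed in the confirmation link sent to the address.
    // Only its hash is stored, so reading the table does not yield usable tokens.
    public string BeginVerification(int userId, string email)
    {
        var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        pendingByUser[userId] = new Pending
        {
            Email = email,
            TokenHash = HashToken(token),
            ExpiresAt = clock() + lifetime
        };
        return token;
    }

    // Called when the link is followed. Expired or mismatching tokens leave the
    // address unverified; a correct token promotes it and discards the pending entry.
    public bool Confirm(int userId, string presentedToken)
    {
        if (!pendingByUser.TryGetValue(userId, out var pending))
            return false;
        if (clock() > pending.ExpiresAt)
        {
            pendingByUser.Remove(userId);
            return false;
        }
        if (!CryptographicOperations.FixedTimeEquals(HashToken(presentedToken ?? ""), pending.TokenHash))
            return false;

        verifiedByUser[userId] = pending.Email;
        pendingByUser.Remove(userId);
        return true;
    }

    // The address the application may actually use; null until confirmed.
    public string VerifiedEmail(int userId) =>
        verifiedByUser.TryGetValue(userId, out var email) ? email : null;

    private static byte[] HashToken(string token) =>
        SHA256.HashData(Encoding.UTF8.GetBytes(token));
}

public static class Program
{
    public static void Main()
    {
        var now = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);   // constructed clock
        var verifier = new EmailVerifier(() => now, TimeSpan.FromHours(1));

        var token = verifier.BeginVerification(7, "user@example.com");       // would be e-mailed
        Console.WriteLine($"wrong token accepted: {verifier.Confirm(7, "not-the-token")}");
        Console.WriteLine($"usable before confirmation: {verifier.VerifiedEmail(7) ?? "(none)"}");
        Console.WriteLine($"right token accepted: {verifier.Confirm(7, token)}");
        Console.WriteLine($"usable after confirmation: {verifier.VerifiedEmail(7)}");

        var lateToken = verifier.BeginVerification(8, "late@example.com");
        now = now.AddHours(2);                                              // past the lifetime
        Console.WriteLine($"expired token accepted: {verifier.Confirm(8, lateToken)}");
    }
}
```

Keeping the verified address in a separate field from the pending one is what lets the account itself keep working, as the question asks, while the address is withheld from mail-outs until it has been proven.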
I am doing a little work with Facebook Connect and wondering how on Stack Overflow for example, you are able to login using another login provider such as Facebook or Yahoo, and for the site to be able to pick up your user details as you registered them on Stack Overflow? As far as I am aware, you could have registered using a different email address and your first name and last name are not unique identifiers, so how is it done?
It all depends on your use case. For example, I use the e-mail address as a unique identifier. When you log in with Facebook, my portal also asks your e-mail address from Facebook. Then, it searches a user object with a matching e-mail address from the database.
There is more than one way of doing this:
Only allow login via Facebook. Then you can definitely identify all of your users via their e-mail address.
Allow logging in via Facebook and a username/password too, but require your users to use the same e-mail address in both places.
Allow logging in via Facebook and a username/password too, and allow your users to use different e-mail addresses for each. This is the most complicated option. Most sites solve this by requiring the user to 'pair' their Facebook account with their site account. This means that first time it is set up, users need to log in to the site, and while they're logged in to the site, they can log in to Facebook. Then your site stores their Facebook identity (no e-mail required in this case, just store the user id in a field). After this, the users can login via Facebook only, and you can pair their Facebook user id with the corresponding user object in your own database.
If you have any questions, just write them in the comments. :)
You would most likely add a new column on to your user table such as facebook_uid. Then, if a user has an existing account, you would get them to sign in to that first, before connecting to Facebook; you can then store their facebook_uid against your existing user_id. Then if the user turns up and is already signed in to Facebook, you can sign them into your website as well. If the user doesn't have an existing account on your site, you would simply create one (possibly filling it with the user's name from Facebook).
If you wanted to allow multiple methods of sign in, you could potentially have another table that holds a mapping between a provider (facebook,twitter,google etc) and the associated id for that account back to your user table.
The basics are, when they sign in with a 3rd party login system, you either map it to a current account on your site, or you create a new account on your site if one does not already exist, and you map the account to it. You would obviously need to make this clear to your users, or have some way to merge accounts in case they aren't already signed in when they use a 3rd party. You could also potentially ask for email access from Facebook and try to map that to an existing account, before creating a new one.
Thanks
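The mapping table and pairing flow from the two answers above, as an added example that is not code from either post and generalises from the single facebook_uid column to a (provider, provider uid) table covering any number of providers. A provider sign-in is matched against that table first; failing that, it is linked to the account the visitor is already signed in to; failing that, a new account is created. Tables are in memory and every id is constructed. Assumes .NET 6 or later.

```csharp
// Added example: external-login mapping table with pair-while-signed-in linking.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class LocalAccount
{
    public int UserId { get; }
    public string DisplayName { get; }

    public LocalAccount(int userId, string displayName)
    {
        UserId = userId;
        DisplayName = displayName;
    }
}

public sealed class AccountLinker
{
    private readonly Dictionary<int, LocalAccount> users = new();
    // The mapping table: one row per (provider, uid) pointing back at the local user id.
    private readonly Dictionary<(string Provider, string ProviderUid), int> externalLogins = new();
    private int nextUserId = 1;

    // Ordinary username/password registration on the site itself.
    public LocalAccount CreateLocalAccount(string displayName)
    {
        var account = new LocalAccount(nextUserId++, displayName);
        users[account.UserId] = account;
        return account;
    }

    // currentUserId is the local session's user, if the visitor is already signed in.
    public LocalAccount SignInWithProvider(string provider, string providerUid,
                                           string displayName, int? currentUserId)
    {
        var key = (provider, providerUid);

        if (externalLogins.TryGetValue(key, out var knownUserId))
            return users[knownUserId];          // already paired: the uid identifies the user

        if (currentUserId.HasValue && users.TryGetValue(currentUserId.Value, out var existing))
        {
            // Pairing: the visitor has just proven control of both accounts in one session.
            externalLogins[key] = existing.UserId;
            return existing;
        }

        // Unknown uid and no local session: a new account, pre-filled from the provider's name.
        var created = CreateLocalAccount(displayName);
        externalLogins[key] = created.UserId;
        return created;
    }

    public IReadOnlyList<(string Provider, string ProviderUid)> LinkedLogins(int userId) =>
        externalLogins.Where(kv => kv.Value == userId).Select(kv => kv.Key).ToList();
}

public static class Program
{
    public static void Main()
    {
        var linker = new AccountLinker();

        // Existing user pairs a provider account while signed in with her site password.
        var alice = linker.CreateLocalAccount("Alice");
        var paired = linker.SignInWithProvider("facebook", "fb-100001", "Alice", currentUserId: alice.UserId);
        Console.WriteLine($"paired to existing account: {paired.UserId == alice.UserId}");

        // Later visit with no local session: the mapping table resolves her.
        var later = linker.SignInWithProvider("facebook", "fb-100001", "Alice", currentUserId: null);
        Console.WriteLine($"resolved by provider uid: {later.UserId == alice.UserId}");

        // Same display name but a different provider uid is a different person: new account.
        var other = linker.SignInWithProvider("google", "g-555", "Alice", currentUserId: null);
        Console.WriteLine($"separate account created: {other.UserId != alice.UserId}");
        Console.WriteLine($"logins linked to Alice: {string.Join(", ", linker.LinkedLogins(alice.UserId))}");
    }
}
```

The third case is the one the answers warn about: without a local session there is nothing that proves the Google uid belongs to the Alice already on file, so the code creates a separate account and leaves merging to an explicit, authenticated pairing step rather than guessing from the name.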
If I have a generic public asp.net website, I want to know who is visiting my website (I know how to get that), but more importantly, I want to know what company the user is from (is this a Microsoft employee viewing my website, or a Coca Cola employee viewing my site, or is this person using a home computer to view my site). How can I determine the computer's domain name? Hope this is making sense.
Update: At most companies, I have seen the company name included as the "Full Computer Name" or the Domain value in "Computer name, domain and workgroup settings". That's what I am looking to access.
You cannot do this with any absolute certainty - it suffers from a similar issue to getting their computer name, although you may have some success.
What you can try, is to do a reverse lookup on the IP address and take the domain part of the address (see previous link for code sample).
However, especially for smaller companies, this may just resolve to an ISP's domain, or perhaps not resolve at all. For home users it will almost certainly just be the ISP.
The other thing you could try, is to do a WHOIS on the IP address. This may give you an indication of the company; again, for smaller companies this is more likely to just be an ISP.
You can use Request.ServerVariables("remote_addr") to find the IP address that is being passed to you from the client and then use it to find out where it's coming from. A word of warning though: IP addresses can be spoofed, plus you may just be getting the address of a proxy server, so these things aren't exact.
After you get the ip address you'll need to do a whois lookup to find out who it's from. You may want to look here to find a whois api.
Also, you may just consider running some sort of web log analysis through WebTrends or some other analysis tool to get the same information in batch form, because all of this information is more than likely already being stored in your web server logs.
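An added example, not code from either of the two answers above, combining the reverse lookup suggested earlier with the proxy warning just given: the client address is taken from REMOTE_ADDR unless the TCP peer is one of your own reverse proxies, in which case the forwarded header is consulted; the address is then resolved to its PTR name and the last two labels are returned as a hint of the owning domain. The lookup needs network access; the addresses, header values and proxy list are constructed.

```csharp
// Added example: client address selection and reverse DNS as a company hint.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Sockets;

public static class VisitorOrigin
{
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy that peer is the proxy itself,
    // and X-Forwarded-For is attacker-controlled unless the peer is a proxy you operate.
    public static string ClientAddress(string remoteAddr, string xForwardedFor, ISet<string> trustedProxies)
    {
        if (string.IsNullOrEmpty(xForwardedFor) || !trustedProxies.Contains(remoteAddr))
            return remoteAddr;

        // Leftmost entry is the client as seen by the first proxy in the chain.
        var first = xForwardedFor.Split(',')
                                 .Select(s => s.Trim())
                                 .FirstOrDefault(s => IPAddress.TryParse(s, out _));
        return first ?? remoteAddr;
    }

    // PTR lookup; null when the address is malformed or has no reverse record.
    public static string ReverseLookupHost(string ip)
    {
        if (!IPAddress.TryParse(ip, out var address))
            return null;
        try
        {
            return Dns.GetHostEntry(address).HostName;
        }
        catch (SocketException)
        {
            return null;
        }
    }

    // Crude "domain part": the last two labels of the host name. A hint only: wrong for
    // names under country-code second-level domains, and meaningless for ISP address pools.
    public static string DomainPart(string hostName)
    {
        if (string.IsNullOrEmpty(hostName))
            return null;
        var labels = hostName.TrimEnd('.').Split('.');
        return labels.Length >= 2 ? string.Join(".", labels.Skip(labels.Length - 2)) : hostName;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed: one proxy of our own, one request through it, one direct request
        // that carries a forged header and must not be believed.
        var ourProxies = new HashSet<string> { "10.0.0.5" };

        var viaProxy = VisitorOrigin.ClientAddress("10.0.0.5", "198.51.100.7, 10.0.0.5", ourProxies);
        var direct = VisitorOrigin.ClientAddress("203.0.113.44", "192.0.2.1", ourProxies);
        Console.WriteLine($"through our proxy, client is {viaProxy}");
        Console.WriteLine($"direct with forged header, client is {direct}");

        // Reverse lookup of the loopback address works offline and shows the shape of the result;
        // for a real visitor the host name is often just the ISP's, as the answers warn.
        var host = VisitorOrigin.ReverseLookupHost("127.0.0.1");
        Console.WriteLine($"PTR: {host ?? "(none)"}, domain hint: {VisitorOrigin.DomainPart(host) ?? "(none)"}");
    }
}
```

Treat the domain hint as analytics input, never as an access decision: both the PTR record and the forwarded header are set by parties other than you.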
You cannot access computer name / domain name credentials without the user actually logging on to your public website with those credentials. If that were the case, you could access the remotely logged-on user using:
Request.ServerVariables["REMOTE_USER"]
The only way to get close to what you are asking is to use third party software. Maxmind.com is just one company that has a Geo location service. You can see that they offer an organisation field in their IP-to-City lookup.
If a user accesses your website from within a corporate network, Maxmind should have that data as part of their database, which you can then use.
Remember that the organisation refers to the IP address (netblock) owner. Therefore, should the user access your website from home, or from a mobile device, or anywhere outside the corporate network (or Maxmind has incorrect or incomplete data), then the data would be missing, misleading or flat wrong. The organisation needs to be big enough to own and register its own IP address block.
This info may also be available in Google Analytics.