ASP.Net client caching on authenticated pages - c#

Our web app currently under development has authentication on all the pages.
We can deny a user access to any particular page but have found that if a user had previously opened the page that they can still access the page via the url. [Even if they log out and log in]
Assuming that the page is coming from client cache [Ctrl F5 in IE kicks in the proper authentication behavior or clearing the client cache]
A lot depends on how we have implemented the authentication but a quick fix on our side would be from within the admin section where we deny access to certain pages that we expire client cache for that page.
Is there a way to do this programmatically?
This would mean that client caching would continue to work as normal for all other users that still had access to the page in question.

You can add this line to your Page base class or anywhere in a specific page you want to disable caching on.
Response.Cache.SetCacheability(HttpCacheability.NoCache);
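The call from the answer above, applied to every authenticated response through an HTTP module so that no page is missed. This is an added example, not code from the original answer; it goes beyond the single line by also sending no-store and an expired Expires header, and the module name is hypothetical.

```csharp
using System;
using System.Web;

// Hypothetical module name (an assumption of this example). Register it
// under <system.webServer><modules> in web.config.
public sealed class AuthenticatedNoCacheModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PostAuthorizeRequest fires once the user is known and URL
        // authorization has passed, before the page handler runs.
        app.PostAuthorizeRequest += OnPostAuthorize;
    }

    private static void OnPostAuthorize(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsAuthenticated)
            return; // anonymous responses keep their normal caching

        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache); // the call from the answer
        cache.SetNoStore();                              // also send no-store
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));   // for caches that only honour Expires
    }

    public void Dispose() { }
}
```

Copies the browser stored before these headers were sent stay in its cache until they expire or are cleared.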

Related

Web Site Security - 1 main site, 1 secondary site hosted within the main site

Scenario:
ASP.NET 5 / Razor Pages / C#
We have one main site, with very good security. In the background, all passwords are encrypted. Also, a log is made of all logon usernames, from which IP addresses, at whatever time accessed.
We have a second site that is hosted within the main site visually on the front end via iframes mostly, but not on the server. They won't live together in the same web app.
Problem:
I need to ensure that the secondary site access is secure, whilst relying on the fact that the user already logged on successfully via the main website. I don't want the user to need to logon twice to two systems, rather I want the single logon to fluidly allow access to the secondary site.
I have a method I am using now. It works, but I really want to delve in and see if I can improve this given I'm not heavy on experience in terms of website security. I'm sure there is a better way.
Options?
From a security point of view, using iframes, the two sites are independent.
So you need to guarantee that the security process is issued on both sides.
You have several possibilities, but the best, I think, is to revalidate the user in the "iframed" website.
You can use a token, generated from the main website and stored in a backend DB, and pass it to the iframe URL.
The endpoint of the iframe has to read the token, call a backend API to validate it and allow the access.
The main problem you have is to refresh the token after a reasonable time, in order to ensure the validity during the use of the "iframed" website.
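One way to implement the token hand-off described in the answer above, as an added example that is not part of the original answer. `FrameTokenStore` and its method names are hypothetical, the in-memory dictionary stands in for the backend DB, and the example assumes short-lived, single-use tokens, with the framed site starting its own session after a successful redeem.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example. FrameTokenStore is a hypothetical name; the in-memory
// dictionary stands in for the backend DB table the answer mentions.
public sealed class FrameTokenStore
{
    private sealed class Entry { public string User; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Entry> _byHash =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public FrameTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Main site: call for an already authenticated user and append the
    // returned value to the iframe URL.
    public string Issue(string user)
    {
        byte[] raw = new byte[32]; // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(raw); }
        string token = Convert.ToBase64String(raw)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_'); // URL-safe
        // Only a hash is stored, so a leaked table does not yield usable tokens.
        _byHash[Hash(token)] = new Entry { User = user, ExpiresUtc = DateTime.UtcNow.Add(_lifetime) };
        return token;
    }

    // Validation API called by the framed site: returns the user name, or
    // null for an unknown, expired or already used token.
    public string Redeem(string token)
    {
        Entry entry;
        if (string.IsNullOrEmpty(token) || !_byHash.TryRemove(Hash(token), out entry))
            return null; // TryRemove makes the token single-use
        return entry.ExpiresUtc > DateTime.UtcNow ? entry.User : null;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

A lifetime of a minute or two is enough here, because the token only has to survive the redirect into the iframe.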

Asp.net WebForm - Session data lost between Requests, when having web app framed(via Iframe) inside another domain

Problem:
Asp.net WebForm application is losing its session data (losing ASP.NET_SessionId cookie) between any Requests, when having web app framed (via Iframe) inside another app hosted in another domain.
Our Setup:
We have 2 applications - each hosted in its own domain (not subdomains);
1st being an asp.net webform (.Net 4.6.1) app, let's say A,
Another application (not on .Net), let's say B.
A (webform) is being framed/opened inside an iframe from B (not .Net).
Problem in Detail
When A first opens in a Bootstrap popup (using an iframe) inside B, it shows an aspx page.
From there, if the user does any operation within the iframe which makes another request to A itself within the iframe (postback or redirect),
then the previous session (internally the ASP.NET_SessionId session cookie) is lost and a new session/cookie is re-created.
This breaks application logic/behaviors as we need an active session for all requests of A.
Solutions Tried
We are going to follow one of the below (either via code or the configuration options available in 4.7.2); we have tried one at POC level and it seems to fix the original session-loss issue.
ASP.NET webform loses session when getting posted data from another domain
ASP.NET_SessionId cookie value is alway Lax in the SameSite
Queries I have
Will using the option of setting samesite as none, and the cookie to be secured (if app A is always accessed via https), cause any additional security risk? - If both A and B are owned by us and in our domains.
If yes, what is the risk involved? Can it be recommended for use on a production box for the setup we have?
I understand that even with the above option, we will still lose session data when our app B is opened in Chrome's incognito window and B then tries to open A in an iframe?
Is that correct?
If yes, what are solutions/alternatives or even workarounds (only as a last resort)?
I found one, but that recommends using cookieless session, which we can't as our authentication is based on cookies.
Let me know please if need any additional details. Thank you.

URL rewrite in ASP.NET application

How do I redirect a URL based on the registered client in C# .NET or ASP.NET 4.0? For example, if a client registers as "client1" and our website is www.mycompany.com, every page the client proceeds to should get www.client1.mycompany.com.
More detailed example:
For example, another client created is Client2. The pages I have created in general are like
"www.mycompany.com/product.aspx"
"www.mycompany.com/categories.aspx" should be shown as
"www.client2.mycompany.com/product.aspx" and
"www.client2.mycompany.com/categories.aspx" respectively
I have searched on the web and found solutions for static pages or using Global.asax during startup of the application, but haven't found anything for after the user has logged in.
I have done something similar before in a few sites and there are a couple of methods you could use. Assuming that you have a URL set up so that all subdomains (*.url.com) will send any user to your server and you have IIS set up to handle them all (i.e. no host header required, just IP) in the same site, you can use one of the following methods:
1. After login simply send the user to that URL. Since .Net won't care the URL the server knows how to render it, then it should be that simple. This assumes all your navigation uses relative paths and you must enable cookie sharing for that domain. This is required if the cookie for login was given on 1.url.com and you send them to 2.url.com. You can share cookies in the same domain; it requires a little work, but can be done.
2. Create a generic login page that does a web service request back to the server to see if the user can log in. If he or she can, have it send back to the browser a command, along with the correct URL, that tells the client's browser to post directly to that site's login page (send username, password). This will log them into their site and assign the cookies correctly, all from one simple login page. You could even make an external login page that only exists for this purpose. In the end, all the generic page did was see if they could log in and then send their credentials to the correct page that did the login. I recommend this be done in a post with SSL for security reasons.
I hope that makes sense.
There's a project called UrlRewritingNet which I use - it's pretty old but the source is available so you could recompile it for 4.0.
Link is at http://urlrewriting.net/149/en/home.html

How does the authentication apply to all aspx pages for a Web Application using C# in Visual Studio 2010?

I have created a web application in Visual Studio 2010 using C#.
I have two web pages and the web application is hosted on a machine that has joined a domain WATSON
The first web page is basically the login page. The end user will enter their username and password and select their domain and click submit.
Now, the problem is that although I use the following code to authenticate the user, I do not know how I should store the authenticated result.
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, txtboxDomain.Text))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials(txtboxUser.Text, txtboxPass.Text);
}
I thought of storing the authenticated result as a cookie, but I run the risk that the end-user might disable the cookie setting or the end-user tries something funny with the cookie.
Also, I can't possibly put the login page on each of the web pages that my web application has.
Also, suppose I redirect the end-user who has successfully authenticated to another aspx page; the end-user might just bookmark that aspx page. So, next time, the end-user will just go straight to the aspx page without going to the Login page. Then the end-user will not need to log in, which is what I don't want to happen.
So, how should I go about ensuring that only the correct and rightful users are able to access the other aspx page?
Take a look at one of my answers how you can set windows authentication on application level:
WindowsIdentity and Classic .Net App Pool
And here is another link on how you can limit user access to specific pages; it might come in handy:
How to restrict unlogged/unauthorized users from viewing web pages in ASP.NET

ASP.Net web flow

I am developing a large asp.net based application. Certain pages & links require user authentication. On some pages, I have links and form submissions for which I first need to authenticate the user. Here is an example:
In PageX I have a link L1. When the user clicks, I check if the user is authenticated or not. If not, I redirect to the login page. Once the user is authenticated, I redirect him back to PageX. But the problem is, I don't want the user to click L1 again! Instead, I want the L1 action to be executed once the user is authenticated and its results displayed etc.
I am trying to find a good solution to this problem. Any idea on how to accomplish this?
ASP.NET's Forms Authentication addresses this scenario. You can deny all unauthenticated users to all pages or (more commonly) deny unauthenticated users to a proper subset of pages.
There are several ways of doing it:
1, The built-in way of Forms Authentication; correct me if I remembered wrong, you should be able to add your own login logic and integrate your login control with the Forms Authentication provider
2, Assign the L1 url link to a query string or a session if the user is not logged in, and add logic to your login control to redirect the user when login is successful.
Use Forms Authentication.
It's baked into ASP.NET and does exactly what you're talking about.
The User will click on a link. If they're not authenticated, they will be redirected to a login page (one of the parameters to the page will be the destination URL they were trying to reach). After a successful login, the User will be redirected to the page they requested instead of having to click the link again.
You also need to make sure you have your web.config set up to properly allow/deny unauthorized access to your application as described here:
Setting authorization rules for a particular page or folder in Web.config
