Say I store data in a cookie that needs to be used both by a front-end server and a back-end server. What is the typical/proper way to share that data?
Should the back-end and front-end share a common domain, like having the front-end on example.com and back-end on api.example.com? Should there be two local copies of that data for the front-end server and back-end server?
Related
We currently have a node web server that does authentication of users including oauth2 to google and facebook. We would like for it to handle the serving of web pages while a stateless .NET web api handles the serving of the actual data (which is all requested asynchronously). My question is how to handle authentication to the web api?
I mean should the client even authenticate to the api (and if so how do we do the pass through authentication so that it is authenticated to both once authenticating against the web server) or should the web server authenticate the user and then just forward all api requests to the api along with a user id? What is the standard scheme used for this?
Thanks in advance.
This answer is late, but I'll post my thoughts for the heck of it. I would place a dummy api in your node app, just a simple pass-through for everything that is in your data api (the .net one). Then I'd lock down the data api so only your node server can talk to it. The short answer is that any api that you expose to the internet has to be locked down. If you do the above, you don't have to expose your data api to the internet. You get the added benefit of not having to deal with CORS - you can have a simple /api folder hanging off of your domain. You can also use this pass-through api to aggregate calls to multiple business apis if your solution ever grows. It's a very scalable architecture.
If you don't want to do the above, then you'll need to either place the data api on the same domain as the other site, or setup CORS so javascript/AJAX from one can call into the other. Once your data api can see cookies written by the other site, you'll need to authenticate them, probably very manually, in your .net api, since .net didn't write the auth cookie - node did.
I am going through how ASP.NET page is processed when the request is send from browser to Server. From many sources i came to know that during asp.net request processing Application Manager instance is created and the Application manager creates the application domain . The Application domain provides isolation layer with in the process. My Question here is for the same application if there are many requests coming up , will all the requests will be processed by same App Domain or it will create many App Domains for each request. How to calculate how much memory the Application Domain is using. Will the App Domains share the dlls if many App Domains are using the same references like (system.web, system)
My question is as follows:
A site is hosted on multiple web servers, all servers refer to same domain.
Sometimes, users login to a central server, but get re-directed to other web servers.
Since domain is the same, cookies will be sent from browser to the new servers.
But server side (uses JSPs) session related data will nto be present at the second server.
So, will the second server accept this as an existing session, or, will it deem that there is no session?
For my own reasons, I had to stick to single session, multiple servers approach. This is basically for a game like evony.com, with multiple realms hosted on multiple machines possibly. Login happens once, but same session will be used in multiple server machines. Please let me know.
I have an application which is structured as:
Web Application - WCF Service - Database
All communicate to and from the database goes through the WCF Service, the Web Application is not able to directly talk to the database. I needed to protect the data as it travels across, so i setup SSL on my local machine to test and configured it in IIS, so now the WCF Service has to be hit using HTTPS. However, I did not setup my Web Application to use HTTPS, is that ok? I thought since the WCF Service is doing all the transferring of data, it's the only one that needs HTTPS.
Thanks.
If you're interested in encrypting your data, you need to make sure it's passed encrypted on all tiers of your application. From your description it seems that the data passed from the user to the WebApplication itself is unencrypted and therefor passed in clear text. This means that anyone that "listens" to the traffic between your users and the Web Application can intercept the data.
I recommend adding SSL on the Web Application too, to make sure that your data passes encrypted through all 3 tiers of your application.
Scenario
I have an HTML/javascript website that uses javascriptSOAPClient communicate with an ASP.NET 1.1 web service in order to read/write to a SQL database. (http://www.codeproject.com/KB/ajax/JavaScriptSOAPClient.aspx). The database contains anonymous demographic information--no names, no credit cards, no addresses. Essentially the data collected is for data mining purposes.
The site is live, but we want to introduce a more secure communication between the javascript/ajax client and the wbe service for both this and future projects. Working as contractors in the financial industry, at some point we're going to get nailed with the question: is this website hackable? If we don't have a solution we could be out on our ears.
I am already following best practices such as communicating with the database via command parameters and stored procedures). However, currently anyone could browse to our web service description and figure out how to consume our exposed services.
Questions
With my hybrid solution (i.e. not end-to-end Microsoft) how should I go about authenticating client requests on the web service?
If I start passing a username/password or some other identifiable element into the web service as authentication, should I be concerned about how that key is generated/stored on the client side?
A few suggestions to consider:
List the threats, and compare each to your current setup.
Use SSL / HTTPS. This alleviates a whole class of vulnerabilities.
Use username/password, generated on the server side and sent out of band (in the post or by phone) to the user. (Hope this answers question 2).
Use 2-factor authentication. To do this, you can look at security tokens such as RSA's keyfob-type gizmos or look at Steve Gibson's Perfect Paper Passwords
The easiest solution from a programming standpoint is to use two way HTTPS. That is, the server presents a certificate to the client, and the client presents a certificate to the server. Then only clients with proper certs (issued by you) can connect.
That helps reassure clients that your site is not generally accessible, yet the security is transparent to the application and, once they've signed up and received a cert, to them. The downside is that you have admin overhead in issuing and tracking the user certs -- but that's probably less than you'd have dealing with username/password combos.
There are a few simple options:
SSL + Cookie
If the web app is also ASP.NET and hosted along with your web service, then you should have access to the User/Membership/Session of the web app inside your web service (essentially #1, but you get it without doing any work).
If the web app and web service are not on the same domain, then cookies are out due to cross-domain issues - so you can have the web app embed a GUID into a hidden form field, and use that GUID as a sort of cookie (and it will need to be passed as a parameter on all web service requests).
Can you incorporate a certificate authentication mechanism? So that only clients that have keys you can verify can communicate? That's how the product I work with has its managed devices communicate back to the core.