I want to allow a login that happened on a parent site to automatically allow the iframed site to be logged in.
Here is the specific situation:
I have a site that is a simple login page. After login the user has menu with a series of URLS (all with the same base domain but with different ports).
main.example.com (main site)
main.example.com:14002 (iframe #1)
main.example.com:14003 (iframe #2)
...
The user selects one of the menu items and the url is loaded into the iframe.
The menu is driven off of a database table.
All the URLs will be loaded from the IIS but they all run on different ports so we have good control of being able to restart them and deploy new ones in the middle of the day.
What I am struggling with is finding a way to allow the login of the main site to allow the secure login of iframe sites.
In other words, how can the iframed site securely know the user id of the user that logged into the main site?
These are not arbitrary sites being iframed. We are in control off all the source code.
Here is what we ended up doing:
The master site places a cookie with a token in it using this technique so it is visible to the module site:
document.cookie = "key=token;domain=mydomain.com"
Then the module.mydomain.com site does a web service call into master.mydomain.com website with the token to retrieve the logged in userid.
If there is no cookie or the token is expired the user is presented with a login screen in the iframe window.
Related
As part of user flow on my site, user is redirected to a different domain that is not under my control, where he logs in and is then redirected back to my site.
Google analytics fail to correctly display the user flow, showing the callback URL as a new landing page, which is obviously wrong.
I am considering rewriting referrer on the callback page, but it seems like a very hacky solution to a common problem.
Is there a standard way to connect the flow after a redirect?
You must enter the domain of that site in the Referral exclusions list in the Properties settings.
I received results back for an ethical hack assessment for one of my asp.net webforms sites. One of the items was a multi step way the hacker changed the request to display a page he shouldn’t have had access to with his user privileges. Below are the steps he performed to execute the hack:
1) logged in using Admin level rights.
2) navigated to page ‘A’.
3) using his Burp tool, saved a copy of the page headers.
4) he then logged in using a User account which shouldn’t be able to see page ‘A’.
5) goes back to the home page to get a fresh request.
6) using his Burp tool, opens the request headers for the home page and replaces them with the contents he saved from page ‘A’.
7) he continues on with the request and is now able to see the contents of page ‘A’.
I tried to programmatically check the request.url and compare it against what pages the user has access to but the hacker said that didn’t fix it.
Is there a built in way to prevent this in ASP.NET 4.x? Is there some web.config property I can set to stop someone from changing the request headers and performing this kind of hack?
Update: This was happening because the username and usertype was being stored in session variables after authentication. Once the hacker gained access to the session, they replaced the session of the ‘User’ with the session of the ‘Admin’ account and it was just as if the Admin was logged in. The fix was to not store the username and usertype in session variables. I also created a table with the pages that each usertype was able to access and checked that each time a user comes to a page. If the usertype does not have access to the page, they get redirected back to the homepage. Both of these fixed the issue and eventually passed the ethical hack.
On my website, the user can log in through Facebook.
I have also created a Facebook canvas app which consists of a small part of my website.
Through the Facebook canvas app, the user can access certain features of the site regarding their site account.
It works great when the user accesses the FB app while already being logged into the site.
However, if the user accesses the FB app while NOT being logged into my site - how do I log them into my site through the app?
It would be ideal if I could somehow automatically log them into their account when accessing my site through the FB app.
If that isn't possible, I would like the user to be able to log into my site through the Facebook app.
However right now when I redirect to the oauth login I get the following error:
Refused to display
'https://www.facebook.com/dialog/oauth?response_type=code&client_id=…nLpHx7N5X--Q'
in a frame because it set 'X-Frame-Options' to 'DENY'.
Summary:
Can I auto-login to my site when accessing the site through Facebook canvas
If not, how can the user log into my site through the canvas app?
So basically your problem was just how to call the FB login dialog from within canvas. If you use the URL redirect version, then you have to call it in the top window instance – the login dialog can not be shown in any kind of (i)frame, for security reasons¹
top.location.href=… in JavaScript, or target="_top" for a simple link can achieve that.
¹ User needs to be able to verify via address bar that they are entering their credentials on facebook.com, to prevent phishing attacks.
Here is the scenario...
I have a site:
http://internet.com
and I set a token(cookie, something like that) from http://internet.com when a user has SUCCESSFULLY logged in.
I also have http://web.internet.com.
On http://web.internet.com I want to display data to users that have that token/cookie/etc available to them.
Here is the use-case
user logs into http://internet.com (asp.net framework hosted on different server - this is our primary product that requires a subscription / username & login )
user then has access to a section that is hidden from plublic view on http://web.internet.com (wordpress site hosted on goDadday - this site contains a knowledge base that we do not want to make public unless they have done [XXXXX] )
both sites are hosted independently of each other and do not share a common username and password
======
Another scenario is to set up wordpress to allow a specific section as a jsonp response. but only if the user is logged in at http://internet.com to allow the user to have access to the jsonp response located at http://web.internet.com
Any ideas from you beautiful people?
It really depends on the level of security you require. You can log a user in to a Wordpress site without a password by using wp_set_auth_cookie, however if you are just validating that a user is logged into the ASP.NET site and then using JSONP to load a page that set's the auth cookie, it will work, however you definitely have some security gaps.
A better solution would be to set a domain level cookie for .internet.com with a token that can be read by any server in your domain. The Wordpress site could then check is_user_logged_in(), and if not take that cookie value and make a back end call to the ASP.NET site to verify its authenticity, and then call wp_set_auth_cookie(). A simple web service would likely be the best option. You would still need some level of mapping between usernames on the ASP.NET and Wordpress site however to know which user_ID to pass.
I am developing an intranet asp.net application. We will be using Windows authentication, so the authentication mode is set to windows in web.config.
I want to restrict some pages to only certain users so I am using the
tag with the tag to allow/deny certain users.
Scenario :
User1 is not allowed access to page "Reports.aspx" (this page has restricted access using the authorization tag in web.config)
User2 is allowed access to this page.
Both of them are in the MYCOMPANY domain.
When User1 tries to access this page he is shown a credentials popup - he will enter the details of "User2" since user2 is allowed access ; subsequently, user1 is now able to access this page(by using user2's details).
Now user1 goes back to some other page which is not restricted by authorization tag. Lets say he goes to homepage. Now again from homepage, he will try to access Reports.aspx. At this point logically speaking, again a prompt for login credentials must come up . But instead no popup comes up and the user1 is allowed access to REports page.
I decided to check the username using HTTPContext.Current.User.Identity.Name in this scenario. When the user1 is trying to access Reports.aspx for second time(after having logged in successfully first time) his credentials are being stored in the browser(I guess) because this time around, when the page loads, the credentials show up as User2 in code behind.
How to prevent this and force a login prompt every time for this page ?
Guess I was a n00b back when I asked this.
For the benefit of people who might have faced a scenario - when you login again, the original credentials are no longer maintained and ASP.NET always recognizes you as the User2 hereafter.