Using Active Directory authentication on a internal website - asp.net

My situation is I've created a small website that does a few simple sql queries and updating. One or two of the commands should only be accessed by certain people. The website is on one of our servers so anyone who accesses will already be logged in to AD.
I’ve only done web design when needed and isn’t part of my normal duties and only used it when needed so I’m in need of some guidance.
I know I could create a whole logging in and cookies system or something but it sounds like as only people who are already logged in wouldn’t need that and I would be making the task overly complicated.
Essentially I need the easiest way to allow a situation where only certain AD users can click on a button, is the only way possible making a log in page?
I would really appreciate some pointers in the right direction it doesn’t have to be copy and paste code answers.

If all your users are already authenticated against AD then it would probably be simpler to get their credentials and check their user ID against a lookup list of allowed users which you could hold in a database table.
You could then show or hide, or disable and enable, the relevant controls depending on whether they were found in the lookup.
It would make a pretty seamless experience for the user at the expense of having to maintain the lookup.
Alternatively, you could restrict access based on checking if the user was a member of a particular AD group, which eliminates the lookup table but then requires suitable domain administrator privileges in order to add and remove people from the group.

Related

Require password after 3 page views

How do I require a password after x number of page views (or after x minutes)?
I have a website (running on WP) that I would like to allow free access to visitors for a while, but after a certain time require a password to continue seeing the site. This is to encourage sign up (also free).
I would rather not use a login system, rather a simple password to be entered. Ideally there would be a WP plugin with this feature, but I can't seem to find one.
Any suggestions? Thanks in advance!
If you can't find a plugin that directly implements this behavior, I would question this feature. Of course you can just show a popup without a close button after X minutes but such pages rather encourage your users to leave the page than to sign up (what did you do the last time, did you sign up?). I would rather recommend to use a friendly and non blocking way to inform your users about the advantage of an account or subscription. If your content is good they will be happy to sign up. Furthermore, to make sure that they just do not reload the page after they were blocked you have to set cookies or track their IP. Both requires at least in the european union a data protection policy. In addition, you would need to implement a flow to bring users back from the registration to their desired content. I don't want to say that this is not possible or that there are no plugins out there that allow such a behavior but the efforts to implement this in a proper way are from my perspective unreasonable considering that there are more user friendly options.

How can I check if it is the same user in ASP.NET?

This question is not related to ASP.NET specifically, but more web applications in general.
I am building a web application wherein I am registering a user. As of now I am taking in very basic credentials like First Name, Last Name, etc of the user. In this website I am giving some information for free for any user who has just registered so that the user finds my website authentic and that it is not a fake website. After that, to get more information, the user has to pay.
The information my site provides will get obsolete after sometime. So, when a new user registers, he/she will get the new information that gets updated; but the old users have to pay to get the same new information.
My problem here is once the information gets obsolete the same person can re-register with a different set of credentials and get the new information. I want to avoid this from happening.
So my question here is this: what information should I request from the user, or extract from the user, to check that the same user is not re-registering? Or any other way to make this possible.
I am thinking of getting the IP address of the machine from which the person is registering and use it to check. But the user can use a different machine to re-register.
I am completely lost here and not getting the solution. I even checked on the Internet but could not find an answer.
Please let me know if you need any further information from my side.
You will not find a technical way to prevent users from registering multiple times. They can simply use another device, IP, another email account and different credentials.
What you can do is asking them to send you hard to fake "offline" information, like a credit card number or a photo of the ID. Some users may still be able to register multiple times this way, but probably not indefinitly. You will however lose many possible clients this way who are unwilling to provide such information for a test account, so this is likely not the solution you want.
My advice would be one of the following two:
Limit the information/service you give out to free users, so that even if they register again they will gain something when they pay.
Try to bind them to their account in a way where they would lose something if they threw it away. This may for example be providing user rewards for activity (real or virtual) or increasing their experience based on their history. Take SO for example: If you registered again, you would lose all your reputation. The users will think twice if this is worth the new content.
After reading all of the above, i think a good solution could be to let the user identify himself through facebook or linkedin. Few people will have a second account.
I think you cannot put any users like that because every thing can be duplicate
There are some ways for which the user must have payment mode or identity details like passport or it is windows application you can have finger scanner it will be definitely Unique..
You can do this (with limitations) with the use of cookies. Setting a cookie on the users device will allow you to determine who the visitor is and that they have already registered.
The limitations are that cookies can be deleted or blocked and are only valid for that specific user agent - the user could use a different device or a different browser on the same device. A lot of people don't really know about cookies though and how to delete them.
By tying this technique with a requirement to provide a valid email address you can make it a hassle for somebody to register more than once as they will have to create a new email account and then delete their cookies.
Whether this will stop enough people depends on your site and your requirements - if you're giving money away then this technique is not nearly good enough. If you just want to discourage the practice of multiple accounts it may be enough.
Your only way out is to have SOMETHING the existing user gets as a "gift?" or added value to maintain just one account. If you can identify items of value to your subscribers and offer to "give" it to them provided their account "attains" one or more status, then you'll get some control. Take stackoverflow.com for example, I don't need a second account.
Identifying by facebook or linkedin is a good option, but if you are giving such services. which are very beneficial for the users, so they dont mind on creating multiple accounts on even facebook or linked in.
So what i think is to set some reward type stuff with each user, and increase the services as they get increment in rewards.once they are good in rewards and are capable to use multiple services, this increases the probability that they will not create another account.

ASP.NET scenario Interview question. How would you answer it?

Here's the question scenario:
Suppose you have a multiple-page ASP.NET web site with the following
requirements:
User-specific data for the currently logged in user is loaded and is required on each individual page of the application during a user's session.
The application itself only allows a certain number of users to be logged in at one time.
The next time a specific user logs in, the user should be returned to the last page visited.
Given this information, briefly describe how you would use ASP.NET to manage the state of the application to meet these needs?
Here's my thoughts and reasons. Please provide yours.
User-specific data for the currently
logged in user is loaded and is
required on each individual page of
the application during a user's
session.
This is suggesting to me that the interviewer is looking to see if I would suggest using Master pages as a way to provide a common approach to displaying the same thing on every page.
The application itself only allows a
certain number of users to be logged
in at one time.
Could the sought response be that, because scaling isn't an issue due to the limited number of users, that it is OK to put this information in the Session object for performance reasons or is this a trap and some of approach is better?
The next time a specific user logs in,
the user should be returned to the
last page visited
A cookie seems the best approach to track the last page access, since this doesn't seem to be critical information.
Please tell me how you would handle these question if you wanted to make the best impression
Feel free to provide input or comment an any line item.
Thanks!
As far as (3) is concerned, consider a shared PC. User A logs into a website using their site based user name/password. Does a whole load of work and shuts down the browser. USer B then comes along and on the same PC logs into the same site using their details. However, they will get the cookie from User A and be redirected to the last page they saw. This happens because Cookies are tied to the browser / OS user, where as you are potentially applying the site security separately in the application.
In this situation you would either need to put the user name into the cookie (encrypted) or use a server side method to store the location
Here are my thoughts:
They might be looking for Master Pages, but my first thought here was whether you're going to cache this user data, so you're not making a database query every time they hit a new page. To really impress them, you might mention partial caching techniques so that the repetitive portions of the page don't even need to be re-rendered with each page load.
I think you're right: they're helping you to conclude that the session state is an appropriate place to cache the user data. Just be sure you ask the appropriate questions, like "How many users?", and "How much data per user?"
The cached data could be used to keep track of the last-requested page, and when the user's session expires, you could save this data into a database table to be retrieved next time they log in.
That third item is awfully tricky. What if the user was last looking at an object that has since been deleted? What would be the intended behavior if a user logged in from one computer, did some work, and then logged in simultaneously from another computer or browser? I'd be sure to ask these kinds of questions, not least to show that I understand the implications of a requirement like this. If their responses lead you to believe that they're looking for a simple solution, go with the simple solution. Otherwise, tweak your response to be only as complicated as necessary.
Just a small thought.. If the system are running in a "Farmed" environment the Session data can be cleared and need to be handled some way.
http://www.beansoftware.com/ASP.NET-Tutorials/Store-Session-State-Server.aspx

How get distinct users from site and its sub sites?

I got a requirement from client that he wants to know distinct users information from sites and it sub sites those have access to site. There are separate groups for each subsite (contribute, approval and full access). From these all groups find distinct user information.
How can we do that using Object model? Please help me out.
Thanks in advance.
SharePoint 2010 - I use this PowerShell script quite often when someone asks who has permissions to a site. This wont include users given permissions directly, or site collection admins, but it's still helpful.
You must be on the SP2010 server to run this.
#Get a list of groups in a site, then a list of people in each group
Add-PSSnapIn Microsoft.SharePoint.PowerShell
$spWeb = "http://sharepoint/site/"
foreach($group in ((Get-SPWeb $spWeb).Groups)){
foreach($user in $Group.Users)
{$group.Name + " - " + $user.Name
}
}
This is one of those very general requirements that gets very difficult very quickly. It sounds like they are trying to create some sort of security audit.
If you assume each site only has SharePoint groups filled with SharePoint users and everything is inheriting permissions, then it is a little easier. You could recursively iterate over each SPWeb (and the sub-SPWeb's in each SPWeb) to find all the SPGroups. Then, using a Dictionary, you would keep track of the users you find and their permission level. Their permission level is determined by their membership in the group and you'd probably use web.RoleAssignments.GetAssignmentByPrincipal(group) (GetAssignmentByPrincipal) to get the list of assignments (Ex: Read, Contribute, etc).
However, the scenario is probably NOT what your client has. Things to think about (some easier to overcome than others):
What happens when a user exists in multiple groups in the same site?
Users with individual permissions to a site?
Broken permission inheritance at a SPWeb level? What about list permissions? Item permissions? What happens when you see Limited Access?
Are AD groups used anywhere? Do you have to list all the users in each AD group? What about special groups like "ALL AUTHENTICATED USERS"?
Realistically, it is very difficult to write an accurate security audit. The best solution for this is probably to find someone who is familiar with how security should be set up going through each site to fix them.

To use or not to use the user module

We are currently transitioning our website to Drupal 6.x from a non Drupal source. One of the first issues we need to deal with is that of authentication. We have a central database where we keep member information. We will create a module to authenticate against this database however a question of whether or not to create users in the drupal is needed.
I'm worried that if we do not add user to the user tables and have our module keep sync that with the other database, then we will not be able to take advantage of other modules that may use the user module
My colleague on the other hand believes that this is not an issue we can add all necessary attributes to the global $user at authentication with our module.
Is there a standard way of dealing with this problem?
Thanks!
David
Look at the LDAP_integration module, they do something similar. When logging in and a local user cannot be loaded, a user is searched for in another application and when user&pass are equal, the user is copied in the Drupal usertable.
If you want any Drupal functionality (read: core and modules) to be associated with that user account, then you will need to use that user table.
This is especially true for anything node-related, so if you want people to be able to create nodes with referenced data you will need it. uids are stored in the nodes table in order to show who authored the node. Storing a uid in the nodes table with a something that doesn't exist as a relational key to somewhere else will only return an empty object. For instance, if a person wants to see the author of X node they will get an empty user object. Keep it. There's no sense in working harder just to remove it. Besides, you can store as little or as much as you want in the user object for each account.
I'd also suggest looking at the LDAP module. I was able to use it as a jumping in point to interface with a custom WSAPI authentication method for an external database that we have at my company.
Do you need to have both sites running in parallel? If not, then you don't need to sync the user tables. A conversion will be enough then.

Resources