How to find emailID of user who visits URL received by user in mail - asp.net

I am working on an asp.net project where user receives email from webserver.
User is given a URL to visit.
Note: Obviously that URL has a unique user identification PIN.
I want to know if this URL is visited by the same user who received the mail or by someone else (in case someone tries to change the unique PIN and access the web).
Is there any way to achieve this?
Thanks.

You can't tell whether the visitor is the user or not. To the eyes of your application the one having the URL is the user. So if the PIN can be changed you'll have to encode a unique user identifier in addition to the PIN in the URL sent for direct access.
You can also do some basic degree of fraud detection easily.
Using Request.UserHostAddress log the IP address of the first person clicking on the URL and collect his agent with Request.UserAgent.
Then log each next visit in the same way.
If the second visit comes from the same IP and User-Agent then probably the user just revisited the email and clicked again.
Otherwise he probably forwarded the email to someone else or the email was stolen.
If you see lots of visits from different IPs and user agents then probably there has been a PIN sharing.
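An added example (not code from the question or the answer) of the two measures above: signing the user id and PIN together so the URL cannot be edited to point at another user, and comparing each visit's IP and User-Agent with the first one. The names SignedLink and VisitLog and the secret value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class SignedLink
{
    // Assumed server-side secret; load it from protected configuration in a real deployment.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("CHANGE-ME-server-secret");
    // Builds "userId|pin|hmac" (URL-encode it before emailing) so that editing either the
    // user id or the PIN invalidates the link instead of silently pointing at another user.
    public static string Create(string userId, string pin) { string p = userId + "|" + pin; return p + "|" + Mac(p); }
    // Yields the user id and PIN only if the signature verifies.
    public static bool TryVerify(string link, out string userId, out string pin)
    {
        userId = pin = null;
        string[] parts = (link ?? "").Split('|');
        if (parts.Length != 3 || !FixedTimeEquals(Mac(parts[0] + "|" + parts[1]), parts[2])) return false;
        userId = parts[0]; pin = parts[1];
        return true;
    }
    private static string Mac(string data)
    {
        using (var h = new HMACSHA256(Secret))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(data))).Replace("-", "");
    }
    // Length-independent comparison so the check does not leak how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class VisitLog
{
    // Constructed in-memory store of the first visitor per user id; persist it in the database in practice.
    private readonly Dictionary<string, string> _first = new Dictionary<string, string>();
    // Pass Request.UserHostAddress and Request.UserAgent. Returns true when the visit matches the first
    // recorded IP and User-Agent; false means a different client, i.e. a forwarded, stolen or shared link.
    public bool RecordVisit(string userId, string ip, string userAgent)
    {
        string client = ip + "\n" + userAgent;
        if (_first.TryGetValue(userId, out string first)) return first == client;
        _first[userId] = client;
        return true;
    }
}
```

A mismatch is only a signal, not proof: the same person reading the mail from a phone and a desktop will also trip it, so treat it as input to a review or a step-up check rather than an automatic block.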

Related

Security reason for updateEmail to send an email to the original address

I came across the use case of a user changing his email. There's the updateEmail method, which states in the doc that an email is sent to the original email address which offers the opportunity to revoke the change. So the email is always sent to the first email ever used.
I don't quite understand the logic behind it, since when someone changes his email address, most of the time he's probably doing it for the reason that he's not using the old one anymore. So he might not even notice when this email arrives when he changes the email a second, or even third time. Or when a hacker changes the email.
When I change the email from A to B, and then from B to C, why don't they just send an email for revoking to address B?

How to design a user registration page by verifying mobile number?

I want to design a user registration page in asp.net. When the user enters his mobile number he will get a verification code on the entered mobile. After entering that code in the verification code textbox on the registration page, if it matches then he will be a registered user, or else he cannot move on to the process.
How can I do this? I have googled about this issue but did not understand much about it. How can I do this on INDIAN mobile networks?
First off you need some kind of SMS API to send the text, such as Twilio. After this, you can generate some random number that will be sent to the user in the message, this same number you will store somewhere, maybe a database, along with the username or email address. When the user comes back with the number, you get the record by username or by the number, and compare it against the username or the number, and there you have it.
Take a look at this CodeProject article. It includes options for both Worldwide and India only services.
Or else, explore some SMS gateway services and choose whatever suits you. Basic idea would be similar to what is presented in the article.
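An added example (not code from the answer or from the CodeProject article) of the generate-store-compare flow described above. The class names SmsVerification and ISmsSender are assumptions; the gateway (Twilio or an Indian SMS service) sits behind ISmsSender and is not implemented here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public interface ISmsSender { void Send(string mobile, string text); }   // wrap the chosen SMS gateway here

public class SmsVerification
{
    private class Pending { public byte[] CodeHash; public DateTime Expires; public int Attempts; }
    // Constructed in-memory store keyed by mobile number; the answer's "somewhere, maybe a database".
    private readonly Dictionary<string, Pending> _pending = new Dictionary<string, Pending>();
    private readonly ISmsSender _sms;
    public SmsVerification(ISmsSender sms) { _sms = sms; }

    // Generates a 6-digit code from the CSPRNG (System.Random would be guessable), stores only its
    // hash with a 5-minute expiry, and sends the clear code to the entered mobile.
    public void SendCode(string mobile)
    {
        byte[] buf = new byte[4];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        string code = (BitConverter.ToUInt32(buf, 0) % 1000000).ToString("D6");   // modulo bias is negligible here
        _pending[mobile] = new Pending { CodeHash = Hash(mobile, code), Expires = DateTime.UtcNow.AddMinutes(5) };
        _sms.Send(mobile, "Your verification code is " + code);
    }

    // Returns true only for the unexpired code issued to this mobile. The record is deleted after
    // success, after expiry, or after 5 wrong guesses, so a 6-digit code cannot be guessed at leisure.
    public bool Verify(string mobile, string code)
    {
        Pending p;
        if (!_pending.TryGetValue(mobile, out p)) return false;
        if (DateTime.UtcNow > p.Expires || ++p.Attempts > 5) { _pending.Remove(mobile); return false; }
        bool ok = FixedTimeEquals(p.CodeHash, Hash(mobile, code ?? ""));
        if (ok) _pending.Remove(mobile);
        return ok;
    }

    private static byte[] Hash(string mobile, string code)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(mobile + ":" + code));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Rate-limit SendCode per mobile number as well, otherwise the registration page becomes a free SMS-sending service for anyone who can submit the form.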

ASP.NET/SingleSignOn/SAML webapp Bypass Login screen based on URL request

Currently we have a typical web application, which all the clients access and login using their credentials.
One of the clients does not want to log in using their credentials; instead they will be passing username, fname, lname in the URL and they should automatically be logged in if they have an account, or else we need to create a user account on the fly and log them in.
The web app should act the same way for the rest of the clients. How can this be achieved? Do we need to use any single sign on methodology (SAML, etc)?
Overview of requirement:
Request URL -> Determine if Client is A -> if yes then check the values passed in the url exists in the db -> if yes then log them in automatically -> if no create a record with the passed values and then log them in
---> if client is not A then take them to Login screen
If you are planning to base your decision only on some URL values to allow automatic login, you are creating a very biiig security loophole here.
Instead you should have some configurable mechanism, where the system admin maps some IP addresses to specific users. This way when a user requests a page, you check if the IP from which the request has come in belongs to some specific client. If yes, then log him/her in, else send them to the login screen. This is also a bit of a security hole, but a smaller one, because people will not gain access until they know which IPs are mapped to users and until they use some IP spoofing software.
Probably you can put a dual check of URL keys and IP mapping, that will make it tighter.
Best option is to use single sign on technologies like live id authentication. but it will require more efforts, and still requires users to login with live-id for the first time.
edit-->
If you are using your custom authentication mechanism, then you have 2 options:
1. Change your login page to detect the request IP and have automatic login for selected users.
2. Write an HTTP handler which will check where the request is coming from and auto login the selected user accordingly.
I hope you understand what all things are involved in "Auto Login" which I am talking about, e.g. setting the session variables/username, displaying the username on the page etc.
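An added example (not the answerer's code) of option 2 combined with the "dual check" suggested above: an IHttpModule that auto-logs-in a request only when it both comes from an IP mapped to client A and carries client A's URL key, and otherwise leaves the normal login flow untouched. AutoLoginModule, the query string names, the IP literal and the key are assumptions; the module is assumed to be registered after the forms authentication module, and the in-memory Users table stands in for the database.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public class AutoLoginModule : IHttpModule
{
    // Constructed configuration for client A: the source IPs the admin mapped to it and its URL key.
    // In practice both come from protected configuration, not literals.
    private static readonly HashSet<string> ClientAIps = new HashSet<string> { "203.0.113.10" };
    private const string ClientAKey = "CHANGE-ME-client-a-key";
    // Constructed in-memory user table (username -> display name) standing in for the database.
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string>();

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpRequest req = ((HttpApplication)sender).Context.Request;
        if (req.IsAuthenticated) return;                                         // already logged in
        string username = req.QueryString["username"], key = req.QueryString["clientkey"];
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(key)) return; // other clients: login screen
        // Dual check: the request must come from one of client A's mapped IPs AND carry client A's key.
        // Failing either check falls through to the normal login page without saying which one failed.
        if (!ClientAIps.Contains(req.UserHostAddress) || !FixedTimeEquals(key, ClientAKey)) return;
        if (!Users.ContainsKey(username))                                        // create the account on the fly
            Users[username] = req.QueryString["fname"] + " " + req.QueryString["lname"];
        FormsAuthentication.SetAuthCookie(username, false);                      // the "Auto Login": issue the forms ticket
    }

    // Length-independent comparison so the key check does not leak how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Behind a load balancer or reverse proxy Request.UserHostAddress is the proxy's address, not the client's, so the IP mapping has to be built from whatever address the application actually sees.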

Check if mail sent is in recipient's inbox/junk in asp.net using C# ?

I am developing a software, but for that I want to know: if I send an email, how can I check whether the sent email is in the recipient's inbox or junk?
I am using ASP.NET and C# technology for this.
Please reply.
You can't detect what is done with the email once it is delivered to the user's inbox other than requesting a delivery receipt and a read receipt, but the user can opt out of these.
The best way to avoid being marked as spam is to use a trusted third party service such as Campaign Monitor or MailChimp.
Failing that, you should make sure that your email has a proper from address set, that you have set up SPF records to give the sending IP official permission to send email on behalf of the from domain, keep your HTML to content ratio reasonable, and if possible use an email address that your customers have already received an email from before, so that there is a higher chance that the address is already in a whitelist.
You really can't because there are many different email spam solutions out there and they don't send a status back saying whether they delivered the email to the recipient or not. What you can do is send an email with a tracker to see if the receiver opened it.
http://www.aspnetemail.com/samples/emailtracker/default.aspx

Best way of doing code for "Forgotten Password"

net website, I would like to implement forgotten password. I am using the following steps:
1. A form having input boxes for login ID, email ID and CAPTCHA.
2. When the user enters details and submits, at the backend after validation a new password is generated and replaces the old password in the database.
3. The new password is sent to the user by email.
Please help me: am I doing this right or not?
Is there any other secure mechanism for the same?
[EDIT]
Thanks, I got your reply. Really this is a secure mechanism. But here I have a few doubts:
1. What message should I show to the user when he enters login ID and email address on the forgotten password page?
2. Would the message be the same for a valid user and a malicious user?
3. Advantage of using a CSRF token? Any help / link?
4. When the user clicks on the link then what should I do? Because as I guess the user should automatically log in to their account; then after that I have 2 choices: (first) send a new password automatically to the user, (second) a new form is shown to the user where the user will enter the old password and the new password twice?
Please help?
I can see why you'd want a CAPTCHA, but I'd take a different approach.
1. When a password reset is requested check that a reset has not already been requested for that account within the last X minutes. If a password has already been requested ignore the reset request.
2. Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes ignore the request.
3. If the checks in 1 & 2 pass check the account exists. If it doesn't ignore the request.
4. If we've gotten this far generate a one time token, which expires in Z minutes and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded prompt for a new password and reset.
For those who believe that you should tell the user where the email has gone I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain then he'd see idunno.org. This is my personal domain and thus Jeff would know the blowdart user is, in fact, me. This is a bad bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.
In addition you shouldn't be showing error messages at all. No matter what happens, a username is not actually registered, or too many requests have been made or the sky has fallen you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.
One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.
Followup
So to answer your further questions.
1. What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
2. Already addressed above.
3. Wikipedia is a good starting point. How you do it depends on your platform and is a complete other question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com or look at ViewStateUserKey.
4. When the link is clicked I would first validate the token in the URL against the username it's being applied to then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is the user has forgotten it!
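An added example (not blowdart's code) that carries the four request-time checks and the token validation above into one class: per-account and per-IP throttling, a constant response whatever happened, a one-time token that expires after Z minutes and is bound to the username, and storage of only the token's hash. PasswordResetService, IEmailSender, the X/Y/Z values and the reset URL are assumptions; the dictionaries stand in for database tables.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public interface IEmailSender { void Send(string to, string body); }
public class PasswordResetService
{
    private class Token { public string User; public DateTime Expires; }
    // Constructed in-memory tables standing in for the database: accounts (username -> email), the last
    // request per account (X) and per IP (Y), and outstanding tokens keyed by SHA-256(token), not the token.
    private readonly Dictionary<string, string> _accounts;
    private readonly Dictionary<string, DateTime> _lastByAccount = new Dictionary<string, DateTime>();
    private readonly Dictionary<string, DateTime> _lastByIp = new Dictionary<string, DateTime>();
    private readonly Dictionary<string, Token> _tokens = new Dictionary<string, Token>();
    private static readonly TimeSpan X = TimeSpan.FromMinutes(15), Y = TimeSpan.FromMinutes(5), Z = TimeSpan.FromMinutes(30);
    private readonly IEmailSender _mail;
    public PasswordResetService(Dictionary<string, string> accounts, IEmailSender mail) { _accounts = accounts; _mail = mail; }

    // Steps 1-4 of the answer. The return value is identical on every path (throttled, unknown account,
    // success), so the page leaks nothing about which accounts exist.
    public string RequestReset(string username, string ip)
    {
        DateTime now = DateTime.UtcNow, last;
        bool throttled = (_lastByAccount.TryGetValue(username, out last) && now - last < X)   // 1: per account
                      || (_lastByIp.TryGetValue(ip, out last) && now - last < Y);              // 2: per IP
        _lastByIp[ip] = now;                                       // count the attempt even when it is ignored
        if (!throttled && _accounts.TryGetValue(username, out string email))                 // 3: account exists
        {
            _lastByAccount[username] = now;
            string token = NewToken();                                                        // 4: one-time token
            _tokens[Sha256(token)] = new Token { User = username, Expires = now + Z };
            _mail.Send(email, "Reset your password: https://example.com/reset?u=" + Uri.EscapeDataString(username) + "&t=" + token);
        }
        return "Instructions for resetting your password have been emailed to the registered email for this account";
    }

    // Called when the reset URL is loaded: the token must belong to the username it is applied to and be
    // unexpired. It is removed on first use either way, so a leaked link cannot be replayed later.
    public bool ConsumeToken(string username, string token)
    {
        string key = Sha256(token ?? "");
        if (!_tokens.TryGetValue(key, out Token rec)) return false;
        _tokens.Remove(key);
        return rec.User == username && DateTime.UtcNow <= rec.Expires;
    }
    // 256 random bits, hex-encoded so the token is URL-safe; only its hash is kept server-side.
    private static string NewToken() { byte[] b = new byte[32]; using (var r = RandomNumberGenerator.Create()) r.GetBytes(b); return BitConverter.ToString(b).Replace("-", ""); }
    private static string Sha256(string s) { using (var h = SHA256.Create()) return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(s))); }
}
```

Only after ConsumeToken returns true should the new-password form be accepted, and the CSRF token the answer mentions belongs on both the request page and that form.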
There are many ways this has been implemented. As you said, generating a new password and sending it to the registered email address is one method. I wouldn't suggest you go that route though, as my password would be reset every time somebody tried guessing my password.
Instead, the best thing I've seen to date is simply emailing the registered email with a link that will begin a password reset process. You may even let the user know which email address to check by showing a masked version of their email address used in registration:
An email was sent to ********@hotmail.com. Please check your inbox to continue.
Be sure to keep in consideration those of us who may forget which email address we registered with - typically a few security questions are a great way to make that information available.
I've done that recently. When the user enters their username or email address, we generate a unique token and email it to them as part of a link. Upon receipt of that email, they click the link, and are automatically logged in, taken to the my account screen, and prompted to reset their password.
Of course, this relies 100% on the security of the email client, but it's hard to beat from a usability perspective.
You should check the answer to the question "Can anyone provide references for implementing web application self password reset mechanisms properly?" from D.W. on security.stackexchange.
It is the most complete answer I found on the subject. I also suggest you read this article: Everything you ever wanted to know about building a secure password reset feature.