I use MVC5 for a site where users have to log in with custom credentials. I've changed the login procedure from the initial auto-generated code to a somewhat single-page approach:
Users enter their credentials
these are sent via AJAX to the controller
if the credentials are valid, a loading animation shows and the main page is loaded via AJAX
the controller that returns the main page is annotated with the [Authorize] attribute.
I wonder: is there something basic that speaks against such an approach? The site I run does not have any top secret contents, but it should not have a backdoor just because I missed something basic here.
From what I could see, MVC5's auto-generated login procedure sends the credentials in plain text as well, just like the AJAX post I use. The auto-generated login includes a RequestVerificationToken, which I omitted.
Thanks for any ideas!
Using AJAX to authenticate a user is a common approach. A couple of things I would recommend:
Whenever you are sending credentials like a username/password combination it should always be done via SSL. Even after the user is authenticated all requests should be sent over SSL to prevent a hacker from stealing the security token.
Make sure that there is no UI code in your AJAX calls. AJAX is used for sending and retrieving data only. Your UI should be on the client using a framework such as Knockout, Backbone, or Angular. Even if you are not doing a full-blown SPA (Single Page Application) and do not require one of those frameworks, select a client-side templating framework like Mustache or Handlebars.
I have an existing ASP.NET website with a login. The login procedure is not trivial, because of routing to different front ends on different servers based on which user logs in. There is also some communication/login going on to a classic ASP website.
Now I want to start to decouple the first step of the login procedure using a tiny Angular2 app. Basically this should just collect the user and password and leave the login validation etc. to the existing ASP.NET logic. So from my naive point of view, this is the same as filling out user and password on my existing ASP.NET page and clicking the submit button.
I know that I can make http requests using angular2 and have successfully done so calling SOAP based web services which are part of the login validation process.
I have the idea that I can somehow fake the http request which is executed when submitting the login form in the existing ASP.NET page. But as far as I understand it right now, even if I could make an http request to my login.aspx site, the response I would get would sit in my Angular2 observable as text, whereas I would like to leave my Angular2 app and "simply use" that response.
I am not even sure what questions to ask ... but how do I do that?
What have I not considered?
Some options I have:
It would be possible to change parts of the existing ASP.NET page(s).
I think it would be OK to open a new browser tab in which the existing ASP.NET app would be displayed.
We need to use static methods to make Ajax calls.
I didn't really understand the whole picture, but I know that you can load an ASP.NET partial view from an Angular2, or even make an http call to an ASP.NET Controller to get your data.
So I don't really understand your problem there, since the question is not clear, but you could make an http call to an ASP.NET Controller that would manage calls to your different WebServices.
Some clarifications would be helpful for a more detailed answer.
I have a system which uses jQuery AJAX calls to an .ASMX web service for INTERNAL and STATELESS use.
For example, after pressing a button, a jQuery call is launched to insert a new user.
Now, the problem is that the jQuery AJAX call is dynamically inserted by the user. The user can decide what JavaScript code to put, so he may call an AddUser() function in the web service, or do something else. Then, that piece of code is inserted dynamically and the button will add all the JavaScript that the user wrote into the HTML content.
In case the user decides to call jQuery and specifically adds code to call the AddUser() function in the WS, how can I do it securely? How can I assure that this AJAX request is coming from the same domain?
I understand that every HTTP request header can be manipulated, so how can I assure that the AJAX call is coming from the same site?
I remind you, the purpose of that web service is for internal uses of the system, so I don't want an external user to read the JS code, copy it and add as many users as he wants!
I don't want to use tokens or identification. It is a stateless request and I just want to add a user but to have control of who is making the call.
I will be happy to get any suggestion. Thank you in advance!
In my opinion you can't. You either add some kind of authentication (if you have one on the site you may use the same authentication) or render a token on the page which is sent with the AJAX request. Of course in both cases you add some form of state but in my opinion the requirement to originate the request from the same site is a requirement to track state.
I have built a SPA application with Hot Towel (Durandal) and I have trouble understanding the authentication.
When I am loading data from my database, how can I filter this data to the currently logged-in user id?
Thanks for help,
Best Regards
If your SPA is calling asp.net of any kind on the back end you can still use Forms Auth cookies to secure your ajax endpoints and identify the user making the request. Depending on how SPA-like you need it, you can just use a standard aspx or mvc login page, then from there redirect the user to your SPA start page that calls your main.js and starts your SPA. All ajax calls you make to that site will have the Forms Auth cookie set and you can use it to verify the user making the request. Here is a link to standard forms auth. If you want to handle the login process in durandal as well that can still be done, you just need to make your ajax endpoints for logging in and out allow anonymous and then handle setting the forms auth cookie in them.
On the server-side, referencing User.Identity in the controller will get you the properties of the currently authenticated user. The question is, what form of authentication does your application use (Windows, Forms, Basic, Anonymous, etc.)?
I have an ASP.NET site which requires a login to get access to the rest of the site. Login information is stored in database and accessed through a service.
The business have asked to be able to login from an external site. I added a Generic Handler (.ashx) to my project which takes username & password input, verifies the credentials, and then if they are valid stores the credentials in the session using the IRequiresSessionState interface. It then gives a URL of the entry point to the application to the client.
The client (a plain old HTML page using jQuery to .post()) then takes the response and redirects to this URL.
Well, this seems to work great and exactly what I needed. I figured that I could avoid having to generate a token and pass it around in the querystring by doing this, since the handler and site both share the same session. But the problem now is when I tried a test by putting the login HTML page on a co-worker's computer (eg external to hosting in my application), it doesn't work. The session is added correctly in the ASHX handler, but in the Page_Load of the entry point, that session value is gone.
Is it possible to do what I am doing? Why is the session forgotten immediately like this? I would think it would be the same as logging in from the login page and redirecting from there (it's the same application & the same session..)
Thanks!
I'm working on a solution to part of my company's site that is done in 2 different languages. My part of the project is in ASP.NET, and the login portal is in a different language.
We pass authentication credentials by storing login information in the database on the portal page and then sending a corresponding token to the URL in the page written in .NET. Almost all the tutorials and articles I've read about security for ASP.NET, and most languages, the message has generally been "just use the built in stuff and don't mess with it".
I have code that takes the token, goes into the database and gets the user details. What do I do then to integrate that into the built-in security stuff for ASP.NET? I'd like to ultimately use Action Filters for authorization on my controllers. Thanks.
Once you get the user details you could emit an authentication cookie:
FormsAuthentication.SetAuthCookie("username", false);
This will append a cookie to the response so now the user will be authenticated and you can safely redirect to a controller action decorated with the [Authorize] attribute.