I want to save the page url, to a log file for example, that a user browses during a session and suggest him/her next time. What's the best scenario?
The correct scenario is to connect the user cookie with his data on a database on server and there keep the last visiting page.
An alternative for a site with few pages (and not database), is to have a number for each of your page and save this number only on the cookie, and then know what page to show base on this page number. Eg the 56 is for page contact.aspx
So the next time it will visit your page you find that parameter and make your suggestion.
To save the full url page on the cookie is something that I do not suggest because you make the cookie too big in size and that can lead to other problems (think that all cookies are follow the user on all calls, even the calls to see an image).
Of course you need to make this suggestions only for new sessions - and if the user is not on the same page. Think also what happens if a user have open 10 pages of your site opens and the session ends on all after some time of inactivity... Think again the user interface, the common way for that is the full history of what he see at the end of the page.
Related
I received results back for an ethical hack assessment for one of my asp.net webforms sites. One of the items was a multi step way the hacker changed the request to display a page he shouldn’t have had access to with his user privileges. Below are the steps he performed to execute the hack:
1) logged in using Admin level rights.
2) navigated to page ‘A’.
3) using his Burp tool, saved a copy of the page headers.
4) he then logged in using a User account which shouldn’t be able to see page ‘A’.
5) goes back to the home page to get a fresh request.
6) using his Burp tool, opens the request headers for the home page and replaces them with the contents he saved from page ‘A’.
7) he continues on with the request and is now able to see the contents of page ‘A’.
I tried to programmatically check the request.url and compare it against what pages the user has access to but the hacker said that didn’t fix it.
Is there a built in way to prevent this in ASP.NET 4.x? Is there some web.config property I can set to stop someone from changing the request headers and performing this kind of hack?
Update: This was happening because the username and usertype was being stored in session variables after authentication. Once the hacker gained access to the session, they replaced the session of the ‘User’ with the session of the ‘Admin’ account and it was just as if the Admin was logged in. The fix was to not store the username and usertype in session variables. I also created a table with the pages that each usertype was able to access and checked that each time a user comes to a page. If the usertype does not have access to the page, they get redirected back to the homepage. Both of these fixed the issue and eventually passed the ethical hack.
I have built an ASP.Net MVC site using Forms Authentication for a client.
Recently, they have requested that an authenticated user be restricted to a single browser session. That is, if the user raises a new browser instance, or opens a new tab on the original browser window, that he/she be logged out of the original. They insist on the added security.
Does anyone know how I might approach this? Thanks in advance.
Personally, I would push back and ask exactly what security this is bringing. Maintaining state like this counter to web architecture and is only going to bring you and your users grief.
Here is what I would do if presented with this problem:
Store the username of the user in your database (i.e. LoggedOn table).
When a user logs on, check to see if their username is already present in the LoggedOn table.
If the user isn't already logged on, insert a row into the table with the username and the current time; otherwise present the user with a message informing them that they can only log into the system from one device at a time.
Include logic to expire and delete the rows in the table if a user's session expires or if the user logs out.
First a disclaimer: I'm no expert in web programming.
Perhaps you might try a system where every user interaction requires the submission of a random value that's been generated for that page (much like what's used for CSRF protection.) That key could be kept under the user's session information on the server, and if a page is ever requested without the correct key as a URL parameter, the session is invalidated. The URL from one browser won't work in another, either, since once a URL is gone to, the user's session key has changed. The only way for a user to transfer a session between tabs would be to copy the URL of an unclicked link and paste it in a new tab's address bar. Switching browsers would be even more complex assuming that ASP.Net uses a session cookie: the user would have to transfer the cookie from one browser to another. Going back would also fail, as all the links on the previous page, and the URL for the page, would carry an incorrect session key.
Also, for reference, I believe the US Gov't TreasuryDirect site works in the way you've described, though I've never looked at how they manage it.
Thanks, people for the suggestions. Each had strong merits, however I had to take a hybrid approach. I found an incredibly simple suggestion from this post.
I implemented table of active users as Karl suggested as well. This will give the client the ability of deactivating the user on demand.
Thanks again.
Think of it as one active view at a time instead of one browser or tab. Or convince the customer to view it this way.
You can always issue a unique cookie for the browser session (ASP.NET Session) and allow communication to the latest cookie issued effectively making only one session active at a time, and therefore rendering other open sessions (browsers, tabs, etc) useless with the app by disallowing them communication any longer or serving up an error page for them. To do so you have to recognize who the user is and authenticate them against your app. This is half the puzzle and will force the user down to use your app in only a single browser at a time on their machine.
The other part of the problem is to pare down the windows and tabs that are part of the same browsing session of that browser, to allow only one view to be active at a time. To do so you can issue a unique sequential ID to the viewstate of each page for postback to the server to uniquely identify that page apart from other pages sharing the same session state (whether that page be in a browser tab, a frame or new window, etc). Or a code of your choice that's traceable. You then know which page is posting back within the session and can disallow others or deactivate previous ones by, again, shutdown down communication in some manner or serving up an error page, etc.
A new browser instance or a new tab may or may not be part of the same browsing session depending on how the browser is configured. I believe, for example, IE provides a setting that allows the behaviour to be set of whether a tab opens in a new process or session or shares the session. You won't necessarily get expected consistency across browsers to rely on for this feature, therefore you need to take programming steps to reign it in, like those described above.
You can additional steps like disallowing the user to be connected from a different IP# at the same time.
I have created a web page but i want to restrict only one instance of the page should be running at all times. The scenarios are given as below.
First time - User launches the page by URL and page loads.
User types URL again in another window and it should say that a page is already open OR refresh the existing page.
User closes the window and tries again - new fresh page will be loaded.
Additional Details : I have a database, user authentication.
Tried So Far : Set a flag in DB-->> This method how do i redirect the user back to the page which is already opened.
Any ideas to implement this.?
Thanks in Advance for your opinions and suggestions.
Perhaps you should use a cookie which expires when the user closes the browser. However, all browser instances may need to be closed.
First time, there is no cookie and http_referer does not contain the same domain. (set cookie now)
http_referer contains the same domain
cookie expires and go back to (1)
You should consider using cookies for this. Create a session-long cookie upon opening of the window and destroy it upon closing of the window. If a cookie already exists, you know the window is already open.
This of course relies on javascript and is easily got round. You can not use a server-side solution because it would be impossible to catch the closing of the browser window in order to clear the cookie.
Personally, I wouldn't try and restrict the opening of multiple windows but restrict the functionality available in each window. This approach would be much easier to control using a server-side approach, e.g. events fired in the window can be validated server-side.
I've noticed that on some sites, StackOverflow included, that if I start writing a post (Title, description etc), then leave the page - I might come back and click on the 'Ask Question' link a day later and the details are prefilled exactly from where I was the day before.
I was wondering how this is best achieved when developing a site using ASP.NET MVC? I was thinking that storing it in Session would expire after x minutes and it'd be too much to try to store in a cookie?
You can save post in database by ajax even if user doesn't push save button, there is many browser events that you can use to save post while user is on page. As example you could start saving post every x seconds after user focuses one of form input fields, or after user enters certain amout of characters, page onunload event would be good place to store post too, but you can't rely on it because browser could be killed and not closed gracefully. So just save post in your database with flag "Unpublished", and load it next time user comes to same page.
Well...
Don't expire the session.
give it a "dedicated" session that lives longer than a normal session
store it in the browsers local SQL db (this doesn't move with
the
user)
if it's short enough, store it in the cookie.
associate it with the logged in user, and allow them to store only "one".
Do autosave every short periud of time and save it to cookie/server database.
If you'll save it to cookie then user can continue typing in his browser next time, but he won't be able to continue message on another PC or browser.
Otherwise using database can have rather big load on database and bandwidth if there are many users in your application.
So its a ASP.NET problem where two users using the same machine, same browser.
User 1 logs in the domain.
User 1 changes some data without saving it.
User 2 logs in the domain in a separate tab.
User 1 switches back to his tab and saves the data.
User 1 actually saved the data into User 2!!
This is caused by the following mechanism:
Different tabs in the same browser seems to share the same session id.
We are storing user auth in cookie and the cookie is shared between tabs (same domain)
Therefore, when User 1 request to save, it is recognized as User 2 since the cookie has been updated to User 2.
So I'm wondering if there's any other methods to prevent this from happening, other than:
1. Use cookieless session so the session is embedded in uri.
2. Always include a hidden field in page to indicate which user owns the page.
Regards,
You could add some fields in the database to track that the user is logged in, and grab their IP address, and restrict access that way.
IE8 has a "New Session" command in the file menu that opens a new window, but that's pretty much like using 2 different browsers.
Hiding the login form until the current user is logged out will raise awareness that another user is logged in but won't prevent the above scenario. If the logout process could refresh each page in the browser on the domain then it might work, although user1 would loose all modified data.
I used the trick of opening a new window with a specific name and always make sure that any page will open always use that window.