I just wanted to ask if you can retrieve cookies in your asp.net application from when you logged into the YouTube website?
I understand how to set and retrieve cookies using .net and i could do this when the user inputs there username and password in my application but whats the point if the user has already logged into there YouTube account using YouTube. So from the user logging into there account using YouTube could i retrieve the cookies set by YouTube?.
You're not able to read cookies from another domain since doing so would be a huge security risk. So in your case, your web app would not be able to read cookies from YouTube.
Depending on what you're trying to do, you can leverage OpenId or OAuth for authentication and/or authorization respectively. This is a comparison of the two.
Related
How do browsers share credentials belonging to one domain with other? As I asked in question, if I log into one service, I'm automatically logged into other service? What authentication scheme is this and how are credentials shared?
The answer is that they use OAuth or something like it. You can read about it at https://en.wikipedia.org/wiki/OAuth or just google for OAuth. Only one site receives your username and password. The others are granted permissions by that site.
By using API's.
For example: When you going to Youtube and you want to log in, then Youtube uses Googles API's to check if there is an account that equals with your details.
And in case of logging in automatically, just the same way, but then with a session or cookie I think.
They use cookies to save your (encrypted) information.
Cookies stored on your browser are readable by any website*, so in theory any website that knows how Google's authentication scheme works is able to "log you in" on a Google account.
Also, in theory, any person who "steals" your cookies and use it on their computer would be able to log in as you. However there are certainly security measures taken into consideration from Google before allowing you to authenticate using only a cookie (using IP and other request information to make sure that cookie belongs to you, etc)
As a proof of concept, if you delete all cookies on your browser created by google.com you will find out that you are logged out of Google's websites. And when you log back in, the cookies will be recreated.
Errata:
*Cookies can be read by websites under the same domain.
I have configured thinktexture identity server which is connected with my database for authentication and returning the claims in response.
Now I am able to use STS in my website. Behavious of STS is, user is getting redirect to STS website login page for authentication and response is getting retun to my website after successfull login.
I want to implement a little bit different. I want to use Login page from my website itself instead of using this from STS so that stsyle and theming can be displayed as per my website.
Also want to implement many other password control features ie Password expiry warning, force change password etc can be implemented within the website.Please suggest the approach
Look into the WS-Trust endpoints that IdentityServer supports.
After a lot RnD, we finally reach at conclusion that it cannot be achieved.
It will always redirect to identity server URL for authentication.
I am very new in web api security. I have used form authentication technique. when user logs in, a token is created and stored as a cookie in user's web browser. On each request the token is varified and if user is authenticated and authorized user is given access to the service.
but I think this approach does nothing in web api security. cookies can easily be copied and pasted in other browser and anyone can get the service.
I am thinking to use App key and secret along with form authentication. I am not suggested to use third party service like Oauth for authentication. I am not Sure about the Implementation of app key and secret that how it exactly works.
Please provide better way to secure my web api wihtout using third party services and to prevent cookie hijacking etc. What actions are performed to build a strengthly secure web api.
The forms authentication is good enough. You can also do the following:
Use anti-forgery (antifrogery) tokens. Check this or this
It will also be great if on sensitive actions you check if the call to the function was made from the same site or not.You can implement your own action filter for this. (check if the referral site is your site, or the expected site)
Edited:
Thanks guys for your comments. I guess you are right. Well authentication cookies in ASP are created as httpOnly cookies which means even if the site had some XSS vulnerabilities it will still be safe and cant be stolen. I would also suggest to use https everywhere if the site is used for sensitive operations (like a bank) to make sure the cookies are perfectly safe.
I'm developing a web application that requires the user to log in using forms authentication. inside the webpage you need to download a desktop application that requires to login to the same system too. Is there a way to transfer the current logged credentials from the web application to the windows desktop application without need to login again?. Both applications shares a Login object from an vb.net interface.
I tried to save the IP address in the Database but that don't work for me because the website needs to be accessed inside and/or outside of the company and the user cannot login twice in different machines.
I tried to google for solutions but without luck.
Do you have any suggestions regarding this?
This may not be exactly the scenario you're envisioning, but this article shows how to use Forms authentication from a Winforms client using WCF Authentication Services. This should get you going in the right direction. Per the article, you can use these services in any .NET application.
http://msdn.microsoft.com/en-us/library/bb386582.aspx
This article shows how to do it with a Silverlight app, just so you have another example. http://blogs.msdn.com/b/brada/archive/2008/05/03/accessing-the-asp-net-authentication-profile-and-role-service-in-silverlight.aspx
And just one more for fun. http://aspalliance.com/1595_Client_Application_Services__Part_1.all#Page1
There isn't really any way to share this without encrypting a file containing the user's credentials and storing it on the hard drive along with the file, but then you run the risk of someone decrypting the information and getting access to the user's password.
I think that an alternate approach that could work is to generate an authentication token (could be as simple as a GUID) and store it in your database along with the user's id when the user requests the download. You would want this token to expire after a reasonable time limit (5 minutes, for example).
You could then include a file that contains this authentication token with the download. When your apps starts, you could check for the existence of the file. If it's there, you extract the token, delete the file, send the token prior to presenting the user login.
If the token valid, your server would send back the user's login and your app would proceed as though the user were logged in, otherwise you would just display the login screen.
I have an asp.net application in which I have used forms authentication.
Now, there is a need that user authentication is done outside of my application.
There will be an intro page which will do needed authentication.
Then, after authentication is successful user should be redirected to my app.
Of course, if user is not authenticated via that external page and tries to access my app directly, I need to redirect him back to this external log in page.
What's the best way to implement such a functionality? One way which I think is feasible is that I transfer some particular encrypted string in cookie from external login page and verify it in my application. So, based on that, I can see if user is authenticated via this external page or not.
Your own suggestion of validating the external site's cookie is how I would implement this functionality as well.
I would simply go with adding a Webservice in the first application that you in your stage can connect to a check if the user is logged in, the only problem with this is that you need to know which user whants access to your site and also to confirm that this is truly that user (So a user cant use other users who are logged in). This info could probably be sent via a cookie.
You probably should no be rolling your own single sign on solution in 2011. Rather, you should look at some emerging standards -- particularly OAuth and OpenID. Getting rolling with them is easy -- check out the OpenID website template on MSDN.
At the end we decided to use SAML 2.0 protocol.
External login page posts SAML complient XML digitally signed with certificate to other application. In this XML authenticated username is transferred. Application which receives this XML verifies digital signature with certificate's public key, and if validation is OK, reads username from XML, applies internal application authorization logic and at the end creates auth. cookie. We will probably add encryption so data protection would be complete.