Is there a way to create an RSS feed that only customers who have logins to our customer portal would be able to see the content of the feeds? I know I can secure the RSS feed using standard ASP.Net authentication which would be fine for viewing while on our site... but how would a reader be able to subscribe to the feed then?
I'm pretty sure the answer to this is No... but maybe there's another solution I'm not seeing?
Thanks!
You can secure it with a other auth cookie, with a long time out like in this article
http://www.andreas-kraus.net/blog/increase-aspnet-authentication-membership-cookie-timeout/
but i prefer another approach. If you have a user, than its always good to give the user an uuid column in the database. Then you could give the user a link to your feed with his uuid and can check if he is allowed too consume it without other authentification.
hope that helps
You can not use forms authentication as an RSS client would not know how to handle that. What you could do though is secure it with basic authentication and let the users that are suppose to be able to access the RSS feed include the username and password in the URL. E.g. like:
http://username:password#www.domain.com/feeds/rss
This should be supported by any RSS client as this is a perfectly valid URI. Preferable use https though as the username and password are sent in the clear.
Note: Recent versions of Internet Explorer do not support this anymore as it was subject to spoofing. For example, spam mail could be sent containing links to:
http://www.trustedbanksite.com#somewhere.ru/
This could easily fool users into thinking that they are actually visiting the website of their bank. I don't know how the support is in other browsers.
Related
First of all, I'd like to preface this post by stating that I know this is a terrible user experience...
I have a client who would like to prevent site visitors from sharing login credentials.
Because this is a corporate marketing site, social login is not an option.
The client claims that there is a site where upon registration, a cookie is dropped onto the user's device and the user is also given a unique password that will only work on that specific device.
Does anyone know how to make this work using Wordpress? (I'd like to avoid using third party plugins)
This sounds like the use of Single Sign On (SSO) or 2 factor Authenticaton (2FA) will be needed. The SSO Wikipidea page references a cookie based solution for TCP/IP networks https://en.wikipedia.org/wiki/Single_sign-on so perhaps that's how this came up from your client.
Once you identify what your options are with that, based on what your client is using for authentication, then set up may be a bit easier. I think a plugin would save you a lot of time, since this is a pretty elaborate task. This one may do the trick https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/
Regardless it's pretty challenging to prevent the sharing of credentials. SSO may be a deterrent if that gives access to something else that user doesn't want to share. 2FA doesn't prevent a user from sharing the pin thats generated too. Perhaps the only real way is to require an IP match on a device with bio-metric authenticaton.
Im currently connecting with a site which uses basic auth, and my url looks like http://username:password#mysite.com. It works, but everyone can see the password; Is there any method to hide it, by means of base64 or something similar?
This syntax is just a shortcut for the browser. Some browser will use this syntax to build the Authorization headers (some will not).
But. One thing is sure. You are giving the user+password to everyone. If your site use basic authentication, then you need to give the user and password information to your users, like in an email for example. Why would you add an authentication and then let everybody access the authenticated section?
HTTP Basic authentication is not very secure. But can be used to prevent indexation by bots, or with https. When you add this sort of (annoying) popup the users will have to enter the credentials, there is no other way. And the browser will record the credentials and add the same information (user+pass encoded in base64 -- which means is in clear text, no security--) for each page requested on your site until the browser is closed. So you do not need to add the credentials on the url, the browser will do it for you, after a first popup.
Please read the whole question before saying duplicate.There are similar but this is different.
I have a website that users can post ads. Its written by using ASP.NET. So
If a user post an ad it should go through a review path.( Involving an admin )
eg: User posting an ad. Then admin log to his admin page and review the ad and then give the approve.
I developed it within the same solution file. Currently I put this page in a folder. To access it user have to type
www.test.com/admin/review.aspx
manually. Because that page is not linked from the main website. And this admin user doesn't have a user account in user account table. Note that whole site is secured with SSL.
So admin has to enter a password to enter this page. This password is hard coded( Not getting from the DB ).
So am I using the right approach? Can a hacker attack to this page?
I dont want search engines to index this page. Also what about this hard coded password method? Is it a secure way?
Is it a good way to implement this page in this domain? I have different domains for this website end with .org and .info etc. Can I use such to access my admin page?
Tell me the best and secured approach to do this. Thank you very much.
A hardcoded password is never a good idea:
Developers of the website will know the admin password for all deployments of the application.
If the password is discovered by an attacker, it cannot be easily changed.
Pre-production versions of the app will carry the same admin password as live versions.
The security of the admin page should be be based on the fact the URL is hidden. URLs are hard to keep secret as they're stored in browser and proxy logs, they are emailed, and are leaked in the referer header if links are followed or resources are used from other domains (e.g. JQuery).
Hiding the page from search engines is a good idea, however do so via the use of meta tags, not robots.txt, as robots can be viewed by anybody to determine the location of your secret pages.
Use established security methods to make your admin functionality secure:
Implement TLS/SSL so all acces is over HTTPS to mitigate Man-In-The-Middle attacks.
Implement account/IP lockout after a number of incorrect password guesses.
Use two factor authentication (e.g. Google Authenticator) to mitigate phishing attacks.
Store passwords in a DB or outsource your authentication to e..g Open ID.
If storing passwords in your DB, hash and salt them and use a slow algorithm such as bcrypt, scrypt or PDKDF2 with the highest number of iterations you can get away with.
I don't want to add another username and ID to the world, so I really want to integrate openId into my web site. However, I am confused about it. I looked at various blogs about it, and they all point to DotNetOpenAuth. I plugged that in, but didn't get quite what I expected.
What I see is something like this (from Scott Hanselman's blog)
What I expected to see was the same sort of log on experience I have here at stackoverflow.com
I am obviously confused on what OpenID is. Can someone help clarify for me? Even better, can someone point out what I need to do to get that stackoverflow.com experience.
Thanks.
Think of Open ID as the concept of taking a providers word that I am 'Joe'. There are many different providers you can use. Facebook, Twitter, Stackexchange, Google, Yahoo, and more. The UI you have is just using the OpenID provider. If you want a better UI, check out this jquery plugin, or this one.
The UI SO uses (and the two linked above) is really just eye candy. Conceptually they build a URL that your user will be sent to. Some require the username in the URL, others do not. If you are going to roll your own solution, you will need to know what every provider needs. If you use a prebuilt one, just go with it. :)
I did a blog bost a while ago that walks you through implementing DotNetOpenAuth in an MVC site. What is important to note is the method ActionResult LogOn(string openid_identifier) takes the URL the provider needs, and redirects the user there. You will get this URL from one of those controls. If I remember correctly, it handles everything for you. All you do it tell it where to POST the form to.
Once you get a response back (the other LogOn method), you can process it. response.ClaimedIdentifier is basically the users ID. It will be different for each user. If I log in using Google, AND Facebook, it will be different for both even though I am the same person. If you want your users to be able to log in with more than one, you will need to allow them to assosiate the logins, and code accordingly.
Ok so OpenID works by communicating with trusted openID providers (e.g. google) to tell the site who you are. A write up about how google's implementation can be found here http://www.readwriteweb.com/archives/google_clarifies_openid_implementation.php
Here is what I see when I click on Scott Hanselmans comment login system. http://imagebin.org/186528 Note how the OpenID textbox adds the url? I am pretty sure that all stackoverflow is doing is teh same thing - but having a link to click rather than something less usable.
I have created a username and password to enter and search people in linkedin. Now, I am devloping a web application using asp.net. I need to open a popup page which is displaying the searched results in linked in as logged in.
When the popup page is displaying, I need to logged in automatically using the username and password.
So, here is my question,
How to logged in automatically when the button clicked in Asp.net application using linked in username and password?.
Thanks
The problem is twofold:
deciding which credentials to use
actually logging in
Logging in is fairly straightforward: post to LinkedIn's login URL in the manner that LinkedIn expects. Unfortunately, LinkedIn still does not have a public API, so this is going to require hackery. Go to a LinkedIn web page that allows login and analyze the page source. There will be a field names for username and password in the login form, and the login form will post to a specific URL. Duplicate the username and password with a web request to the URL of the form. You will receive a cookie as part of the response. Make sure you include that cookie in future requests to LinkedIn and you are then "logged in" for every request.
Of far more importance than the actual logging in, which is a simple programming challenge, is deciding which credentials to use. I'm guessing that you're building an application for others to use, rather than yourself. If so, you'll need to ask them to give you their LinkedIn credentials. Beware: this is something that most people simply will not do. It's a trust issue; if they give you their credentials, you now have access to their profile and can do nefarious things with it. You'll need a good disclaimer explaining how you would never do that, ever, and you'll need the people who read it to believe you. Not as easy as it sounds.
If, however, this is just for you, you're on easy street. Just use your own credentials.