I am going to create a website which in that, users can create their own album of pictures and upload them on the website. I am going to use ASP.NET (C#) to develop this website.
Each user only has access to the set of images which is dedicated to that user no shared items are permitted, so users should have their own username and password and log in before getting to their album.
So I have 2 question, where should pictures get stored to have prefect access control and restriction.
What is the best secure way to authenticate users?
Simply upload that file, and add a record that represents the user's UserId, and the path to the image.
Or you can upload directly to Sql Server 2008's (can you use that) FileStream object to store the images - and still have a record that links it to the user's UserId
To authenticate users just use the MembershipProvider. They will have a user id associated with their login. That becomes your key to look up the images.
You can get their name or user id in different ways. See:
How can I access UserId in ASP.NET Membership without using Membership.GetUser()?
for more details on getting the Id (via ProviderUserKey)
Related
I used AWS Cognito to authenticate users in my iOS application. The users of the app will have to enter the email, phone number and their name in order to register and Amazon will be sending a SMS to authenticate the phone number.
All of these are working fine. I have few questions and they are :
1.) I want to know where these data are getting saved ? It's not there in the Dynamo DB (However, I found the list of users in AWS Cognito --> Federated Identities --> Users , but not in a Table inDynamoDB)
2.) Now, once the users are authenticated, I am allowing the users to interact with the application. The first task will be that the users will have to complete their profile. I want to know if in case if an user is NOT authenticated will he be able to complete his profile ? Ideally, he should not be allowed. But is this happening automatically ?
EDIT
1) You are correct, data is not stored inside dynamo for user profiles. Cognito has an internal data store in which user data is persisted. This can be viewed and edited (as an admin) through the 'Users' tab of your user pool.
2) They should not be able to, and it is not happening automatically. The only way to update attributes stored against a user is as an admin (which the user shouldn't be able to do) or with the token that they get from signing in, so what you're aiming for is very do-able.
I hope you can give me some advice about membership and images.
Which is the best way to secure images so that only the authorised users can retrieve them?
The scenario:
I own a website on which users can enter and publish their wishlist(s). The owner of the wishlist has a username/password, and family&friends have a username/password (family&friends all share exactly 1 username/password)
Now I want to give the owner the opportunity to upload an image which will be used as a background image for the wishlist. This may be a personal image, so I want only the concerning owner and family&friends to be able to see that image. I don't want other users (and people not logged in) to be able to see this image, even if they try to hack it.
To be more specific, if I decide to store jpg-files in a folder, everyone can easily retrieve it like https://pbs.twimg.com/media/B4VBJc6CEAAFSKf.jpg
I can put it in a folder which only logged in users can access, but then all logged in users can access it, and I only want to grant the owner and the family-and-friends-user. Can I secure the image file?
So, my question is: Which is the best way to secure images so that only the authorised users can retrieve them?
I use:
ASP.NET,
SQL Server,
ASP standard membership
Only the concerning owner and family&friends to be able to see that
image. I don't want other users (and people not logged in) to be able
to see this image.
I assume you are using ASP.Net Web Form. If so, you want to look at a generic image handler.
To be more specific, if I decide to store jpg-files in a folder,
everyone can easily retrieve it
You should not store images in publicly available folder. In other words, it should be restricted to public access. For example, App_Data folder.
User can only access those images via Image Handler.
Inside the Image Handle, check whether user is authorized. If not authorized, return 404.
If authorized, you can use either BinaryWrite or TransmitFile (if image is stored in file system).
So, I've gotten weary with trying to search for my problem online.
I am currently creating an ASP.NET 2.0 application. The application currently is connected to a database which stores all the information I need to store. I also have connection to the LDAP directory at my workplace on it. I am using the LDAP directory for my application as everything is tracked by employee ids. I now need to add authentication and authorization.
Since my workplace is large, I need the ability to limit who has access to the website within the company as well as what they are allowed to do on the website. I know that ASP.NET has some sort of authentication and authorization, but I am completely oblivious as to how it works.
My current solution is to add a table to my database with two columns (employee id and access_id). The employee id can be used to pull information from LDAP about the employee whenever I need to. The access_id is a set of integers that represent what the user is allowed to see on the website.
When the user first starts a session on my website I use their nt id and pull the employee id from LDAP. I then look up all the access_id's and store them in an array for the session. Everytime a user accesses part of the website, I check whether they have the access_id associated with that section and allow or disallow them based on that. My first access_id of 1 allows the user to see the webpage by setting the visibility of in C# as
if(access_id == 1)
Enter.visible = true;.
What kind of LDAP directory are you using? If it's Active Directory, try:
http://msdn.microsoft.com/en-us/library/ff650308.aspx
or
http://msdn.microsoft.com/en-us/library/ff647405
You could also consider: http://msdn.microsoft.com/en-us/library/ff649313
If it's not AD, you could implement your own MembershipProvider: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
It's better to use the framework(s) where you can and only roll your own code when you have to.
I develop an ASP.NET website. It will contain text articles and some of them will contain pictures from my facebook account above and beyond the text. Note that I'm going to use only the public albums from my account.
So I created a sql table and binded the articles, the albums and the photos (in fact the IDs of all of them). I already used facebook api sdk and it was a great library.
Obviously any visitor of my website (even he doesn't have a facebook account) mignt be able to see the articles and the pictures withount visiting facebook and without authentication via facebook oAuth to access them.
Well here are the questions:
1) How do I get the photos a public album contains by album id and user id without authentication? (I don't know, maybe I should use the other parameters than album id and user id)
2) How do I get the properties (name, id, etc) of a public album?
With out an access token there's very little you can get from the graph api.
Just try yourself by directing your browser to: http://graph.facebook.com/YOU_USER_ID.
You can also check the fields/connections tables in the User object documentation, where it says "No access_token required" in the Permissions column (3rd) you can get with out a token.
If you want to get other data of yourself and serve it publicly on your site you have two options:
Use the server-side authentication flow, get a long lived access token (60 days), save that and use it for the following 60 days to get your data from facebook.
Then, when it gets expired go through the authentication process again.
It will just be you who needs to go through it, not your users, and only once every 60 days.
Log in yourself, authenticate against your app, get all the data and persist it on your db, then just present that to your users.
You'll need to update things every once in a while.
Edit
The server side authentication flow guide has an example written in php.
It's a simple example which does not cover all scenarios but it's a good start.
I have implemented this in python and java but it's not something that can easily be shared since it spans across multiple requests and states, and so I'll just describe the flow I think that you should use:
Inside facebook you go to your canvas app
Facebook will make a POST into an iframe with your canvas url
In the post data you will get a signed request, decode it and check if it has an access token, if so check when it expires. If all is good save that token and the auth process is over, otherwise:
Redirect the user to the oAuth dialog along with your redirect url and permissions that you require.
After you allow your own app you will be redirected to your "recirect_uri" with the code parameter (in the querystring).
Exchange the code for an access token against the facebook servers and save the token.
You can then redirect yourself to the canvas app or just stop there.
That should do it for a long lived access token which you can then use for 60 days.
As for persisting your fb data on your own db, it's a pretty trivial operation to save data on a db, and it all depends on what data you want to save, how you need to encode/use it (json, xml, plain text).
For example, let's say you want the display your own photos, then after you get the token (as described above) just query from your server for your photos by issues an http request to: https://graph.facebook.com/me/photos?access_token=XXXXXX.
You should get a json encoded result, iterate over that and save each picture as a record on your db.
To retrieve list of user's albums you need to issue next GET request to Graph API:
https://graph.facebook.com/me/albums?access_token=...
And to retrieve list of photos:
https://graph.facebook.com/ALBUM_ID?access_token=...
But you cannot read user's albums (and photos) without authentication and requesting user_photos permission.
According to album documentation:
To read an Album you need
Any valid access token if it is public and belongs to a Page
The user_photos permission if it belongs to a User
The friend_photos permission if it belongs to a User's friend
So generally you have only two options to achieve the result you want:
Use Facebook Page to store all the Albums/Photos you want to display on site
Read 'em using Application access_token.
This will allow you to completely bypass authentication flow at all.
Use your personal account to store Albums/Photos
Authorize application (client-side/server-side) and grant user_photos permissions
Extend access_token for your user and store it
Use your personal access_token to access your Albums/Photos
I'm making a small portal in ASP.net (with C#.net4) where users can login and add, edit their personal information (PI). But I don't get how to load information (stored in a SQL server DB) in the page when a specific user is logged in.
For example: If Sam is logged in, he can view his PI. When Vicky is logged in, she can view her PI.
who can help me with this?
thanks in advance.
You need to retain the ID of the logged in user in a session variable and then use it to filter the query with which you fetch each user's info.
So if a user's ID is 278 then your query would run as:
SELECT first_name, last_name, * FROM user_table WHERE user_id = 278
From a session variable stored like:
Session["UserId"] = currentUserId;
The ASP.NET membership provider has already taken care of this for you. Have you considered using it? You can manage all of your authentication, permissions, roles, and access/edit profile information -- which you define. You access the data via the membership objects, and you won't need to write a single line of SQL to do it. It will save you loads of work instead of trying to reinvent the wheel.
Use the regular membership as described in the other answers. Then leverage the Profile system so that each user can view/edit their info when logged in (per the question). CAVEAT: ASP.NET profile system only works out of the box with the Website project template. If you want to use the Web Application project template, then follow the steps here:
ASP.NET: Web Site versus Web Application Project
When you have the profiles up and running, the profile data can be stored in session objects while the user is logged in.