Passing values from Flash to ASP.NET - asp.net

I implemented a kind of biometric login in Flash. Now my Flash application detects the person and authenticates him. All I need is for some information to be passed from Flash to my ASP.NET page after biometric authentication, so as to initialize a session.
Is it possible to pass an authentication code from the Flash file to an ASP.NET page?

I've done something similar.
Keep in mind there's not much you can do to secure your application, as the .swf resides on the client and can be decrypted and decompiled. I'd recommend just storing an encrypted value in a cookie using a secret that keeps changing and read it from ASP.NET. It's no better than using an encrypted query string, though.

You can pass the values with URL parameters.
Here is how you open a web page from Flash:
http://board.flashkit.com/board/showthread.php?t=140468

Related

What to use instead of session and cookie in mvc application

Currently on our website we are using 1.) Session 2.) Cookie; they both have their own disadvantages. So, in our new website we don't want to use sessions and cookies.
We have googled and found some alternatives to session and cookie, as below:
1.) Use 'Local Storage' or 'Session Storage'.
2.) Append data with the querystring.
Local storage is a client-side alternative to session. It will only be available to client script, not the server code; you would use it if you are writing a SPA and plan on making Ajax calls.
So, we need an alternative technical way to handle session and cookie with some other method.
Please help me regarding it.
"Use 'Local Storage' or 'Session Storage'."
Local Storage is not a replacement for Session State. They are totally different technologies.
"Append data with the querystring."
QueryString is not a replacement for Session State either. We only use the query string to pass very small data (normally an integer value) between pages.
"So, we need an alternative technical way to handle session and cookie with some other method."
Cookie
For ASP.Net MVC, you want to use a cookie for authentication unless you want to use a Bearer Token. There is nothing wrong with using a cookie for authentication unless you abuse it.
Session State
In a nutshell, we do not need to use Session State directly in ASP.Net MVC. You can say that Session State and View State are somewhat replaced by Model, if you will.
Keep in mind that TempData uses Session State under the hood.
I have googled to find some resources and am trying to find out more; if anyone has suggestions, please update.
2 ways to pass data between pages without using Session and Cookie:
1.) using Local Storage
2.) using Secure Query String:
====================================================
1.) using Local Storage:
a.) Local Storage or Session Storage:
What is the difference between localStorage, sessionStorage, session and cookies?
b.) HTML5 offline storage - Alternative to Session? [closed]
HTML5 offline storage - Alternative to Session?
Disadvantages:
Are there any drawbacks to using localStorage instead of Cookies?
2.) using Secure Query String:
a.) MVC Encrypt Query String:
Encrypting an id in an URL in ASP.NET MVC
b.) Securely Passing Identity Tokens Between Websites
http://dotnetslackers.com/articles/aspnet/Securely-Passing-Identity-Tokens-Between-Websites.aspx#1776
c.) Encrypt and Decrypt URL in MVC 4
https://dotnettrace.net/2013/09/19/encrypt-and-decrypt-url-in-mvc-4/

How do I Login to Asp.Net webapp from separate ColdFusion webapp?

I have two web applications, of different technologies, one is developed in ColdFusion and the other in Asp.Net.
Both applications have authentication implemented. The usernames for both applications are the same, whereas the passwords differ.
So here is what I wanted to do, I log in to my ColdFusion application and when I click on a particular button it has to navigate to the Asp.Net application, without asking me to log in again to that application.
This is the solution I came up with: I passed the username from the ColdFusion application on button click as a querystring parameter to the Asp.Net URL, where it checks whether the querystring key is present and, if the username exists, logs in to the Asp.Net application.
It looks something like this http://xxxxxx.com?username=xxx
But passing username in the querystring is not secure, what can be done to make it secure? I'm thinking of encrypting the querystring, can this be done? Or should I follow another method to get this log in functionality?
1) Create a table in your .net application called AuthorizedSessions (or anything meaningful to you).
In this table, store the username, a randomly generated string aka token, a date created, and a date field to track if it's been used.
2) Create a script in your .net application to accept a username/password from your CF application, and to first authenticate that the user is allowed to log in, and then generate a record in your AuthorizedSessions table and then return the token back to ColdFusion.
3) Generate another script in .net that will accept the username/token as a link from ColdFusion. This script should validate the username/token against the authorized sessions table AND make sure that "date used" is null, since it should only be used 1 time.
4) In ColdFusion, clicking the link in your application should route you to a new page in your ColdFusion application that uses the CFHTTP server tag to send the username/password, etc... over to your .net script generated in step 2. If you have SSL available, that would be recommended for transferring the info over. Your .net should return the token to ColdFusion, and from there, you can redirect via cflocation to your .net application, making sure you include the username & token for the authorized session. Make sure your .net application marks the token as used in the AuthorizedSessions table so that a token can't be used over and over again.
I've used this method in the past for linking users from 1 application to another and it's worked successfully. It's basically your own scaled down version of an open auth type token system.
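Added example, not part of the original answer: a C# sketch of steps 2 and 3, with an in-memory dictionary standing in for the AuthorizedSessions table. The class and method names, the sample usernames and the two-minute expiry window are assumptions made for this example; the answer itself only requires single use.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// In-memory stand-in for the AuthorizedSessions table (constructed for this example).
public sealed class AuthorizedSessions
{
    private sealed class Row { public string Username; public DateTime Created; public DateTime? Used; }
    private readonly Dictionary<string, Row> _rows = new Dictionary<string, Row>();
    private readonly TimeSpan _maxAge;   // assumption: unredeemed tokens expire
    public AuthorizedSessions(TimeSpan maxAge) { _maxAge = maxAge; }

    // Step 2: runs only after the server-to-server username/password check has passed.
    public string Issue(string username, DateTime nowUtc)
    {
        var bytes = new byte[32];        // 256 bits from the OS random number generator
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = BitConverter.ToString(bytes).Replace("-", "");
        lock (_rows) { _rows[token] = new Row { Username = username, Created = nowUtc }; }
        return token;
    }

    // Step 3: runs when the browser arrives with the username and token in the link.
    public bool Redeem(string username, string token, DateTime nowUtc)
    {
        lock (_rows)   // check and mark under one lock so two requests cannot both succeed
        {
            Row row;
            if (token == null || !_rows.TryGetValue(token, out row)) return false;
            if (row.Used.HasValue) return false;                 // "date used" must be null
            if (nowUtc - row.Created > _maxAge) return false;    // stale link
            if (!string.Equals(row.Username, username, StringComparison.Ordinal)) return false;
            row.Used = nowUtc;                                   // mark as used
            return true;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var table = new AuthorizedSessions(TimeSpan.FromMinutes(2));
        var t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed clock
        string token = table.Issue("alice", t0);
        Console.WriteLine("other user: " + table.Redeem("bob", token, t0.AddSeconds(5)));
        Console.WriteLine("first use:  " + table.Redeem("alice", token, t0.AddSeconds(5)));
        Console.WriteLine("replay:     " + table.Redeem("alice", token, t0.AddSeconds(6)));
    }
}
```

With a database table, the check and the "date used" update in Redeem belong in one transaction or a single conditional UPDATE, for the same reason the lock is held here.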
I would add a random guid to each user in both systems' authentication tables. Authenticate them with the first system and pass the guid to the second system via POST. Grab the guid using the second system and validate authentication and initialize that user's session.

WCF and AIR/Flex 4 security

In a current project we are hosting a WCF 3.5 service on IIS7 and expose the methods through basicHttpBinding to an Adobe AIR/Flex4-client. Luckily Flash Builder 4 has integrated support for SOAP, so that a service-proxy can be generated easily.
Unfortunately, we are not able to find any elegant solution to enable username authentication. The only way we got working is to pass username and password on every single method call, which certainly blows up the method signatures and forces the service method implementations to do the validation on their own.
Could you please direct me to any solution, which could bring username authentication within the message-headers to adobe flex?
Best regards,
Daniel Lang
How would you pass the authentication credentials in a non Flex app?
Most people just set a cookie of some sort. Many server side app servers do this stuff internally.
Any calls from the Flash Player to your backend will send along any cookies that were already sent; which can easily be used to connect to your server side session. I thought most server side app servers handle this stuff internally.
If you need to set specific headers to HTML calls, you can specify them using the headers property of HTTPService. Here is a good example about how to set the header.

Best way to secure a silverlight image viewer in a web application?

I have a web application that is secured and stores user detail information in a session object. I am building a Silverlight control to view images that are stored in the database and access to those images needs to be secured. I am not trying to prevent copying or anything like that but I need to make sure that the user accessing the image actually has access to view the image which can be achieved by checking the user data in the session.
So my thoughts were to do the following:
A web application that hosts the Silverlight control.
An ashx file to handle the serving up of the image from the database.
The ashx file, when accessed via the Silverlight control, will check the session to make sure they do have access to this image. (I am assuming the Silverlight control and web app share the same session; this could be a wrong assumption.)
Does this setup sound correct or are there other ways of approaching this? This will be my first time integrating a Silverlight control into a web application.
The Silverlight control lives within the context of the browser. I think that if your Silverlight control calls your ashx page, the ashx page will execute under the same session that your web application is running.
When a user logs into your web application, store something in the session to indicate they are authenticated, and check it in your ashx page.
It is a simple scenario to mockup and test.
Sounds like you want to ensure that nobody is sniffing traffic to determine the URL to your ashx path. Perhaps you don't want that URL being used independently from your page, or for other images that the user/caller shouldn't be seeing.
Have you considered leaving a cookie value for the client? Perhaps a scenario like this:
When your customer visits the page, it sounds like you want to load an image into a Silverlight control. At the time that you're processing the other data on the page, send a cookie value back to the browser.
Drop a salted/hashed value in a cookie based on the browser/caller AND the image being requested.
Let's say that the image is someImage.png, and the client's IP address is 10.10.10.10. Use some salt like the image's db identifier to ensure uniqueness between images. Let's pretend it has ID 509.
Run the string "509_someImage.png_10.10.10.10" through a one-way encryption method (i.e. AES) using a strong key that you keep secret on your end. Let's pretend that your result is 'biglongcrazyrandomstring123', but it will obviously be much longer.
On the querystring to the call to the image.ashx page, force the include of that value (i.e. image.ashx?img=someImage.png&key=biglongcrazyrandomstring123).
On the server side, you go to your DB and retrieve the ID for someImage.png. Run the requestor's IP address, the image file name, and the database ID through the same encryption algorithm. Compare THAT value with the value sent in the querystring. If they match, then you know that YOU put the string in their cookie. Rather, you know reasonably that they couldn't have guessed it.
If anyone tries to mess with that querystring value, it'll fail every time because you're comparing two generated values.
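Added example, not part of the original answer: the compute-and-compare step in C#, using the answer's own sample string "509_someImage.png_10.10.10.10". HMAC-SHA256 is substituted here as the keyed one-way function (the answer names AES); the class and method names and the randomly generated key are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class ImageKey
{
    // Keyed one-way value over "<id>_<file>_<ip>", the string format from the answer.
    // Substitution: HMAC-SHA256 serves as the keyed one-way function here.
    public static string Compute(byte[] secret, int imageId, string fileName, string clientIp)
    {
        string message = imageId + "_" + fileName + "_" + clientIp;
        using (var hmac = new HMACSHA256(secret))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    // image.ashx side: recompute from server-side facts (database id, requested file,
    // caller address) and compare without stopping at the first differing character.
    public static bool Verify(byte[] secret, int imageId, string fileName, string clientIp, string presented)
    {
        string expected = Compute(secret, imageId, fileName, clientIp);
        if (presented == null || presented.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ presented[i];
        return diff == 0;
    }

    public static void Main()
    {
        var secret = new byte[32];   // constructed key; a real one is stored server-side
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(secret);

        string key = Compute(secret, 509, "someImage.png", "10.10.10.10");
        Console.WriteLine("image.ashx?img=someImage.png&key=" + key);
        Console.WriteLine("same image, same caller:  "
            + Verify(secret, 509, "someImage.png", "10.10.10.10", key));
        Console.WriteLine("key reused for image 510: "
            + Verify(secret, 510, "otherImage.png", "10.10.10.10", key));
        Console.WriteLine("key sent from 10.10.10.11: "
            + Verify(secret, 509, "someImage.png", "10.10.10.11", key));
    }
}
```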

How to Implement ASP.Net Forms Authentication

I'm just wondering how to go about using FormsAuthentication in asp.net.
In our project we are basing it on webservices, which return an XML document on successful login with all the credentials we require. What's the best way to store and access the information returned?
Thanks
EDIT: thanks for the response. I can't use the default provider because the provider is already given to us.
Basically, what I want to know is what's the most efficient way to store a Guid and an Integer on successful login so that it can be easily accessed by my asp.net application.
When you create your FormsAuthenticationTicket, you can set the UserData property to anything you like, including the data from the web service. That data will all be encrypted when placed into the Forms Authentication cookie, and will be decrypted on each subsequent request. The information will be available in the Ticket property of the FormsIdentity object that you can reach via HttpContext.Current.User.Identity.
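Added example, not part of the original answer: one way to carry the Guid and the integer in UserData and read them back on later requests. It assumes a System.Web application with forms authentication configured; the class and method names, the "|" separator and the 30-minute lifetime are choices made for this example.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Security;

public static class LoginTicket
{
    // Call once the web service has accepted the login. userGuid and userInt stand
    // for the two values taken from the service's XML reply (hypothetical names).
    public static void SignIn(HttpContext context, string userName, Guid userGuid, int userInt)
    {
        string userData = userGuid.ToString("N") + "|"
                        + userInt.ToString(CultureInfo.InvariantCulture);
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(30), false, userData);   // 30 min: constructed value

        // Encrypt() protects the whole ticket, UserData included, with the machine key.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                              // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;      // follows the forms configuration
        cookie.Path = FormsAuthentication.FormsCookiePath;
        context.Response.Cookies.Add(cookie);
    }

    // Call on later requests, after the forms authentication module has decrypted
    // the cookie and populated context.User. Returns false for anything malformed.
    public static bool TryRead(HttpContext context, out Guid userGuid, out int userInt)
    {
        userGuid = Guid.Empty;
        userInt = 0;
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;

        string[] parts = identity.Ticket.UserData.Split('|');
        return parts.Length == 2
            && Guid.TryParseExact(parts[0], "N", out userGuid)
            && int.TryParse(parts[1], NumberStyles.Integer, CultureInfo.InvariantCulture, out userInt);
    }
}
```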
How to go about it? It's a complex subject which no one can answer fully here.
I can tell you that the easiest way to implement it is to use the standard SQL Server-backed forms authentication provider. This is a step-by-step on how to set it up.
It can get a little confusing when there are database issues, however. These are usually caused by common issues and some googling often straightens it out quickly.
Keep in mind, also, that forms authentication usually entails sending cleartext passwords across the network. So protecting your login URL with SSL is a must in a production environment.
Session["GUID"] = value;
Session["INT"] = value;
Shoving the XML Dom object or xml in the Session object is not advisable for performance reasons when you only need 2 tiny values.
