Restrict access to a specific URL, running on IIS7 / ASP.NET - asp.net

I am deploying a public ASP.NET website on an IIS7 web farm.
The application runs on 3 web servers and is behind a firewall.
We want to create a single page on the website that is accessible only to internal users. It is primarily used for diagnostics, triggering cache expiry, etc.
/admin/somepage.aspx
What is the best way to control access to this page? We need to:
Prevent all external (public) users from accessing the URL.
Permit specific internal users to access the page, only from certain IPs or networks.
Should this access control be done at the (a) network level, (b) application level, etc.?

I found the best solution was to place an irule on our F5 load balancer.
We created a rule that the load balancer would drop all external requests for the specific directory. Internally, we could still hit the pages by connecting directly to the servers in the farm.

Here is how to secure a specific page for specific users and only them:
<configuration>
  <location path="admin/somepage.aspx">
    <system.web>
      <authorization>
        <allow users="User1,User2" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
To set allowed IPs you need to configure the web site in IIS via IPv4 Address and Domain Restrictions, where you add a wildcard Deny entry and specific Allow entries.
Also, you can set all this up programmatically.
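Putting the two halves of this answer together, here is an added web.config fragment (not from the question or any answer on this page) that scopes both the user allow-list and the IP allow-list to the admin directory. The domain-qualified user names, the admin path and the 10.0.0.0/16 network are constructed placeholders.

```xml
<configuration>
  <!-- Applies only to requests under /admin; the path is relative to the site root, no ~/ prefix -->
  <location path="admin">
    <system.web>
      <authorization>
        <!-- Named Windows accounts only; everyone else, including anonymous, is refused -->
        <allow users="CORP\User1,CORP\User2" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <!-- Same effect as "IPv4 Address and Domain Restrictions" in IIS Manager:
             a wildcard deny (allowUnlisted="false") plus specific allow entries.
             Requires the IP and Domain Restrictions role service, and the ipSecurity
             section must be unlocked in applicationHost.config (it is locked by default). -->
        <ipSecurity allowUnlisted="false">
          <clear />
          <add ipAddress="10.0.0.0" subnetMask="255.255.0.0" allowed="true" />
          <add ipAddress="127.0.0.1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

IIS checks the source address of the TCP connection, so behind the load balancer it sees the balancer's address rather than the client's; the allow entries therefore have to describe the path internal users really take to the servers (direct connections, as in the accepted answer), while the balancer rule stays the control for external traffic.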

A simple implementation would be to set File Security on that file in IIS to Integrated Windows Authentication only.
Then in that file's code-behind, check for the user's ID. If they are authenticated, they will have an ID, and you can let them access the page.
if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
    // Direct the user to another page or display a message.
}
When users go to that page, it will ask them for their network login.

Related

Multi tenant httpCookie.domain in web.config

In an existing ASP.NET application the httpCookies domain configuration is used for setting the cookie domain.
<system.web>
  <httpCookies domain="www.domain.com"/>
</system.web>
I have to make the application multi-tenant. Depending on which tenant is requested in the application, the cookie domain might be different, for instance domain1.com or otherdomain2.com.
We would like to keep the approach that the domain is set in some central location. I would like to be able to differentiate at runtime which domain should be used for HTTP cookies, and not have a fixed value from the configuration.
See these articles for an explanation about this setting: description, Microsoft documentation
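One way to move that decision to runtime, as an added example that is not from the question or from any ASP.NET library: a hypothetical helper keeps the central host-to-domain mapping in code, issues the Forms ticket cookie with the tenant's domain, and refuses to widen the cookie scope for any host it does not know. The host names, domains and the TenantCookies class are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Hypothetical helper: picks the cookie domain per tenant at runtime instead of the
// fixed <httpCookies domain="..."/> value in web.config.
public static class TenantCookies
{
    // Constructed allow-list: request host -> cookie domain. Only hosts listed here get a
    // domain; deriving it from the raw Host header would let a spoofed Host widen the scope
    // of the authentication cookie to a domain the attacker chooses.
    private static readonly Dictionary<string, string> TenantDomains =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "www.domain1.com", "domain1.com" },
            { "app.otherdomain2.com", "otherdomain2.com" },
        };

    // Returns null for unknown hosts, which keeps the cookie host-only (the safest scope).
    public static string ResolveCookieDomain(string requestHost)
    {
        string domain;
        return TenantDomains.TryGetValue(requestHost, out domain) ? domain : null;
    }

    // Replaces FormsAuthentication.SetAuthCookie so the domain can be set per request.
    public static void SetAuthCookie(HttpContext context, string userName, bool persistent)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        string domain = ResolveCookieDomain(context.Request.Url.Host);
        if (domain != null)
        {
            cookie.Domain = domain;
        }
        cookie.HttpOnly = true;                           // not readable from script
        cookie.Secure = context.Request.IsSecureConnection; // never replayed over plain HTTP
        context.Response.Cookies.Add(cookie);
    }
}
```

The same mapping can be reused for any other cookie the application sets, so the "central location" requirement is met by one class instead of one web.config value.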

Windows Authentication IIS7

I have an ASP.NET Dynamic Data site that should only be accessible to administrators currently logged in and on the domain. I want the site to be able to tell who the user is based on their login and either allow or deny access without challenging for credentials. Due to the nature of a Dynamic Data site, I want to be certain no one else is finding their way in there, so I'd like to manage authentication and authorization in IIS rather than the web.config. But no matter what I do, it denies access even as administrator.
Using IIS7 on a 64-bit Windows Server 2008 R2 Standard machine. When I click on the site and go into Authentication, I have disabled all modes except Windows.
All three available providers are enabled in the following order:
Negotiate:Kerberos
Negotiate
NTLM
In Authorization, I have added a deny rule to deny anonymous users and then allow all users. Eventually will change that to allow role administrator but I can do that once I get this working.
What am I missing? If it matters, the web server, the domain controller, the file server the pages are on are all on the same domain.
You may want to use this little snippet of code:
Public Function GetGroups() As ArrayList
    Dim groups As New ArrayList()
    ' Walk the groups of the Windows identity IIS authenticated for this request
    For Each group As System.Security.Principal.IdentityReference In System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups
        ' Translate the SID into a DOMAIN\Name account string
        groups.Add(group.Translate(GetType(System.Security.Principal.NTAccount)).ToString())
    Next
    Return groups
End Function
This returns all the groups the current Windows user is part of; that way you can check if the admin group is in the array list and just redirect them if not.
So drop the other access deny/allow rules and use whether or not they are in the admin group to determine access.
You will need to make sure that the following is in your config file:
<system.webServer>
  ...etc
  <security>
    ...etc
    <authentication>
      <windowsAuthentication enabled="true" />
    </authentication>
    ...etc
  </security>
  ...etc
</system.webServer>

ASP.NET Security: Deny Anonymous access to login page

I'm looking to deny all anonymous access to my login page and only allow people who are in a certain role to be able to view the page or anything under that directory. Is this possible? I have tried to implement this in the web.config but had no joy :(
thanks
This would only be possible in an intranet application where your users would be authenticated against Active Directory. See MSDN
Otherwise, how would users log in if they don't have access to the login page?
I would rather implement access control on the actual content pages, or do an additional check when users attempt to log in and let them know that they need to be in a certain role in order to log into the system successfully.
Yes, you can...assuming that your clients are all running Windows workstations that are in the same AD domain as your IIS webservers and are using Internet Explorer (so, intranet only and not over the Internet). You want to configure IIS to only accept Integrated Windows Authentication, which will force the client workstations to use Kerberos to supply authentication information to IIS. Here's a how-to from Microsoft on how to configure this.
In web.config (the <location> element goes directly under <configuration>, not inside <system.web>):
<configuration>
  <location path="MyLoginPage.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
The special keyword ? means anonymous users, which is documented in the element schema:
Attribute: users
A comma-separated list of user names that are denied access to the resource.
A question mark (?) denies anonymous users and an asterisk (*) indicates that all user accounts are denied access.
Basically this is the Microsoft long-winded way of saying:
Location: MyLoginPage.aspx
Deny: anonymous
This means that someone will have to be authenticated using a mechanism other than Forms, such as Integrated (aka Kerberos, Windows) authentication, or with Basic authentication. You won't be able to use Forms Authentication, because they won't be able to reach the login page to log in.

IIS6 Basic Authentication and RouteTable.Routes

I have an ASP.NET 4.0 WebForms site that is running on a IIS6/Server 2003 instance. The site itself does not permit anonymous access and uses IIS basic authentication before the user can get to the Forms authentication screen. However, there are two site nodes below the site level, that are virtual directories which DO permit anonymous access (for requesting static images by other machines).
A new request required me to route those requests to a different page and examine the URL being requested and perform different tasks. I'm using a MapPageRoute method in the Global.asax file and the route clears through Forms authentication with a web.config setting <allow users="*" />. Obviously, that works great locally, but when deployed to the IIS6 machine basic authentication kicks in before the request gets routed.
Is there a good way to "fake" or create a virtual directory node in IIS6 and grant it anonymous access so that the routed url request can execute?
This might not work for everyone, but since in my case HTTP Authentication was primarily instituted just to prevent people from multiple attempts at the login page, I actually removed Basic Authentication from the site and all virtual directory nodes.
Then I added it just to the ~/[loginpage] that was being used. Since forms authentication was in use all unauthenticated users are re-directed to the login page and then get the basic authentication. Since the routed page request needed to be public I just added it as an exception to the Web.config. The routed values have to meet a very strict criteria to even be executed by the page logic and everything else is returned as a 404 by the handler.
Obviously this means that the asp.net dll is executing before IIS basic security when requests are redirected to the login page, but in this case I think it is fine.

How to make a website secured with https

I have to build a small webapp for a company to maintain their business data... Only those within the company will be using it, but we are planning to host it in public domain, so that the employees can connect to app from various locations. (Till now I have built web apps that are hosted internally only)
I'm wondering whether I need to use a secured connection (https) or just the forms authentication is enough.
If you say https, I have some questions :
What should I do to prepare my website for https. (Do I need to alter the code / Config)
Is SSL and https one and the same...
Do I need to apply with someone to get some license or something.
Do I need to make all my pages secured or only the login page...
I was searching Internet for answer, but I was not able to get all these points... Any whitepaper or other references would also be helpful...
Feel free to ask in case you need more information.
Thanks
Raja
What should I do to prepare my website for https. (Do I need to alter the code / Config)
You should keep best practices for secure coding in mind (here is a good intro: http://www.owasp.org/index.php/Secure_Coding_Principles ), otherwise all you need is a correctly set up SSL certificate.
Is SSL and https one and the same..
Pretty much, yes.
Do I need to apply with someone to get some license or something.
You can buy an SSL certificate from a certificate authority or use a self-signed certificate. The ones you can purchase vary wildly in price - from $10 to hundreds of dollars a year. You would need one of those if you set up an online shop, for example. Self-signed certificates are a viable option for an internal application. You can also use one of those for development. Here's a good tutorial on how to set up a self-signed certificate for IIS: Enabling SSL on IIS 7.0 Using Self-Signed Certificates
Do I need to make all my pages secured or only the login page..
Use HTTPS for everything, not just the initial user login. It's not going to be too much of an overhead and it will mean the data that the users send/receive from your remotely hosted application cannot be read by outside parties if it is intercepted. Even Gmail now turns on HTTPS by default.
What kind of business data? Trade secrets, or just stuff that they don't want people to see but if it got out, it wouldn't be a big deal? If we are talking trade secrets, financial information, customer information and stuff that's generally confidential, then don't even go down that route.
I'm wondering whether I need to use a secured connection (https) or just the forms authentication is enough.
Use a secure connection all the way.
Do I need to alter the code / Config
Yes. Well, maybe not. You may want to have an expert do this for you.
Is SSL and https one and the same...
Mostly yes. People usually refer to those things as the same thing.
Do I need to apply with someone to get some license or something.
You probably want to have your certificate signed by a certificate authority. It will cost you or your client a bit of money.
Do I need to make all my pages secured or only the login page...
Use https throughout. Performance is usually not an issue if the site is meant for internal users.
I was searching Internet for answer, but I was not able to get all these points... Any whitepaper or other references would also be helpful...
Start here for some pointers: http://www.owasp.org/index.php/Category:OWASP_Guide_Project
Note that SSL is a minuscule piece of making your web site secure once it is accessible from the internet. It does not prevent most sorts of hacking.
I think you are getting confused with your site Authentication and SSL.
If you need to get your site into SSL, then you would need to install a SSL certificate into your web server. You can buy a certificate for yourself from one of the places like Symantec etc. The certificate would contain your public/private key pair, along with other things.
You won't need to do anything in your source code, and you can still continue to use your Forms Authentication (or any other) in your site. It's just that any data communication that takes place between the web server and the client will be encrypted and signed using your certificate. People would use secure HTTP (https://) to access your site.
View this for more info --> http://en.wikipedia.org/wiki/Transport_Layer_Security
For business data, if the data is private I would use a secured connection, otherwise a forms authentication is sufficient.
If you do decide to use a secured connection, please note that I do not have experience with securing websites; I am just recounting what I encountered during my own personal experience. If I am wrong in any way, please feel free to correct me.
What should I do to prepare my website for https. (Do I need to alter the code / Config)
In order to enable SSL (Secure Sockets Layer) for your website, you would need to set-up a certificate, code or config is not altered.
I have enabled SSL for an internal web-server, by using OpenSSL and ActivePerl from this online tutorial. If this is used for a larger audience (my audience was less than 10 people) and is in the public domain, I suggest seeking professional alternatives.
Is SSL and https one and the same...
Not exactly, but they go hand in hand! SSL ensures that data is encrypted and decrypted back and forth while you are viewing the website; https is the URI scheme that is needed to access the secure website. You will notice when you try to access http://secure.mydomain.com it displays an error message.
Do I need to apply with someone to get some license or something.
You would not need to obtain a license, but rather a certificate. You can look into companies that offer professional services with securing websites, such as VeriSign as an example.
Do I need to make all my pages secured or only the login page...
Once your certificate is enabled for mydomain.com every page that falls under *.mydomain.com will be secured.
Do I need to make all my pages secured or only the login page...
Just keep the login page under https.
This will ensure there is no overhead when browsing other pages. The condition is you need to provide correct authentication settings in the web.config. This is to ensure users who are not logged in will not be able to browse pages that would need authentication.
@balalakshmi mentioned the correct authentication settings. Authentication is only half of the problem; the other half is authorization.
If you're using Forms Authentication and standard controls like <asp:Login> there are a couple of things you'll need to do to ensure that only your authenticated users can access secured pages.
In web.config, under the <system.web> section you'll need to disable anonymous access by default:
<authorization>
  <deny users="?" />
</authorization>
Any pages that will be accessed anonymously (such as the Login.aspx page itself) will need to have an override that re-allows anonymous access. This requires a <location> element and must be located at the <configuration> level (outside the <system.web> section), like this:
<!-- Anonymous files -->
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Note that you'll also need to allow anonymous access to any style sheets or scripts that are used by the anonymous pages:
<!-- Anonymous folders -->
<location path="styles">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Be aware that the location's path attribute is relative to the web.config folder and cannot have a ~/ prefix, unlike most other path-type configuration attributes.
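As an added configuration example (not from any answer above), this web.config fragment implements the "https throughout" advice given earlier in the thread and pairs it with the authorization settings just described: it redirects plain HTTP to HTTPS with the IIS URL Rewrite module and marks the Forms ticket and all other cookies as secure, so they are never sent over HTTP even if a single page is reached that way. The loginUrl and timeout values are placeholders.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: the ticket cookie is only issued and only sent over HTTPS -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="30" />
    </authentication>
    <authorization>
      <!-- Deny anonymous users by default; re-allow them per page with <location> as shown above -->
      <deny users="?" />
    </authorization>
    <!-- Every cookie the application sets gets the Secure and HttpOnly flags by default -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <!-- Needs the IIS URL Rewrite module installed; sends http:// requests to https:// -->
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Securing only the login page, as one answer suggests, leaves the authentication cookie travelling over plain HTTP on every later request, which is why the cookies are flagged secure here and every page is redirected.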
Try making a boot directory in PHP, as in
<?php
$ip = $_SERVER['REMOTE_ADDR'];
$privacy = 'BOOTSTRAP_CONFIG'; // placeholder from the original: the permitted address
$shell = 'BOOTSTRAP_OUTPUT';   // placeholder from the original: output for everyone else
if ($ip == $privacy) {
    // the original's "https://" line, read as sending the permitted caller to the secure scheme
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
} else {
    echo $shell;
}
?>
That's mainly it!