I have 2 web sites running on the same server. Web1 needs to transfer data to web2 (same web server, different webs), passing sensitive data from one to the next. The browser will be using https. Are cookies possible/advisable here? My initial thoughts where to encrypt the data and pass through the querystring, both sites using a shared key. Perhaps also pass an encrypted expiration date to prevent the url from being reused in history if it's on a shared computer.
Figuring it's https and encrypted, initially it sounds ok. However, my gut tells me its unsecure. Another option is a session server but that seems a bit overkill for what I'm after.
What is the best way to securely transfer a single piece of data from 1 site to the next on the same web and do it relatively simply?
You can just have one site do an http post to the other site server-side. This information would never go through the browser and wouldn't even have to be encrypted (although that certainly wouldn't hurt).
You could even write data to the database and then redirect the user to a page on the second site that would read it (if the two sites can both access the database).
If I'm reading this right, you have two different web sites running on the same web server that need to share data securely. Correct?
If that's the case, don't send the data in the browser. If the sites are on the same server, you can have them communicate directly. Server-side communication within a closed server will be more secure than any system you can deploy to the client's browser.
You should consider implementing a web service on your server to handle the request. That way each website only needs to know about the web service and not about one another.
Related
What is the common(best practice) way of allowing a user to sign in from a Windows desktop application. Some examples of what I mean are Dropbox or Google Picasa. You sign in with your credentials and then the software is permanently signed in.
I assume the communication takes place over HTTPS. Does the client store the credentials to be sent with requests or is there some sort of token generated? Can anyone point me to some resources on how this should be handled?
Logging into a website normally creates a session at the server. The server then has to identify subsequent requests by the session. Typically, there is one of the following two solutions applied:
Session cookie, storing a session identifier
URL rewriting, where the session identifier is appended to every link in the html source
Which approach is taken is site dependent, so if you are writing a general 'for all sites' client, you might have to implement both.
In the former case, your application will have to handle the session cookies, in the second case, your application has either nothing to do - if it caches the html response - or will have to emulate the url rewriting itself.
In both cases be aware that the session will expire at server side after a certain period without any activity, so you might be required to generate such.
My question is as follows:
A site is hosted on multiple web servers, all servers refer to same domain.
Sometimes, users login to a central server, but get re-directed to other web servers.
Since domain is the same, cookies will be sent from browser to the new servers.
But server side (uses JSPs) session related data will nto be present at the second server.
So, will the second server accept this as an existing session, or, will it deem that there is no session?
For my own reasons, I had to stick to single session, multiple servers approach. This is basically for a game like evony.com, with multiple realms hosted on multiple machines possibly. Login happens once, but same session will be used in multiple server machines. Please let me know.
I'm building a solution where 2 applications are involved.
One of them handles the login and user management, and and other provides the service itself.
I need a way to send the user from the first app to the second, along with some data that derives from the whole login process.
The data has to be sent in such a way that it can't be tampered with; or a way to check if it's legit has to be available.
Some more details:
The solution consists of 2 ASP.NET (Webforms) websites
Although both websites are sitting on the same server, a solution that doesn't rely on this is prefered
Thanks in advance.
It might not be the best solution.
But this is what immediately comes to my mind.
Serialize the data, (from first website) that you need to pass, into a database accessible from both web sites (can be a third server in worst scenario when your both website might be sitting on different server).
Generate a key for the serialized data in the database. It can be a GUID. Pass it on to the other web site. Other website can delete it immediately after retrieving it by using the give key.
You could set an encrypted token cookie in the login application and pick it up in the management application.
I don't know of any way to transfer state data between applications on the server.
I am not if it is possible to use Server.transfer to the second site. But this would definitely be tamper-proof since it would occur on the server. The landing page on the second side would then persist the transfered info. Context object would be a good location to store the transfered info.
At a minimum it would recquire both apps to be on the same server.
Right now, my site is served by a single server, but I anticipate the need to increase my server capacity, soon. Instead of splitting my websites up among multiple servers and having to manage sessions across servers, I want to have multiple web servers all with the same code base on them and use router based round robin load sharing to distribute users to each server. And once a user hits a web server, have him stay with that web server throughout his/her whole session. To my knowledge, I don't need to have any special asp.net code to facilitate this.
Does anyone have any caveats or comments for this approach?
What you are talking about is called sticky sessions or session affinity. If your router supports this, then you are golden.
The only caviat is that the load balancing won't be perfect. If you have a few high-load users who all end up randomly on the same server, they will staty there until the sessions end.
I have implemented this kind of load balancing where I work, and it requires no special asp.net code to implement.
Most (perhap all) load balancers do have the ability to enforce "sticky" sessions where users on the same IP are directed to the same web server on every request. There is no code change required to accomplish this. There are two caveats that come to mind:
Using sticky sessions will mean that the traffic load will not be distributed as evenly as it would if you were not using sticky sessions. However, the distributionshould be"even enough" IMO.
There will be a very small percentage of users using proxy servers that may come in on different IPs on different requests. These users may experience "odd" behavior as they get passed to different servers.
Another characteristic of this configuration is that if one your servers go down the sessions of the users on that server will lose their session as well. I think this is one of the most commonly used setup since it does not require any development effort if the router supports sticky session or session affinity.
As others have mentioned, you should be able to turn on Sticky Sessions on your load balancer, that should take care of most of the "stay on one server" issues for you.
However you will want to ensure you have put settings in place to cope with a user landing on the wrong server mid session - Sticky Sessions are usually based on IP address, and users IPs can change mid session if you're unlucky, or a server may go offline, and the user will be directed to the other server.
You should make sure that your MachineKeys are the same across all servers - this will ensure that you can decrypt the viewstate correctly on all servers.
If you own the servers, you can do this in the machine.config, otherwise you can set it at the application level in the web.config, more details can be found in this how to:
Configure MachineKey in ASP.NET 2.0
There are some slight differences if you're running on IIS 7.5 - Tess Ferrandez has more details in a recent post "Forms authentication fails after installing IIS 7.5".
The other thing you'll probably want to do is move your sessionState from InProc to either Sql or StateServer.
We have an application that among other things, checks the existence of a cookie and reads and decrypts the contents of the cookie. Though the data stored inside the cookie is not sensitive, it has been encrypted via TripleDes encryption. A question was raised today whether the cookie saved on a single PC, could be copied on to another PC and whether the web application would detect the presence of this copied cookie on another machine, and ultimately decrypt what it would have on the original PC.
My question is this:
We use the standard ASP.NET implementation to save cookies (i.e via HttpResponse), does the index.dat file prevent the transplant of a cookie from one machine to the other? What if the index.dat file was also transported and copied over, or is there some internal structure inside index.dat that ties a cookie to a specific machine?
Absolutely. This is one way that cross-site scripting (XSS) attacks work:
I inject javascript into a page
I wait for someone to look at the page
The javascript I injected sends me your cookies
I login as you and do bad things
This particular issue bit SO during the private beta.
Yes, stealing cookies is a common technique to steal a session from a user.
Some sites try to bind a cookie to the IP of the client, but this fails in the face of big corporate proxies with multiple out-bound interfaces or other non-residental setups.
Even if everything else is ok, if someone can get physical access to the user's machine, they could copy the cookies to another machine.
E.g just clone the disk if needed!
In addition to the other answers. Never trust anything coming from the user of a web app, regardless of whether it's encrypted.
This ties into the idea of validate input on both client and server. Don't trust that the validation on the client was done.