Let's say I have an ASP.NET web application. I create an aspx page that shows a table containing users and email addresses. The user data is stored in a database, and when the page is requested by a logged-in user, html is generated to display the data. If the users requesting the page are not logged in, they are redirected to a sign-in page.
All of this is very standard.
My question is, is there any way the personal data could end up being indexed by a search engine (besides someone hacking into the site or an evil user publishing the data somewhere public)?
What if there was no requirement that users log in? Would the data then be indexed?
In general, search engines should index exactly what's visible to public visitors; Google will be angry with you if you expose something different to their spiders.
If you want to control the pages that are indexed on your server, check out: http://www.robotstxt.org
If the users don't have to login to access the data, then I see no reason why a search engine could not get access to it. Your data will be indexed if it's not protected by a login.
If there's a login mechanism, it will not be indexed.
IMO you should remove the login requirement from the profile page and also make a sitemap to give a list of users to the search engines. You should prevent guests from viewing users' extra information only.
I'm trying to password protect a page that contains confidential information.
Upon clicking a link, the user will be shown a pop-up dialog to enter a password.
If successful, redirect user to page. Otherwise, display "Wrong password".
The thing is, this can be easily overcome if the user just copies the URL and adds "/exec#ConfidentialPage" to the end of the URL.
Any suggestions?
If at all possible I would highly discourage implementing your own authentication system and instead rely on Google login to secure your data. See https://developers.google.com/appmaker/security/secure-your-app. My short recommendation is to:
Create a Google group which contains the users you want to access the data.
Create a role in App Maker which contains that group.
Restrict access to both your data and your view to members of that role.
This is much more secure than a password-based approach as (1) it's implemented by Google (implementing your own auth correctly is hard) and (2) you have a list of everyone who has access to your data in the form of the Google group.
Can anybody tell me if it's possible to retrieve a list of a member's pages without manage pages permissions? Or if it's possible to send the Graph a Facebook page ID and have it return whether or not the current FB user admins the page.
I have a page tab application which a FB user can install to one of their pages, and in order to show the relevant info regarding the current FB user from my website on their Facebook page, I need to know that the page they have given me is administered by them.
Since I don't want any control over the page itself, only to know that the page ID I've received is associated with the current FB user, asking for permissions to log in as any and all of their Facebook pages seems like a bit of an excessive permission.
I'm building an ASP website with user login. Does anyone know what the best and most secure way is to make a login page and make pages restricted access? I know some ways and used them for some websites, but sometimes they were not that secure. There are a couple of access levels for this website: Admin, User, Sales Team, and a couple more. Thanks.
You can use session variables to store the user level and then in ASP code define what the user can or cannot see.
Or in the database, I assume, you have a field where the level of access is defined as well.
Basically, make your security level part of the SQL query and show only data the user should be able to see.
Basically you should have the level of access in the database; the login page verifies credentials and then stores the user level in a session variable.
On any given page, while the header loads, ASP retrieves the session variable and compares it to the database.
If the user has clearance to see that data, he will; if not, display a message that he is not authorized or redirect somewhere else where he can be.
Add an include file at the top of your ASP pages which is executed before any of the page's code. This way you can write your security code once, and apply it to all of your pages.
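The two answers above (access level stored in the database, verified at login, re-checked on every page from a single shared piece of code) map onto an ASP.NET Web Forms base page. The following is an added example, not code from any of the answers: the `SecurePage` class, the `AccessLevel` enum, the `Users`/`AccessLevel` table and column, the `Site` connection string and the `Session["UserId"]` key set by the login page are all assumptions. It re-reads the level from the database on each request, as the answer suggests, so a demoted user does not keep a stale session value, and it uses a parameterised query so the access level never becomes part of a concatenated SQL string.

```csharp
// Added example (not from the original answers): an ASP.NET Web Forms base
// page that applies the access-level check to every page inheriting from it.
// Table, column, connection-string and session-key names are assumptions.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Ordered so a simple "<" comparison expresses "at least this level".
public enum AccessLevel { None = 0, User = 1, Sales = 2, Admin = 3 }

public abstract class SecurePage : Page
{
    // Each page declares the minimum level it requires.
    protected abstract AccessLevel RequiredLevel { get; }

    // Pure rule, separated so it can be tested without an HttpContext.
    public static bool IsAllowed(AccessLevel actual, AccessLevel required)
    {
        return actual != AccessLevel.None && actual >= required;
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Session["UserId"] is set by the login page after it has verified
        // the credentials (assumed key). No session entry means not logged in.
        object userId = Session["UserId"];
        if (userId == null)
        {
            Response.Redirect("~/Login.aspx?ReturnUrl=" + Server.UrlEncode(Request.RawUrl), true);
            return;
        }

        // Re-read the level from the database instead of trusting the cached
        // session value alone, so a change in the database takes effect at once.
        AccessLevel current = LoadAccessLevel((int)userId);
        Session["AccessLevel"] = current;

        if (!IsAllowed(current, RequiredLevel))
        {
            Response.Redirect("~/NotAuthorized.aspx", true);
        }
    }

    private static AccessLevel LoadAccessLevel(int userId)
    {
        string cs = ConfigurationManager.ConnectionStrings["Site"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT AccessLevel FROM Users WHERE UserId = @id", conn))
        {
            // Parameterised: the user id is never concatenated into the SQL text.
            cmd.Parameters.AddWithValue("@id", userId);
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? AccessLevel.None : (AccessLevel)(int)result;
        }
    }
}

// A page that only the sales team or admins may open; it inherits the check
// instead of repeating it.
public partial class SalesReport : SecurePage
{
    protected override AccessLevel RequiredLevel
    {
        get { return AccessLevel.Sales; }
    }
}
```

Every restricted page inherits from `SecurePage` rather than `Page`, which is the ASP.NET equivalent of the "include file at the top of every page": the check runs in `OnInit`, before any of the page's own code, so a page cannot forget it. The database round-trip on each request is the cost of the answer's "compare it to the database" step; if that is too expensive, re-check only every few minutes rather than trusting the session value for the whole login.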
Assuming you are using IIS as your web server, you can let it handle your website security by using the different available authentication methods.
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/9b619620-4f88-488b-8243-e6bc7caf61ad.mspx?mfr=true
http://www.authenticationtutorial.com/tutorial/
Perhaps the best authentication method for you would be Windows Integrated Authentication since it allows you to create groups (or maybe use the existing ones) to give access to certain directories or pages.
I have a very basic understanding of ASP.NET and I am trying to do the following. I have a home page that is set-up to be a login page. If you could just picture a username and password box that is the extent of that home page. Once the user is logged in they will go to a different page let's say the account page. However, when the user clicks the logo at the top left hand it takes them to the home page again but it shows the username and password boxes again ready to be filled.
The user status at the top of my page still shows that the user is logged in. What I am trying to do is add a piece of code that will change the link of the logo to display the account page once they are logged in and not the login page.
I don't know if this can be done through the web.config file since I read a different article that has something similar to this or if this code can be put directly next to the code where my logo link (default.aspx) sits.
Many thanks in advance!
Research the Membership Provider.
It's an industry standard in ASP.NET session management. It will manage all of your pages and allow you to customize pages, menus, etc. based on roles and permissions. Don't reinvent the wheel if you have the opportunity to use it.
Straight from MSDN:
ASP.NET membership supports facilities for:
Creating new users and passwords.
Storing membership information (user names, passwords, and supporting data) in Microsoft SQL Server, Active Directory, or an alternative data store.
Authenticating users who visit your site. You can authenticate users programmatically, or you can use the ASP.NET login controls to create a complete authentication system that requires little or no code.
Managing passwords, which includes creating, changing, and resetting them. Depending on membership options you choose, the membership system can also provide an automated password-reset system that takes a user-supplied question and response.
Exposing a unique identification for authenticated users that you can use in your own applications and that also integrates with the ASP.NET personalization and role-management (authorization) systems.
Specifying a custom membership provider, which allows you to substitute your own code to manage membership and maintain membership data in a custom data store.
I've setup forms authentication in my Google Search Appliance. Is there a way to have the title and a summary come back for protected pages? Currently, since they are all redirected to the login page, all search results are titled as "Login." I'm using asp.net with the .net framework 3.5.
You need to either:
1. Configure the Search Appliance to authenticate against your server.
2. Allow the search engine through to your protected pages.
On some of our client sites we've gone with option 2, partly because of the dynamic nature of the protection (i.e. articles published in the last 30 days are open, but you need a subscription to see the archive) which didn't lend themselves to using web.config settings.
We have a "Base Page" class that inherits from System.Web.UI.Page, and that all our pages inherit from.
In that class, we check a number of things, including the IP address and user agent of the calling client. If these match our search engine, we display a custom page layout that removes things like navigation, header, footer, etc. (using a master page), and display some additional metadata that we use for filtering; this way the search engine sees and indexes the entire content.
If these checks fail, then we check to see if the user is authenticated, and if they have a valid subscription.
If they don't have a valid subscription or aren't authenticated, we display a summary of the page, in place, along with a call to log in or register (using standard ASP.NET controls).
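The "Base Page" approach in the answer above, written out as an added example that is not the answer's own code: the `ContentBasePage` class, the crawler address `192.0.2.10` and user-agent fragment `gsa-crawler`, the `~/Crawler.master` and `~/Site.master` files, the 30-day window, and the `Session["SubscriptionValidUntil"]` key are all assumptions, chosen to match the scenario the answer describes. The master page must be chosen in `OnPreInit`, which is why the crawler check lives there and not in `OnInit`.

```csharp
// Added example (not the answer's own code): a base page that gives a
// verified search-engine client the full article in a stripped layout, and
// everyone else either the full article (recent, or subscribed) or a summary.
// Addresses, user-agent fragment, master-page paths and session key are assumptions.
using System;
using System.Net;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;

public abstract class ContentBasePage : Page
{
    // In production these come from configuration; placeholders here.
    private static readonly IPAddress[] CrawlerAddresses = { IPAddress.Parse("192.0.2.10") };
    private const string CrawlerUserAgent = "gsa-crawler";
    private const int OpenWindowDays = 30;

    // Content pages read these to decide what to render.
    protected bool IsSearchEngineRequest { get; private set; }
    protected bool ShowSummaryOnly { get; private set; }

    protected abstract DateTime PublishedOnUtc { get; }
    protected abstract string SectionName { get; }

    // Both the address and the user agent must match: the user agent alone is
    // trivially spoofable, and an address alone may be shared by many clients.
    public static bool IsCrawler(string remoteAddress, string userAgent)
    {
        IPAddress addr;
        if (!IPAddress.TryParse(remoteAddress ?? "", out addr)) return false;
        bool addressMatches = Array.Exists(CrawlerAddresses, a => a.Equals(addr));
        bool agentMatches = (userAgent ?? "").IndexOf(CrawlerUserAgent, StringComparison.OrdinalIgnoreCase) >= 0;
        return addressMatches && agentMatches;
    }

    // The "dynamic" rule from the answer: recent articles are open to all,
    // older ones need an authenticated user with a valid subscription.
    public static bool MayViewFullArticle(bool isAuthenticated, bool hasSubscription,
                                          DateTime publishedOnUtc, DateTime nowUtc)
    {
        if ((nowUtc - publishedOnUtc).TotalDays <= OpenWindowDays) return true;
        return isAuthenticated && hasSubscription;
    }

    protected override void OnPreInit(EventArgs e)
    {
        base.OnPreInit(e);
        IsSearchEngineRequest = IsCrawler(Request.UserHostAddress, Request.UserAgent);

        // The master page can only be switched here, before the control tree is built.
        if (IsSearchEngineRequest)
        {
            MasterPageFile = "~/Crawler.master";   // no navigation, header or footer
            ShowSummaryOnly = false;
            return;
        }

        MasterPageFile = "~/Site.master";
        ShowSummaryOnly = !MayViewFullArticle(Request.IsAuthenticated, HasValidSubscription(),
                                              PublishedOnUtc, DateTime.UtcNow);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Extra metadata the search appliance uses for filtering; requires <head runat="server">.
        if (IsSearchEngineRequest && Header != null)
        {
            Header.Controls.Add(new HtmlMeta { Name = "section", Content = SectionName });
            Header.Controls.Add(new HtmlMeta { Name = "published", Content = PublishedOnUtc.ToString("yyyy-MM-dd") });
        }
    }

    private bool HasValidSubscription()
    {
        // Assumed: the login code stores the subscription expiry in the session.
        object until = Session["SubscriptionValidUntil"];
        return until is DateTime && (DateTime)until > DateTime.UtcNow;
    }
}
```

A content page inherits from `ContentBasePage`, supplies `PublishedOnUtc` and `SectionName`, and renders either the full body or the summary-plus-login controls depending on `ShowSummaryOnly`. Note that this design deliberately serves different content to the search engine than to an anonymous visitor, so the gate that decides who counts as the search engine is the whole security boundary: keep the address list tight, log every request that passes it, and remember that search result snippets will still reveal a little of the protected text.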
If the title of your pages is something other than login, you probably haven't set it up correctly. The title of the document is what was indexed by the GSA during the crawl. I posted previously some tips to completing the SSO wizard here: http://www.mcplusa.com/blog/2009/02/completing-the-sso-wizard-on-the-google-search-appliance/