Programmatically log into a web site in asp.net - asp.net

I am looking for a way to allow a user on my web site to log into another external web application (for example: Gmail, Jira, etc.) and redirect them successfully to the landing page.
I found this article which provides some code for posting the log on info, but doesn’t discuss what other actions I need to take (for example, I believe I have to create or save a cookie on the machine) that will allow me to successfully redirect the user to that site.
Does anyone have any code or resources that can point me in the right direction?
Thanks for your help!

It's not possible. Especially with the cookies, you cannot log in to Gmail, receive a cookie from them and then redirect that to the user. The user's browser will see it as a cookie from yourdomain.com and not from gmail.com.
The link you refer to is doing something else. It logs on, retrieves data from that website and processes it (on the server). It does not redirect the user to the authenticated homepage.

Related

Restrict users in intranet to access websites like Facebook, LinkedIn, etc.

I want to restrict my intranet users in such a way that I provide them the userId & password of websites (such as LinkedIn, Facebook, Gmail, Twitter, etc.); only these logins should be allowed.
If any user tries to use another userID, then it should block all such users from accessing the above-mentioned websites.
I am not sure how this should be achieved. But here I am trying to develop a web application using ASP.NET that will log in to websites with default credentials & save the session cookies in the browser; then the user will be redirected to the relative website, which will have the user session in cookies. Also, I'll block the login page of the websites for the rest of the users/systems on CC Proxy.
Please guide me in the right direction.
Thanks

I think DNS will be a bad option for you; it will be easy to bypass and you could not redirect a specific web page.
I think the answer to your question will be a proxy; with a proxy you will be able to supervise their web actions completely.
They will still be able to bypass it, but I believe it will be hard enough.

Do I need to maintain the HTTPS (SSL) state after the user has logged in even if the data are not sensitive?

I have a website where users can post ads and view them. I am using ASP.NET to build it. So normally the site is free to view ads. But if anybody wants to post an ad, he or she needs to be a registered user. So if a user tries to post an ad without logging in, then he will be redirected to the login page. So I want to enable SSL for the login page to securely transfer information over the internet.
Here are a few things you should know.
I just only need to secure the user names and passwords.
Ads posted by users are not sensitive data. So it is OK if it is transferred through a non-secure path.
I don't want to enable SSL for every page, because it will slow down page loading and it is a CPU-intensive task.
So how to achieve this? Do I need to maintain the HTTPS state after the user has logged in under an SSL connection until he posts articles and until he logs out?
Can't I just secure the login page to authenticate the user and then go with normal pages? Keep in mind that I need to keep the logged-in information, because I saw in another blog saying that when you go from HTTPS to HTTP all the states are being lost. Is that true?
So help me here.
Thank you very much.

You should maintain SSL for every page once a user is logged in so that you can use secure cookies for the authentication cookie. This can be set using the requireSSL="true" in the web.config (MSDN doc). You definitely should use secure cookies for authentication, and you'll only be able to utilize that cookie over HTTPS.
Or as Scott Hanselman put it in this seriously old blog post:
In order to prevent Session Hijacking, when you've got a secure site,
it's a good idea to mark your cookies as "secure," meaning that they
can't be accessed over HTTP. This prevents folks from being issued
cookies over HTTPS then switching to HTTP in order to access the
cookie with sniffers or other evil.
This question has also been covered at Information Security Stack Exchange and Programmers Stack Exchange.
More Reading: OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
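
The cookie settings this answer refers to, as an added web.config sketch that is not part of the original answer; the login page name and the timeout are assumed values:

```xml
<configuration>
  <system.web>
    <!-- Weak form, shown for contrast only: without requireSSL the ticket
         cookie has no Secure flag and is also sent on plain-HTTP requests.
         <forms loginUrl="~/Login.aspx" /> -->

    <authentication mode="Forms">
      <!-- requireSSL="true": the forms-authentication ticket cookie is marked
           Secure, so the browser returns it only over HTTPS.
           loginUrl and timeout (minutes) are assumed values. -->
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="30" />
    </authentication>

    <!-- Applies the same flags to the other cookies the application issues,
         including the ASP.NET session cookie; httpOnlyCookies keeps them
         out of reach of client-side script. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

With these settings a page requested over HTTP never receives the ticket, so the user appears logged out there; that is why every page behind the login has to be served over HTTPS.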

Can you bypass the login to an ASP.NET site using only a unique URL?

I'm just curious if you can bypass the login into an ASP.NET website, which, to let y'all know, I have no control of, using a unique URL?
I have login credentials to the site, and tried using those to do this but to no avail.
So is this possible? Only thing I could think of was
http://username:password.awesomesauce.com/login/login.aspx
FYI I can log in fine, I just need this to log in to the site via a 3rd party app. It is a major pain to log in every time with the app, and sometimes many of the functions fail because it's screwy with keeping an authenticated login.

No, this is not normally possible.
This would be a very specific custom case - there is no standard for this as all logins are different, and authentication methods with databases etc. are all different.
FTP can work like this, but that is because the authentication is part of the protocol whereas in a web form it is not.

I used a Firefox add-on called Live HTTP Headers 0.17 to follow the URL actions as it logs into the site. After turning on the capture option I logged in and it gave me this
Then I took the contents from the Content-Length category and appended it to the URL like so
https://www.TROLLFACE.com/login/login.aspx?__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJMTI2OTI3NTE1D2QWAmYPZBYCAgMPZBYMAiAPDxYCHgdWaXNpYmxlaGRkAiEPDxYCHwBoZGQCJg8WAh4LXyFJdGVtQ291bnQCGhYCAhkPZBYCAgEPFgIeBXN0eWxlBQtib3JkZXI6MHB4O2QCKA8WAh8AaGQCKg8PFgIeC05hdmlnYXRlVXJsBRZqYXZhc2NyaXB0Om9wZW5DaGF0KCk7ZGQCOQ8PFgIeBFRleHQFKUNvcHlyaWdodCAmY29weTsgMjAxMiBCIE8gWCBQYXJ0bmVycywgTExDZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFGGN0bDAwJGJ0bkNoZWNrSW52ZW50b3J5MdYH4EkMQWCgv%2FEOSMLJPNZ21rMa&ctl00%24cphMain%24txtUsername=USERNAME-GOES-HERE&ctl00%24cphMain%24txtPassword=PASSWORD-GOES-HERE8&ctl00%24cphMain%24btnLogin=Log+In
Please note the USERNAME-GOES-HERE and the PASSWORD-GOES-HERE.
So far it works every single time, effectively skipping the login.

Password protect website during development

Is there an easy way to password protect my website during development so that only my tester can hit it? It's an ASP.NET site and is hosted on discountasp.net.
Thanks,
Jay

You can just set up a temp user/password in the C# part of your login page. That'll keep others out, and let you get in until you implement a real user system.
If they click login without that pass, no redirect to the rest of site. If they enter the correct user and pass, redirect to the rest of the site.

Require ASP.NET Forms authentication in your web.config and redirect to login page if not authenticated. This can integrate into your existing authentication database.

You need to activate Windows Authentication for the website. This will require a domain or server account credentials to be filled in before the site can be accessed; otherwise the user will receive a 401.2 not authorized error.
Example at www.33bh.com. Just hit escape when the popup appears to see the 401.2 not authorised error.
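
The forms-authentication approach from the answers above, as an added web.config sketch that is not taken from any of the answers. The login page name is an assumption, and the `system.webServer` part assumes IIS 7 or later in integrated pipeline mode with a host that allows the modules section to be overridden:

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Assumed page name. The loginUrl itself stays reachable to
           anonymous visitors, so no separate allow rule is needed. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="30" />
    </authentication>
    <authorization>
      <!-- "?" means anonymous: every unauthenticated request is
           redirected to loginUrl. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <system.webServer>
    <modules>
      <!-- By default these modules run only for managed handlers (.aspx
           and similar), so images, scripts and other static files would
           still be served to anyone. Re-adding them without the
           managedHandler precondition applies the rule to every request. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
```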

Creating a cookie using ASP.net

I have a SharePoint web part where I have links to go to different web sites to which login is required. Therefore, I think I need to log the users on before redirecting them into deep pages in that site; therefore I think I need to set up a cookie to that web site when the web part is loaded (by using the user credentials of the user's Active Directory information).
How can I achieve this requirement without opening up a new browser window? (Though I have used a client side script, it pops up a new browser window)
Any help is highly appreciated...
Thanks

If you are referring to "different web sites" as sites having completely different URLs, then it's probably not possible without an SSO system.
The reason is that it's impossible to read/write cookies from another domain in a web environment, i.e. pre-login the users like you are saying.
If all the sites are inside the same domain, like mycompany.com for example, and different sites are in abc.mycompany.com or mycompany.com/subsite, then yes, you can set the cookie. See top section here http://www.15seconds.com/issue/971108.htm
A simple way to implement SSO is by implementing the method described later on in the same article, in the "Requesting Cookie from Another Domain" section. This is not a very secure method though, but can be done if you restrict it properly to specific slave domains. And obviously all the slave sites have to be modified, as with any SSO implementation.
