IFrame and Basic Authentication - asp.net

I have a webpage which displays an IFrame. The IFrame source page is located on the other server which needs Basic Authentication. Is there a way to programatically pass the basic authentication information to the other server page so it does not throw the login box using Asp.net ?

As long as you don't mind exposing the password to everybody you can change URL to something like this:
http://user:password#www.example.com

Related

Asp.Net MVC returnUlr hack

I have a Website written in Asp.Net MVC.
I have been getting strange requests to my website which I think is a Hacking attempt but I'm clueless at what is being tried.
The requests are like this, but vary in length.
/Account/Login?returnUrl=%2FAccount%2FLogin%3FreturnUrl%3D%252FAccount%252FLogin%253FreturnUrl%253D%25252FAccount%25252FLogin%25253FreturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FreturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FreturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FreturnUrl%25252525253D%2525252525252FMembers%2525252525252FMemberInfo%2525252525252FDaddyPat
/Account/Login?returnUrl=%2FAccount%2FLogin%3FreturnUrl%3D%252FAccount%252FLogin%253FreturnUrl%253D%25252FAccount%25252FLogin%25253FreturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FreturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FreturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FreturnUrl%25252525253D%2525252525252FMembers%2525252525252FMemberInfo%2525252525252FCumberdum
/Account/Login?returnUrl=%2FAccount%2FLogin%3FreturnUrl%3D%252FAccount%252FLogin%253FreturnUrl%253D%25252FAccount%25252FLogin%25253FreturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FreturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FreturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FreturnUrl%25252525253D%2525252525252FMembers%2525252525252FOrgInfo%2525252525252FCGG
I'm not supporting normal login with name and password but only showing a button which allows you to login with steam using the openid.
When I open the link myself it just takes me to the login page and does nothing. Is the bot just stopping as I do not have a Name and Password input boxes?

asp.net pulling external web page while preventing client from seeing requests

I'm facing a security issue where my users can see all url from where i pull content from,
I use a third party dashboard app with 4 html pages showing system status for each company .'www.xyz.com/dashboard/x.html'
I would like to create new 'aspx' file and display the 'x.html' inside as plain text , while preventing the user to see where the x.html is downloaded from , because he should not have access to the other 'html' files under the same domain.
here, the user should not see the xhr and where they come from
In other meaning , I need to create an asynchronous server side request that brings the 'x.html' and displaying it's content inside my aspx as it was my page.
Updated answer:
If you have an ASP.NET Dashboard app with multiple pages and you want to restrict access, you need to implement ASP.NET Identity role-based authorization so that your clients who login only have access to the areas of the site you want them to access.
On the other hand if you are trying to take someone else's HTML page and display it as your own, that goes against our community guidelines and you should instead consider openly redirecting your users to the proper page and giving credit where it's due.
Original answer: You can't do this, for two reasons:
The browser must know the target URL.
Obscuring the target URL would be a violation of basic security principles.
The <iframe> element requires a src attribute. See MDN for comprehensive documentation.

Session when navigating through html and ASP.NET pages?

I have this issue: Due to design concerns, the ASP.NET webpage I am currently building will have to be inside an iframe in an HTML page. I must keep a session to store some variables in case the user returns to my ASP page, but I notice that as soon as I go to the HTML, the session dies. I was thinking of using cookies to store the information, but would like to listen to somebody else's opinion first.
It should work to request the same page from an iframe if the user is the same as the iframe request is being made by the user's browser which will still have the session.
Are you sure it's not something simpler like the iframe pointing to a login pgae or something?
Is the iframe using a URL attribute or are you loading the contents of the iframe server side?

Default login popup for web sites

I am trying to build a web site with ASP.NET MVC, I'm new to this. My question is: how can I display the default login dialog? I am not referring to a custom dialog, like the jQuery Dialog, there is a default pop-up for credentials, which looks different depending on browser, same as with javascript alert(), but I don't know how to display it. To know what I mean, go to http://fit.c2.com/wiki.cgi?WelcomeVisitors, there is a Login button at the bottom of the page, when you click it a pop-up appears. That is what I want to display. Any ideas?
So there is no way I can do this with FormsAuthentication?
That dialog is the result of a challenge-response authentication initiated by the server.
In the context of IIS, you would get this if you used windows authentication with no anonymous access.
You do not display this dialog or have anything to do with it other than restricting access to the resource in question.

Displaying the current authenticated Sharepoint user from an asp.net Page Viewer Web Part

I am creating a standalone asp.net page that needs to be embedded into a sharepoint site using the Page Viewer Web Part. The asp.net page is published to the same server on a different port, giving me the URL to embed.
The requirement is that after a user is authenticated using Sharepoint authentication, they navigate to a page containing the asp.net web part for more options.
What I need to do from this asp.net page is query Sharepoint for the currently authenticated username, then display this on the page from the asp.net code.
This all works fine when I debug the application from VS, but when published and displayed though Sharepoint, I always get NULL as the user.
Any suggestions on the best way to get this to work would be much appreciated.
If you want to retrieve the currently authenticated user from the SharePoint context, you need to remain within the SharePoint context. This means hosting your custom web application within SharePoint (see http://msdn.microsoft.com/en-us/library/cc297200.aspx). Then from your custom application reference Microsoft.SharePoint and use the SPContext object to retrieve the user name. For example:
SPContext.Current.Web.CurrentUser.LoginName
You can still use the Page Viewer Web Part to reference the URL of the site, now located within the SharePoint context.
Thanks heaps for the answers!
Turns out that as long as the asp.net page is using the same URL and port as the Sharepoint site, authentication works across both sites.
The solution is to use a Virtual Directory inside of the sharepoint site and install the asp.net page there.
When it works in debug, is that being used in SharePoint?
Your page and the Sharepoint site might as well be on different servers as far as authentication is concerned -- in order to get the information over you might need to pass it via the QueryString from the webpart if you can -- or you might need to make your own webpart to do this (just put an IFRAME in the part with the src set to your page with the QueryString passing the username).
It does seem that this would be a security issue if you use the name for anything though -- if you are just displaying it, then it's probably fine.
If you actually need to be authenticated, you might need to add authentication into the web.config of the site hosting your standalone page.
edit: I think you'd have better luck putting your page on the same port and server as SharePoint.
I suspect you will have a hard time specifically querying SharePoint for the currently authenticated username. I can't think of a way to easily access the SharePoint context from a separate web application like you are describing.
I don't know what kind of authentication scheme you are using, but you may want to consider using Kerberos, as I've found that it can make these kinds of scenarios a little easier by allowing for delegation and passing credentials from application to application or server to server.

Resources