I am working on an app where users are only allowed access if they click through from certain URLs. I.e. I need to authenticate by using the referral url and I am using
Request.UrlReferrer to achieve this.
I am guessing that the Request.UrlReferrer can be tampered with by malicious users to gain access...
i have a problem in my asp application . Im trying to protect the path for my application using this code :
Uri t = Request.UrlReferrer;
in my web application Request.UrlReferrer is null. how can i set UrlReferrer ?
View 1 RepliesI have the IIS webserver on Domain A. I have many users on Domain B, C, D, E.
I've set the NTFS security permission for each user and his/her domain to the webserver's security ntfs permission folder. But it is still not authenticating. So what do I need to do to enable this feature? I am using windows 2003 webserver.
How can I authorize and authenticate users by roles? I have roles table and user's table, role Id is the primary key in the roles table and foreign key in the user's table.
View 4 RepliesI have a web application that authenticates against AD. On the first login attemt it takes roughly 30 seconds to login. On subsequent requests the login occurs almost immediatly. I've searched all over google and this forums and noticed several people with the problem and everyone seems to have a different solution of which none work for me.
[code]...
I need to authenticate users based on three parameters such as username, password and officename instead of just username and password. User name is unique only across the single office and not across the application.
Can I achieve this using Membership class and if yes do I need to write any custom code for that?
I'm still new to windows authentication. Basically, we have a page on http://externalsite.com that needs to be accessed only by an authenticated user originating from http://internalsite. The user on internalsite is already authenticated using windows authentication.I'm confused here. How can I validate the user and obtain their role so that i can not only validate that they are authentic, but to authorize them to use this page on externalsite.com?
View 2 Replieswe have a web site (Web Site 1) which is presently working and authenticates the users using ASP.Net login control.
We have a new site (Web Site 2) which will have a web page with user name and password fields and these values will be posted to Web Site 1. I am trying to authenticate those user credentials on Web Site1 using
Membership.ValidateUser(UserName, Password); method. but i am keep getting "User AuthenticatedObject reference not set to an instance of an object. " exception.
I came upon an interesting discussion with my team around the use of HttpRequest.UrlReferrer and wanted to solicit feedback from the community. According to the W3C spec:
The Referer[sic] request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained (the"referrer", although the header field is misspelled.) The Referer request-header allows a server to generate lists of back-links to resources for interest, logging, optimized caching, etc. It also allows obsolete or mistyped links to be traced for maintenance. The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard.as input from the user keyboard.
The Request.UrlReferrer object does the work of converting referral strings that contain well formed URIs to an object with properties on every request. According to our logs there are requests that come in that contain invalid data in the referral such as:
localhost
app:/BeamBackTest.swf
app:/multtiple.swf
app:/AFriendFeed.swf
ALToolBar
app:/index.html
mhtml:file://C:Documents+and+SettingsUserDesktoporacleWhat+is+a+View+in+Oracle+-+Stack+Overflow.mht
Using Request.UrlReferrer would mean the above cases would be NULL. Is it better to discard the invalid data based on the W3C spec by using Request.UrlReferrer or preserve it by using Request.ServerVariables["HTTP_REFERER"] even though the data may be interesting, but potentially useless.
What I am trying to solve here is to check for what is previous page's url and compare it. If it is login.aspx then I want to display an WelcomeNote() message. Any help would be deeply appreciated. Here's the codes.
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If Request.UrlReferrer IsNot Nothing Then
I have the following code in 'main.cs' file where I am checking for a condition
protected void Page_Load(object sender, EventArgs e)
{
if (Request.Form.Get("task") != null && Request.Form.Get("postToURL") != null &&
Request.UrlReferrer.ToString().Substring(0, 31).Equals("http://cs.astra.co.in:4040"))
{
ASCIIEncoding encoding = new ASCIIEncoding();
<SO ON>
Instead of checking for the URL [URL] in 'main.cs', Can I check for the same condition in the 'web.config' file ? If so, How can I do that ?? Is there any way to transfer the part -- Request.UrlReferrer.ToString().Substring(0, 31).Equals[URL] -- into the 'web.config' !!
[Code]....
Both returns the incoming url, Just to know When to use Request.UrlReferrer and when Request.ServerVariables["HTTP_REFERER"] and why?Currently, in one of my application Urlreferrer is working in my local machine but its not working when went live?Additionally, its most appreciable if anyone can guide any alternative of both Urlreferrer and HTTP_REFERRER?
View 1 RepliesI'm NTLM (authenication="windows" in the web.config) with an asp.net mvc 2.0 site. Right now once a user logs in it keeps them logged in for weeks at a time. The use of the application is being opened up to users who share computers that use logged in service accounts. I need the site to reprompt each user for their AD credentials each time in order to handle these users. (Activity on the site must be linked to a uniquely identified user.)
View 3 RepliesI'm new to asp.net and SQL Server and I'm trying to research and implement a good way to authenticate a user using those technologies. Would you have any advice as to best approach this? I've read some of hashing but I couldn't find a good tutorial or website describing the best way to approach that
View 3 RepliesI'm using ASP.NET MVC and I want to authenticate users with their Google or Facebook account
View 4 RepliesI have been asked to use the login control to authenticate users to use the website. I have a master page which has header pictures and a menu down the left. I have created a login form and configured my web.config file to use form authentication but when I run it, it does not show my master page just the content page. Should my login page not be a content page?
View 39 RepliesThe behaviour I would like is for a user to be able to visit a custom built website and if they are already authenticated against sharepoint for the custom website to know who they are and give them various rights. If they are not recognised by sharepoint then I would like them to login to sharepoint and be directed back to the custom website. Sharepoint picks its users and groups up from Active Directory. I don't know much about the internals of the server, but the custom one will be in a separate domain (I think) though I have full control over the custom and moderate control over the SP infrastructure.
View 1 RepliesI'm looking at starting a new web app which needs to be secure (if for no other reason than that we'll need PCI (Payment Card Industry) accreditation at some point). From previous experience working with PCI (on a domain), the preferred method is to use integrated windows authentication which is then passed all the way through the app to the database using kerberos (so the NT user has permissions in the DB). This allows for better auditing as well as object-level permissions (ie an end user can't read the credit card table). There are advantages in that even if someone compromises the webserver, they won't be able to glean any/much additional information from the database. Also, the webserver isn't storing any database credentials (beyond perhaps a simple anonymous user with very few permissions for simple website config)
So, now I'm looking at the new web app which will be on the public internet. One suggestion is to have a Active Directory server and create windows accounts on the AD for each user of the site. These users will then be placed into the appropriate NT groups to decide which DB permissions they should have (and which pages they can access). ASP.Net already provides the AD membership provider and role provider so this should be fairly simple to implement. There are a number of questions around this - Scalability, reliability, etc... and I was wondering if there is anyone out there with experience of this approach or, even better, some good reasons why to do it / not to do it.
I am trying to integrate authentication for a cloud-based application with an Active Directory forest behind my cilent's firewall.
I am a Python developer from the open-source world... needless to say, .NET is not my forte and I'm not familiar with authentication technologies provided by IIS/WIF/etc.
I have installed DotNetOpenAuth and gotten the sample MVC OpenID provider working with the included ReadOnlyXmlMembershipProvider.
I have scoured Google for a sample config/implementation or any documentation at all that describes the appropriate membership provider to use. The only thing I have found are hints - "It's included out of the box," or "create a .NET app that authenticates off of AD and expose OpenID."
How can I query off my client's AD? Is there a provider included with DNoA?
I'd like to Authenticate Users without having to use a Membership Provider.
What's the easiest way to do this?
I'm looking at returning a DirectoryEntry.
There is one page which is actually a streaming to The Axis IP camera which spits MJPEG output.It requires user to log in with the user name/password promp on browser .I am using this stream to show video directly on a web page.It shows video correctly but asks user to provide correct user name and password set for the camera,I tried to logging in to this camera on server side using HTTP requests and then I realized I authenticated server request not the browser the end user is using.
So what I want is a method server side or client side, that can allow me to log-in to camera automatically when my end-users visit this page.I am using asp.net with c# 2005
Need to develop a Web application that will be used to authenticate and authorize internal and external users to log and then re-route to web applications for the organization. The login application should be able to provider smooth integration with any future applications that needs a secured authentication. Should I be using WIF - Claims based Identity/ADFS or asp.net Role membership provider to develop this app.?
View 1 RepliesDoes anyone know how I can authenticate users based on their Email Address and Password as oppose to Domain, Username and then Password?
View 1 RepliesI am having a issue with my form authenticating the form. I checks to see if there is a password but does not authenticate. Here is my code.
[Code]....