Security :: Storing A Token In Browser Or In Querystring?
Feb 17, 2010
We have developed a system to allow users to access another one of our web applications by placing a token in the db and then, when they redirect, passing this token in the browser to the new app and using that as an authentication method. However I am thinking that it might be better to simply place this token in a browser cookie, as then the user doesn't have to physically click a link; they can simply go straight to it because the token won't be in the query string anymore...
Will it add much overhead doing it via cookies? Are there any disadvantages?
Similar Messages:
Jul 2, 2010
I don't know if the following is possible or not but in brief, here is what I'm trying to achieve:
1. When a user requests to view a document, they click on a link (could be other) which contains an encrypted query string containing the data required to retrieve the relevant document, i.e. [URL]
2. I want to ensure that if after x minutes the user goes back to their history and selects the link again, or re-types the same url as above, it will not request the document and will redirect them to a page letting them know that the requested document "link" is no longer valid.
I don't want to rely on cookies or sessions, so I thought that maybe there would be a way to add a datetime token at the end of the existing url, but this needs to be done at run-time as the url is already predefined when the link is created, so I'm not sure how I can do this?
Ideally, I'd like something like this [URL] where the token would contain the date & time when the link was clicked.
Once re-requested, I would decrypt the token and validate it against the server time, and if it was over the x minutes defined, it would redirect me to the "link is no longer valid" page.
Feb 9, 2010
In our application, we have a need for a user to "impersonate" a different user. Think of it as a hierarchy -- Bob is above Frank in a hierarchy. Bob is logged in, and he needs to do things in the system for a short time as Frank. So, we have given Bob a list of users that report to him, and an impersonate link. He clicks on this link, and, behind the scenes, I log Bob out, and log in as Frank. I also set a session variable that tells me that really Bob is the guy who is the user. Also, Bob (acting as Frank now) has a nice little link at the top of every page that says "Stop Impersonation."
In addition, when Bob is impersonating Frank, Bob is restricted from doing some things, like changing Frank's password.
This was working great, until we encountered a situation where, if the session (I think -- getting confused here) gets destroyed (such as when I copy up new code and dlls to the live site), then when Bob clicks on "Stop Impersonation" he gets redirected to the default page, and is still logged in as Frank, but without the Impersonation session variable. So, now Bob really is logged in as Frank, and can change Frank's password (among other things).
How is it that a session variable (Impersonation) gets destroyed, but I guess the session is still hanging around, because it doesn't make the user log in again?
This is a somewhat serious bug for how our system works (bug in our code, I'm sure, not in .Net). We are using ASP.Net c#, aspnet membership services, .net 3.5, forms auth...not sure what else you need to know.
EDIT: Updated information. Looks like when "something" happens, for instance, when I recompile some dlls and copy them to the webserver, the session gets dumped. Or, rather, the variables in the session get dumped. The session id stays the same. I do get to check for Session.IsNewSession and it returns true, even though the id is the same as it was before.
Just like Utaal mentioned, Membership Services is separate from Session, so its forms auth token is still hanging around in the browser, but my session variable telling me that that isn't really the user who is controlling the browser isn't there anymore.
EDIT: Sky, here is what I'm doing to authenticate a user. I can't figure out where I would insert a ticket into this flow:
if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
{
    // Credentials checked against the membership provider; issue a non-persistent forms-auth cookie
    FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
}
Mar 6, 2010
Here are 2 web applications: 1 is asp.net, the other is a J2EE-based web application. Both of them are using the same AD (e.g. DomainTest) as the authentication source. Question here:
1. User logs in to the asp.net application (form-based log in to DomainTest, not the IE prompt authentication dialog); on the left navigation (link to the J2EE web application), just click this link, SSO to the J2EE application. I think I should transfer an identity token from asp.net to J2EE, but don't know how, and for JSP, how to modify it to use the token transferred from asp.net?
Mar 2, 2010
How to create a unique token with properties like expiration time?
Is there any standard method provided by Microsoft?
Aug 27, 2010
I'm using the Windows Identity Foundation (WIF) Security Token Service (STS) to handle authentication for my application which is working all well and good. However I can't seem to get any long running login with the STS. From my understanding I shouldn't care about the client tokens at the application level since they can expire all they want to and it should redirect me to the STS and as long as they're still logged in on the STS it should refresh their application token. Yet it doesn't seem to want to keep them signed in.
Here's what occurs in my login.aspx on the STS:
// persistTicket comes from the "remember me" choice on the login form
var cookie = FormsAuthentication.GetAuthCookie(userName, persistTicket);
// Persistent tickets get an explicit 14-day expiry instead of a session cookie
if (persistTicket) cookie.Expires = DateTime.Now.AddDays(14);
Response.Cookies.Add(cookie);
// Send the user back to the relying party, or to the default page
var returnUrl = Request.QueryString["ReturnUrl"];
Response.Redirect(returnUrl ?? "default.aspx");
Which was taken almost directly from an existing application using normal Forms Auth.
From my web.config:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All" timeout="2880"
         name=".STS" path="/" requireSSL="false" slidingExpiration="true"
         defaultUrl="default.aspx" cookieless="UseDeviceProfile"
         enableCrossAppRedirects="false" />
</authentication>
Looking at the cookie after I sign in I can see the expires time on the cookie is set for 14 days in the future and that the cookie is NOT a session cookie. When I'm required to log back into the STS I can see that my original cookie is still there. Is there some kind of time stamp functionality that the STS embeds into the cookie that is invalidating my cookie even though as far as I know it should still be valid?
Jun 15, 2010
I have two ASP.NET applications (one is Mojo Portal). I can navigate from one to the other using a URL token id.
In this way, using the token, I create a new session and save the related auth cookie.
But, sometimes, the asp web application doesn't keep the session and logs me out. When this happens I can't log in until the session cookie is deleted.
Both applications are behind a reverse proxy.
Feb 1, 2010
I'm writing an ASP.net application that uses Windows Identity Foundation. My ASP.net application uses claims-based authentication with passive redirection to a security token service. This means that when a user accesses the application, they are automatically redirected to the Security Token Service where they receive a security token which identifies them to the application.
In ASP.net, security tokens are stored as cookies.
I want to have something the user can click on in my application that will delete the cookie and redirect them to the Security Token Service to get a new token. In short, make it easy to log out and log in as another user. I try to delete the token-containing cookie in code, but it persists somehow.
How do I remove the token so that the user can log in again and get a new token?
Jul 16, 2010
In my website, I am not using any authentication or authorization. I've created a login page to capture the user credentials and check them against the database. If the user successfully authenticates, it stores the user data in session and navigates to other pages. Now I'm thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in the client browser for security reasons. Does anyone have any ideas how to secure the authentication token?
Oct 1, 2012
I need to hide the query string in the url on button click and by using <a href="http://xyz?abc=pol" />
Aug 3, 2010
I don't know whether this is a simple task or not, but I tried to search in google and couldn't find anything.
I have an asp.net form and the user enters some data in the text boxes provided. Whenever the user submits the form, the browser will save that form data. I don't want this form data to be saved in the browser. How can I restrict the browser from saving this form data without touching the browser settings?
The application is developed using asp.net and normal text boxes are used here.
Oct 16, 2010
It works when I pass the querystring in the browser like this: http://localhost:51765/foo/foo.aspx?ID=c516f4f4-36a9-40a7-baad-d2419ea631b9 I want it to work when the page loads, not when I pass the querystring in the browser.
<asp:SqlDataSource ID="categoriesDataSource" runat="server"
    ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
    SelectCommand="SELECT [CategoryID], [Name] FROM [Categories] WHERE ([UserId] = @UserId) ORDER BY [Name]">
[code]...
Aug 19, 2010
I'm looking for a way to get rid of the querystring of a page and redirect to itself but preserve the querystring data in some way. Example: [URL] should redirect to [URL]. Still, after the redirect, I want to be able to pick up the parameters that were originally passed. And I don't want to have [URL] in the browser's history.
What I tried so far:
* Response.Redirect(): does a proper redirect without creating browser history but I cannot preserve the parameters.
* Server.Transfer: preserves the parameters but the browser's URL remains unchanged.
* Create a client form on the fly and submit it in "onload": works, the querystring is gone, the parameters are accessible through Request.Form, but it creates a history entry in the browser.
The only thing I can currently think of is to store the parameters in the session, then redirect, then pick them up from there.
May 21, 2013
ASP.Net (C#) ... I have a URL like mydomain.com/detail.aspx?id=1. I want it so that no one can change or remove content from my query string...
Apr 24, 2010
Encrypt request.querystring and decrypt request.querystring
Mar 24, 2010
I have used querystrings in many webpages. When the user clicks a hyperlink it moves to the next page, but a very long string is displayed in the address bar of the browser.
I just want to show like this:
[URL]
Not like this:
[URL]
Feb 25, 2013
I have passed the values from the client side using a querystring. The link displays like [URL]. I want to encrypt the following:
?id=vidhansabha&cat_name=Industries&email=rafi045@gmail.com&mobile=9786629228
Oct 16, 2010
I have a page; when the page loads, nothing shows up, but it works when I pass the querystring in the browser as [URL]
I want it to work when the page loads, not when I pass the querystring in the browser.
Here is the code:
[code]....
[Code]....
[Code]....
Feb 10, 2010
I have created a custom user creation wizard to store custom user information. This is working fine. I am now trying to create a new page to allow the newly created user to create users in their own company, so I need to retrieve the company information from the user profile created and automatically fill that information into the new create user wizard. i.e. A user from company A logs in (company_id from the profile is stored in session).
User A wants to make another user in company A (but cannot make a user in company B). User A fills in the details for the new user; company A information is autofilled into the new user info (possibly from session).
I have read a lot about storing membership info in session but I cannot find any code examples of how to do this. I need to find a way to store Company_id in session and then use that for creating a new user with the same Company_id.
Sep 5, 2010
I am trying to create a cookie for storing Username and Password.
This is how far I am so far:
[Code]....
But I am getting this error:
[Code]....
May 21, 2010
Just wanted to know what is the best practice for storing new fields of data when a user signs up?
Also...
1- Is there a way to make the login controls use the same database as my website database?
2- Is it okay to use the Membership and Role API to manage users from a user interface (without the ASP.NET Web configuration tool)?
Feb 20, 2010
I have implemented Membership and Role Provider in my web site. Membership and Role information is stored in the database created from the aspnet_regsql option.
I want to store the access rights given to the pages in the ASP.NET Configuration option in the database instead of the web.config file, and want to give page-wise add, edit, view and delete rights that should also be stored in the database.
Is there any inbuilt class like Membership and Role to add page access rights?
Nov 25, 2010
When I first implemented forms authentication I consulted an article that told me to store the user's custom IPrincipal object in the cache. Is this wrong? Should I have stored it in the session?
Aug 30, 2010
How to handle html and scripts? What if I build my own CMS? Isn't it inevitable that I'll want to store html code, possibly scripts, and almost certainly apostrophes and special characters, and then display them again?
What's the best way to do this, since I won't want to display the encoded html, but the html itself?
Would it be to encode everything, then when I want to actually display the html, decode it, but everywhere else, keep it encoded?
I'm just trying to think of all the scenarios that I could come across when I accept user input where I don't know what they could be typing in. What if I WANT the user to be able to display html? Is it possible to decode only some tags but leave all other tags encoded?
Oct 21, 2010
I've got a couple pages in my web app that are used by external applications. They will link to the pages, and pass in various querystring values to allow my app to do the searching and return the results in the page. The problem is, if the user is not yet logged into the web app, they are sent to the login page, and the ReturnURL is truncated to include only the first QueryString value. I lose the rest of the values. So far I haven't figured out a solution to this. Here's a quick example:
The external application links the user to:
[URL]
If the user is not logged in they are sent to the login page, and the current URL looks like this:
[URL]