Security - Securing Forms Authentication Token On Client Side?

Jul 16, 2010

In my website, I am not using any authentication or authorization. I've created login page to capture the user credentials and check against database. If the user successfully authenticates, it's storing the user data in session and navigating to other pages. Now thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in client browser for security reasons. Does anyone have any ideas how to secure the authentication token?

View 1 Replies


Similar Messages:

Security :: Use Token Based Authentication?

Mar 2, 2010

How to create Unique Token with properties like expiration time,

Any standard method provided by Microsoft,

View 2 Replies

Security :: Getting A Client Certificate While Using Forms Authentication?

Jan 13, 2010

We have a large extranet asp.net application that uses forms authentication. In addition, for SCCM purposes, each computer in the company has a client certificate installed.

Now the question has been raised:

Is it possible for us to test for the presence of this certificate from our asp.net code behinds?

We don't want to switch our security to require client certificates to access the site, there are just parts of some pages that we'd rather not display if the person viewing the site is not using a company issued machine.

View 2 Replies

Java - Can A Webservice Be Secured With Authentication When Called From Ajax Client Side

Oct 31, 2010

How do I protect a webservice if it is called from ajax ?

Update: I realize that my question didn't reflect what I intended to ask. I don't want user to be able to do the request by pointing to it with its webbrowser but only in the context of my app.

View 2 Replies

Authentication Through A Token Pass In MVC?

Sep 15, 2010

I'm working on a solution to part of my company's site that is done in 2 different languages. My part of the project is in ASP.NET, and the login portal is in a different language. We pass authentication credentials by storing login information in the database on the portal page and then sending a corresponding token to the URL in the page written in .NET. Almost all the tutorials and articles I've read about security for ASP.NET, and most languages, the message has generally been "just use the built in stuff and don't mess with it".

I have code that takes the token, goes into the database and gets the user details.. what do I do then to integrate that into the built-in security stuff for ASP.NET? I'd like to ultimately use Action Filters for authorization on my controllers.

View 1 Replies

WCF / ASMX :: SSO Authentication Token And POX Interfaces

Jul 28, 2010

We have a SSO authentication service that other externally facing web pages and services use to authenticate users. A user tries to reach a service, if no cookie is found containing an authentication token, they are redirected (HTTP 302) to the SingleSignOn authentication service. The auth service does its work, and redirects the user (HTTP 302) to the original URL with their encrypted authentication token in the URL. Great. How can I invoke this from a WCF POX service? No SOAP here, just HTTP GET/POST with XML responses.

What I'm currently doing is, in each service method implementation method, checking the headers for the cookie. If the cookie exists, verify the auth token and process the request. If the cookie doesn't exist or the auth token has expired, then respond with:

[Code]....

That works, but isn't integrated with any of the WCF features, and requires me to manually code for a whole bunch of scenarios. Is there a way I could implement this using these classes:

[Code]....

or use some other means that checks each request to the service? I've been reading pages like: How to: Create a Custom Token, but I don't see how it applies to my needs. I'm looking into this because I have some time before my project kicks off, and I'd like to implement this project correctly and learn about WCF as much as I can.

View 2 Replies

IE Not Saving Authentication Token / Cookies?

Oct 30, 2010

I have an asp.net site. It's a mixture of web forms and MVC2.

I have this on 2 different servers which I get to via different urls.

On one server authentication works fine via all browsers (IE 8, FF 3.6, Chrome)

On the other IE 8 fails, it doesn't send back the cookie on the request to the page after authenticating.

Using Fiddler I have seen that both sites attempt to set the cookie, in the response from the login page.

Response Header I see from both servers
Set-Cookie: DemandLaunch=CCA4...E79C2D1; path=/; HttpOnly

Both sites are in the internet zone of IE.

I'm at a loss for what to check now.

I also have a page that sets a cookie via c# code and that cookie fails in IE as well.

The IE issue is not on a single computer either. I see this failure on 4 different computers Internet Explorer.

My urls which I should have included were:

beta.[site].com - works
beta_[company].[site].com - fails

View 1 Replies

Windows Authentication Header Token Not Being Sent?

Feb 21, 2011

I'm trying to get an ASP.NET application to use windows authentication. I have disabled anonymous auth and enabled windows auth in IIS7. On my dev box (my workstation, localhost) I can use fiddler and see proper token is passed in through the header and I'm not prompted. Everything is working fine and I'm authenticated as my domain user.

However, on a remote server on our domain, with identical settings, I continually get prompted. We need it to automatically send the domain authentication for windows auth.

Does anything in IE need to be configured for this to happen for a remote machine on the same domain?

View 2 Replies

Javascript - User Control With Client + Server Side CustomValidation; Wrong Client Side Validator Is Picked

Nov 23, 2010

I have a user control which contains a CustomValidator which is used according to whether a RadioButton is checked or not (there are several RadioButtons, I'm only showing the relevant one)

<asp:RadioButton runat="Server" ID="RadioBetween" GroupName="DateGroup" CssClass="date_group_options_control_radio" />
[code]...

There is some client + server side validation code (the server side code does exactly the same thing and is skipped for brevity)

<script type="text/javascript">
function ValidateDateFields_Client(source, args) [code]...

There are two instances of this control in the page. When running the client side version it hits the wrong one (the version of the control which is disabled). You can see from the generated HTML both are correctly specified. I'm not sure how .NET works out which clientside function to call given they both have the same name.

<script type="text/javascript">
//<![CDATA[
var ctl00_MCPH1_QueryTextValidator = document.all ? document.all["ctl00_MCPH1_QueryTextValidator"] : document.getElementById("ctl00_MCPH1_QueryTextValidator");

[code]...
Do I need to add something in to scope it? What's the best way to achieve this? If I disable the loading of the second control everything works fine.

View 1 Replies

Add Per Request - Token Based Authentication To Mvc Site

Apr 4, 2011

I have an existing asp.net mvc website that uses basic forms authentication. The site has a login page that posts back to a login action, which logs the user in via FormsAuthentication.SetAuthCookie(). I am looking to add an api to the site, as an mvc2 area, where users would be authenticated based on a token passed as an http header. This area will consist of only json actions, so redirecting the user to a login page doesn't make sense. Instead, I want the users to just pass a token along with each request. That token is mapped to each user account and the user would be authenticated automatically.

I'm struggling with where to put this logic. At this point, the best choice seems to be adding the header lookup logic and authentication to the Global.asax in the Application_AuthenticateRequest method. I want to avoid needing to redirect the user after calling FormsAuthentication.SetAuthCookie(), though. I want the login action to be transparent to them. Am I approaching this the wrong way? As a side note: Requiring a username/password for api requests is not possible, as the site has a mix of users. Some joined using OpenID while the rest joined with a username/password.

View 1 Replies

How To Get Anonymous Authentication Token For Profile Support

Jun 14, 2010

So I have an asp.net Web Application (Not Web Site) that I am trying to support profiles for anonymous users. I have a form and I want anonymous users to be able to enter their name and email only once, and have that information automatically accessible on the next load for them.

In my Web.config I have anonymous ID setup like so:

<anonymousIdentification enabled="true" cookieless="AutoDetect" />

I have my profile section setup like this:

<profile defaultProvider="SqlProvider" enabled="true" inherits="QA_Web_Tools.UserProfile">
  <providers>
    <clear />
    <add connectionStringName="QAToolsConnectionString" name="SqlProvider"
         type="System.Web.Profile.SqlProfileProvider" />
  </providers>
</profile>

Finally, due to my app being a Web App and not a Web Site, I am using the profiles via this custom object:

using System.Web.Profile;   // ProfileBase, SettingsAllowAnonymous
using System.Web.Security;  // Membership

public class UserProfile : ProfileBase
{
    // Loads the profile stored under the given user name.
    public static UserProfile GetUserProfile(string username)
    {
        return Create(username) as UserProfile;
    }

    // Loads the profile of the logged-in user.
    // Membership.GetUser() is null for anonymous visitors.
    public static UserProfile GetUserProfile()
    {
        return Create(Membership.GetUser().UserName) as UserProfile;
    }

    [SettingsAllowAnonymous(true)]
    public string FullName
    {
        get { return base["FullName"] as string; }
        set { base["FullName"] = value; }
    }

    [SettingsAllowAnonymous(true)]
    public string BuildEmail
    {
        get { return base["BuildEmail"] as string; }
        set { base["BuildEmail"] = value; }
    }
}

This code is based off of this reference. The issue is that that code does not support anonymous users, or if it does I don't know how. I can't use the GetUserProfile() method with no parameters because if the user is anonymous, Membership.GetUser() is null. I could pass in the anonymous ID token into the first GetUserProfile(string username) method but I can't find any way to get the anonymous ID token for the current user. Does anyone know how to get this information? Google doesn't seem to be returning useful results.

View 1 Replies

Security :: Is The Value Of Identity.Name Accessible At Client Side

Feb 25, 2010

I wonder if the value of Identity.Name is visible (any way) at the client side?

So, it is safe to use the userID as cookie name?

[Code]....

View 5 Replies

Security :: Deleting / Invalidating Server Side Authentication Ticket?

Dec 9, 2010

I'm having a problem trying to delete the form authentication ticket (.ASPXAUTH) from the server side. It would be the same to delete or invalidate the ticket so the client could not reuse it.

So far, the only solution I've found is to delete the ticket from the client side (through a "Set-Cookie: .ASPXAUTH=;") but nothing seems to be implemented and/or working for doing so in the server side. The final idea is that if someone steals that ticket

In particular, I'm working in C# but as it's related to the Dotnet Framework any implementation of the solution would be OK; I tried all the possible things and nothing worked out, even invalidating the session but nothing.

View 3 Replies

Security :: Client Certificate Authentication With Splash Screen?

Mar 21, 2011

I'm running into an issue which has me going in circles with the references I've been able to find online. I have an application which is using client certificate authentication (with a removable token). It works well as long as a user doesn't leave their computer. If the token is pulled and any timer events fire on the page causing a postback the application loses its authentication and ends up at an error page.

I've seen some sites which use a mix of (presumably) forms authentication and windows authentication so that the network authentication only has to happen one time and then a token is built which the session relies on for future requests. I had hoped to use something similar to this so that when a new user enters the application they are redirected to a secure page which will request the client certificate (same principle as windows authentication) and then create the token before sending the user back to their requested page. So far no luck with this.

If I try to setup a subfolder in my website with a different authentication scheme from the root ("windows" vs "forms") I'm given an error in Visual Studio about requiring a separate application in IIS for this to be valid. Working in a development environment this is not practical. Every other technique I've run across which tries to force one page (or folder) to use a windows credential is leaving me with an empty identity object.

Has anyone come up with a way of using a mix of authentication methods to reach the goal I have and still work inside of Visual Studio for development activities?

View 1 Replies

Security :: Client Side Hashing Using Login Controls?

Aug 31, 2010

I am using ASP.NET 3.5 and SQL Server 2005. Currently while creating users, the password will be stored in the database using SHA256 algorithm. And in the Log In time entered password will be hashed with a salt and this salted password only transmitted through network (javascript). This is for increasing security without using SSL connection. I am planning to use ASP.NET 3.5 login controls. How can I use client side hashing (SHA256 salted hashing) along with ASP.NET Login Controls. And also each login attempt should be logged, in a separate database table with IP address, user agent and so on.

View 3 Replies

WCF / ASMX :: Not Accessible On Client Side / Https Security

Oct 2, 2010

I'm using WCF. How can I make sure to my service file from client side.

My web service file (service.svc) should not be accessible on client side....on https security (SSL)

View 6 Replies

Security :: Active Directory Authentication With Client Certificate Mapping?

Jun 24, 2010

I am trying to authenticate the users on a web application through their Active Directory credentials. What should I use? Client Certificate Mapping? or Forms? I am currently using a Form Authentication, but it is not working. It keep telling me my credentials are not correct. Should I switch over to something more recent? Client Certificate Mapping is installed, I just don't know how to set it up. Isn't there something about purchasing a certificate for the website? Is there anything else I can use that is secure and uses Active Directory credentials?

View 10 Replies

Security :: How To Security Token Transfer To J2EE Web Application

Mar 6, 2010

Here is 2 web applications: 1 is asp.net, another is J2EE base web application. Both of them are using same AD (e.g. DomainTest) as authentication source. Question here: 1. User logs in to the asp.net application (form based log in DomainTest, not IE prompt authentication dialog), on the left navigation (link to J2EE web application), just click this link, SSO to J2EE application. I think should transfer identity token from asp.net to J2EE, but don't know how, and for JSP, how to modify it to use token transferred from asp.net?

View 3 Replies

Security :: Solution To Create Trial Version For Web Application At Client Side?

Jun 3, 2010

I am looking for solution to create trial version for web application at client side?

View 3 Replies

Web Forms :: How Do You Write To A Client-side Control (text Box) With Server-side Code

Jan 6, 2010

If I have a standard HTML textbox

[Code]....

but got a readonly error.

View 10 Replies

Web Forms :: Setting Hidden Value Server Side And Accessing On Client Side?

Jul 19, 2010

I am trying to set a hidden type value to x on Server Side and then access it with Javascript. I have tried multiple ways to accomplish this.

At the basic level this is what I am trying to do.

Aspx page
<asp:HiddenField ID="HidRowNumber" runat="server" />
CS Page
In IsPostBack
HidRowNumber.Value = EFileRowNumber.Text;
JavaScript
var status = document.getElementById("<%= HidRowNumber.ClientID %>").value;

When I am debugging, it says HidRowNumber's Value has changed to x but when I access the value with JS it always returns ''.

View 23 Replies

Web Forms :: How To Unescape( Escaped HTML) By Server Side Not By Client Side

Aug 7, 2010

I can use escape() and unescape() functions by client side easily, but the problem is when I have used escape() method for a piece of HTML, then I don't know how to unescape this piece of HTML by server side, not by client side. How can I unescape (escaped HTML) by server side?

View 2 Replies

Web Forms :: Retrieve Value If Server Side Control Value Is Updated On Client Side

Oct 26, 2010

I have a hidden variable and its value is being updated using javascript (client side) which I make a call from server side code. After making the call I am not able to retrieve the updated value from Server side variable. I went through this forum [URL] but not able to find a way how to implement functionality with IFRAME. I am trying to call the client side code and retrieve the updated value from server side in page_load event.

View 5 Replies

Web Forms :: Get ListBox Client Side Set (Changed) Values On Server Side

Sep 20, 2015

Your example doesn't work, or I have missed something, I work on a website for information...

I have null in my variable ...

Protected Sub Submit(sender As Object, e As System.EventArgs)
    Dim values As String = Request.Form(ListBox1.ID)
    TextBox1.Text = values
End Sub

View 1 Replies

Web Forms :: Dynamic Control Server Side Event Is Not Firing If We Set Client Side Events?

Aug 27, 2010

I have created dynamic control with both server and client side events. If I set client side event, server side event is not firing. I have created the link button which will validate and do some necessary actions. Validation is working but click event of link button is not firing. If we remove the client side event, server side event is firing. How to avoid this? I want both events.

View 2 Replies






