views: 953
answers: 4

I'm implementing simple authentication on an asp.net web site. Using the basic forms authentication is almost perfect: I set the auth mode to Forms and have a short credentials section in web.config, and use a simple Login aspx page that uses FormsAuthentication.Authenticate() and FormsAuthentication.RedirectFromLoginPage().

However, I would like to add the additional check for certain client IP addresses. If a request comes from a certain IP address, I want to automatically authorize the request and not redirect that request to the Login page. Is there an easy way to extend or override the built-in forms AuthenticateRequest? My other option is to create my own HttpModule to do this, but it seems if I do I lose the nice functionality of the FormsAuthentication methods and their interactions with the credentials section. Any suggestions?

+4  A: 

First, are you sure you want to do this? IP spoofing would be an ideal way to then attack your site if anyone could guess the range of IP addresses that you were not verifying! Even if they just knew the range of addresses, this makes a brute force attack trivial.

Second, you can just check the IP address in the login page and redirect from there...no need for an HttpModule. But, again, I would NOT do this if I were you.

UPDATE: R G - a couple of things. My thinking was that you would do an Authenticate() call before redirecting. This would avoid having the redirect loop back. But it looks like you don't even need that because...

Second, from your comment below (in Ben's post), you'll be using this code in a Web Service. If that is the case, couldn't you put the web service in the Web.Config page as a permitted access page? Just add this:

<location path="YourWebService.asmx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

This is what we do although we do require that the users of our web service send along a "magic phrase" before we'll process the web service request (it is also SSL encrypted).

Mark Brittingham
+1 for NOT in caps
Jason
The IP is an additional check not the only one.
Booji Boy
Sure, I understand that this leaves the app open to IP spoofing; in this particular case it's not an issue. The login is just a simple deterrent, but if someone wants to go through the trouble of spoofing we don't really care. Regarding redirecting from the login page... This doesn't solve the problem: the redirect will get authenticated again, will redirect back to the login page, etc. I need to be able to check earlier in the request, before the redirect to the login occurs.
R G
Mark, thanks for the suggestions. Explicitly permitting access to the services might be the way to go. I'm still not sure about using Authenticate() or any other FormsAuthentication helper method calls in the login page, as the caller of the service won't be accepting cookies since it'll just be another web server making the request. It sounds like if I want total flexibility with the authentication, before it gets to the login page, I'll need to use my own HttpModule with that logic. Since it's a fairly simple scheme this shouldn't be too hard.
R G
R G - With a separate ASMX page to handle your web requests and explicit permissions set for that page in the Web.config, you won't have to worry about FormsAuthentication or the login page at all. The user of the service will instead just go directly to the Web Service (ASMX) page, bypassing the login. Also, this eliminates the need for the HttpModule as well since they wouldn't need any special processing to gain access to the ASMX page (assuming that I fully understand your problem).
Mark Brittingham
A: 

I agree with Mark.

If you'd like to make it extremely easy for clients to connect to your site after first verifying their credentials (properly), you can give them an essentially everlasting persistent cookie by modifying web.config:

<system.web>
    ...
    <authentication mode="Forms">
      <forms timeout="50000000" />
    </authentication>
    ...
</system.web>

Also call RedirectFromLoginPage() with createPersistentCookie set to true.

EDITED Caveat: if you do this (or indeed give persistent cookies of any duration), also give users the option to decline a persistent cookie with a checkbox of some kind. (Best if it works in reverse: they have to check it to get a persistent cookie, titled with "click this to remember me on this computer" or similar.)

Ben M
This method doesn't always work... some machine.configs overwrite this to the default, which is 30. Believe me, I've tried to get cookies to stay live and came across this stupidity.
Jason
Yeah--on a shared hosting environment that might be a problem. But if you control the web server, you're fine.
Ben M
Here is why I am insisting on the IP check without going through the login process; I probably should have stated this earlier as the original issue. There are several web service calls that the web site needs to handle (in addition to regular user page requests). These web service calls will be from a specific IP range. They need to be handled without any authentication. So my real question is: Can I somehow exclude certain web service URLs from forms authentication, OR can I exclude certain IPs from forms authentication?
R G
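As an added illustration of Ben's "remember me" advice (this is example code, not from the question or any answer): a Login.aspx code-behind that validates against the web.config credentials section and only issues a persistent cookie when the user opts in. The control names txtUser, txtPassword, chkRemember and lblError are assumed placeholders; the cookie lifetime comes from the forms timeout attribute shown above.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Assumed control names (placeholders): txtUser, txtPassword, chkRemember, lblError.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Validate against the <credentials> section in web.config, as the question does.
        if (!FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text))
        {
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // Opt-in only: unchecked gives a session cookie that dies with the browser,
        // checked gives a persistent cookie that lives for <forms timeout="..."> minutes.
        bool createPersistentCookie = chkRemember.Checked;
        FormsAuthentication.RedirectFromLoginPage(txtUser.Text, createPersistentCookie);
    }
}
```

Note that this path still depends on the caller accepting cookies, which is why it does not help for the server-to-server web service calls R G describes below.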
A: 

The REMOTE_ADDR server variable will give the requester's IP address and you can check it against a list of allowed addresses.

http://msdn.microsoft.com/en-us/library/ms524602.aspx

Also, you can configure IIS to only allow certain IP addresses in the IIS management console and forgo the code, if that's an option for you.

Booji Boy
It will give you _an_ address, that may or may not belong to the requester.
John Saunders
Booji Boy
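Putting Booji Boy's REMOTE_ADDR check together with the HttpModule approach R G settled on in Mark's thread, here is an added example (not code from the question or any answer) of a module that lets requests from an allow-list of addresses through Forms authentication without a cookie, but only for web service paths. The class name TrustedIpModule, the addresses, the "/Services/" prefix and the role name are assumed placeholders. It hooks PostAuthenticateRequest so it runs after FormsAuthenticationModule and before UrlAuthorizationModule issues the 401 that would trigger the login redirect.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Principal;
using System.Web;

// Registration (assumed placeholder name/type):
//   integrated pipeline: <system.webServer><modules><add name="TrustedIp" type="TrustedIpModule" /></modules></system.webServer>
//   classic pipeline:    <system.web><httpModules><add name="TrustedIp" type="TrustedIpModule" /></httpModules></system.web>
public class TrustedIpModule : IHttpModule
{
    // Constructed allow-list for illustration; in practice load it from configuration.
    private static readonly HashSet<IPAddress> AllowedAddresses = new HashSet<IPAddress>
    {
        IPAddress.Parse("10.0.0.5"),
        IPAddress.Parse("10.0.0.6")
    };

    // Only requests under this prefix are eligible; ordinary pages still go through the login page.
    private const string ServicePathPrefix = "/Services/";

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest: Forms auth has already run, UrlAuthorization has not yet.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // A valid Forms cookie was presented: leave that identity alone.
        if (context.User != null && context.User.Identity.IsAuthenticated)
            return;

        if (!context.Request.Path.StartsWith(ServicePathPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        // REMOTE_ADDR is the TCP peer IIS actually talked to. X-Forwarded-For is deliberately
        // ignored: it is client-supplied and only meaningful behind a proxy you control that
        // overwrites it.
        if (!IsTrustedPeer(context.Request.ServerVariables["REMOTE_ADDR"]))
            return;

        // Hand the pipeline an authenticated principal so UrlAuthorizationModule does not
        // answer 401. The role lets web.config grant these callers only the service URLs,
        // e.g. <allow roles="TrustedService" /> inside a <location> for the ASMX.
        GenericIdentity identity = new GenericIdentity("trusted-service-caller", "TrustedIp");
        context.User = new GenericPrincipal(identity, new[] { "TrustedService" });
    }

    // Fail closed: a missing or unparsable address is never trusted.
    public static bool IsTrustedPeer(string remoteAddr)
    {
        IPAddress address;
        if (string.IsNullOrEmpty(remoteAddr) || !IPAddress.TryParse(remoteAddr, out address))
            return false;
        return AllowedAddresses.Contains(address);
    }

    public void Dispose() { }
}
```

As John Saunders points out above, the address is only as trustworthy as the network path: this is a reasonable filter for a private range between your own servers, and IIS-level IP restrictions or a shared secret over SSL (Mark's "magic phrase") belong alongside it rather than instead of it.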
A: 

Hi, does anyone know how to make the login happen automatically by recognising the IP address?

I have to implement the same concept. Can anyone help me?

troy