Hi guys,

very simple question: I have an admin site in my web project. So, how can I make it safe?

What I have until now:

  • Database handled user with userID and userlevel
  • on the pageload of the admin master page (which includes all admin sites) there is a clause to check if userID is okay (get the user from database) and if userlevel is right
  • If not, redirect to Default.aspx with normal master page
  • If yes, go through

How safe is it really?


Edit:

  • The userID is saved in a session on the server.
  • There is no way to save the login (no cookies).
  • The user must login to get the userID in the session
  • The login is saved in a database table user_log with username, password, ip, loginsucceeded and userID
A: 

We use integrated windows authentication.

  1. In IIS manager, click the "Directory Security" tab
  2. Uncheck "Anonymous Access"
  3. Check "Integrated Windows Authentication"

This lets you administer who has rights to your admin site by modifying domain accounts instead of using a roll-your-own solution. You can still get the logged-in user's credentials via the Environment class, which can be used to associate any web-specific properties for each user that you want to store in your database. This also has the advantage of automatically handling timeouts, relogin requirement if browser was closed, etc.

Your solution looks almost fine, though it sounds as though you're adding individual user accounts to the SQL server instead of handling everything through the ASP.NET service account login. I'd avoid adding individual user accounts into your database. In ASP.NET, unless you're jumping through some useless hoops, the ASP.NET service account is what is authenticated for DB connectivity, not the user that's logged into the site.

David Lively
I wrote all user handling with my own hands here, because a "user" is at the same time a "customer" with a lot of information and conditions (email verification, blocked and deleted (not physical) user and so on).
Kovu
Customers access the admin site? Or are you using the same authentication mechanism that you created for your public-facing site?
David Lively
No customers access the admin site. I only use the same authentication. I used an int value "userlevel".
Kovu
+1  A: 

The basic idea looks ok. It all comes down to how you are getting that UserID to make the checks against. If the userID is being passed as a querystring, then that is very bad. If it is stored in a session via some type of pre-authorization then it is better. If you are using SSL, IP checking, etc., it will improve your level of security.

The main thing is HOW you are getting the userID to verify against. That is where the exploit will occur. Secure that process and you should be ok with your setup.

Edit: Based on your update this looks ok but it also depends on how secure you really need this to be. How secure is your sign-in page? Are you using SSL? Any worries about session hijacking? Why not store an IP with the userID and verify the request IP against the stored IP when doing the UserID fetch from the session?

There are so many security solutions out there. You need to decide how far you need to safely go to ensure the level of security that is necessary for your particular application.

Kelsey
My admin site should be as safe as possible, because it is related to real money there from customers. I am not using SSL now, but there are plans for implementing it in the near future. The idea with the IP is great, thank you.
Kovu
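
The check discussed in this thread (userID taken from the server-side session, userlevel re-read from the database, and the login IP compared with the request IP), written out as an added example that is not code from any poster. The names `AdminGate`, `UserRecord` and `AdminLevel`, and the threshold value, are assumptions; in the admin master page's load handler the caller would pass the session values and `Request.UserHostAddress`, and redirect to Default.aspx when the result is false.

```csharp
using System;
using System.Collections.Generic;

// Added example: AdminGate, UserRecord and AdminLevel are hypothetical names.
public sealed class UserRecord
{
    public int UserId;
    public int UserLevel;
    public bool Blocked;   // the "blocked" and "deleted (not physical)" states from the thread
    public bool Deleted;
}

public static class AdminGate
{
    public const int AdminLevel = 9; // assumed threshold; the thread only says "int userlevel"

    // sessionUserId and sessionIp come from server-side session state (set at login),
    // never from the query string or a form field. requestIp is the current request's address.
    public static bool IsAllowed(int? sessionUserId, string sessionIp, string requestIp,
                                 Func<int, UserRecord> loadUser)
    {
        if (sessionUserId == null) return false;                 // no login in this session
        if (string.IsNullOrEmpty(sessionIp) ||
            !string.Equals(sessionIp, requestIp, StringComparison.Ordinal))
            return false;                                        // session presented from another address
        UserRecord user = loadUser(sessionUserId.Value);         // re-read on every request, not cached
        if (user == null || user.Blocked || user.Deleted) return false;
        return user.UserLevel >= AdminLevel;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data standing in for the user table.
        var users = new Dictionary<int, UserRecord>
        {
            { 1, new UserRecord { UserId = 1, UserLevel = 9 } },
            { 2, new UserRecord { UserId = 2, UserLevel = 1 } },
            { 3, new UserRecord { UserId = 3, UserLevel = 9, Blocked = true } },
        };
        Func<int, UserRecord> load = id => { UserRecord u; return users.TryGetValue(id, out u) ? u : null; };

        Console.WriteLine(AdminGate.IsAllowed(1, "203.0.113.5", "203.0.113.5", load));   // admin, same address
        Console.WriteLine(AdminGate.IsAllowed(1, "203.0.113.5", "198.51.100.7", load));  // address changed
        Console.WriteLine(AdminGate.IsAllowed(2, "203.0.113.5", "203.0.113.5", load));   // level too low
        Console.WriteLine(AdminGate.IsAllowed(3, "203.0.113.5", "203.0.113.5", load));   // blocked account
        Console.WriteLine(AdminGate.IsAllowed(null, null, "203.0.113.5", load));         // no session
    }
}
```

The IP comparison only narrows where a stolen session can be replayed from; without SSL the session identifier and the login itself still cross the network in the clear.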