views: 255, answers: 1
My question is rather similar to this one, "Return 'correct' error code, or protect privacy?", but I'd like to hear some different answers.

We have a web site, most pages of which may be visited by a not-logged-in user. But when a not-logged-in user tries to access a resource (page) that requires authorization (the user must have the FooRole role), we automatically redirect him to the Login page and, after he provides correct credentials, return him to the restricted resource. What should the web site do if the user has provided correct credentials, but his access rights happen to be insufficient (he has BarRole but not FooRole)?

In the current implementation we return an HTTP 403 response (Forbidden). But some developers argue that a 404 code must be returned because it provides better security: the user should not be able to distinguish non-existing and not-accessible resources. From the point of view of security it may be better to return 404, but in the described situation the user was redirected to the Login page, and that behavior "hints" that such a page exists, so it is not very logical to return 404 (these are my thoughts). If the user has already been authorized and tries to access restricted resources (directly modifying the URL) then, well, it may be logical to return a 404 error.

Maybe such an "auto redirect to Login" feature is not good? Can you suggest which behavior is more "standard/good/user-friendly/hack-free" in such a situation?

Thanks!

+1  A: 

I believe it is more suitable to return an accurate 403 error code for login failures.

As for your issue of obscuring what files actually exist: in general, "security through obscurity" (buzzwords) is considered a very poor security model, and there really should be no benefit to a user in knowing those URLs if they don't have access to them anyway (and if they break the access control I presume there's a fairly simple way to find the URLs to the files).

If it is important to obfuscate the file names, however, I would recommend returning 403 for any file in the folder (existing or not) for unauthenticated users (essentially you're denying them access to see what's in the folder, so the error code seems legitimate to me). I'd probably recommend doing this via a CustomErrors handler which distinguishes whether you're logged in or not before deciding how much to tell you (that way you still maintain accurate 404 errors for people who are authenticated), or an HttpModule catching the exception a 404 throws and rendering a different result for authenticated vs. unauthenticated users.

Tim Schneider
On the other hand, there are good reasons to not allow anyone to know that certain files exist. IIRC, when Survivor was a new TV show, someone discovered who won before the end of the season by finding what unlisted files existed and what files didn't. Alternatively, financial statements may not be allowed, but good and bad statements may have a difference in the filename, or when they're prepared early. Such side channels could be avoided by not even saying that the file exists...
atk
Oh, and it's important to note that security requires the keeping of secrets. It almost reads like your post confuses this with true "security through obscurity", which would be making something fully available but not telling anyone about it. That is different from the OP, where access is *denied*; security through obscurity wouldn't deny access, since the resource would be otherwise unprotected.
atk
Yeah, I take your point atk. I got more of an impression he was saying that if the users knew the file existed it increased their chances of hacking the site by targeting them, rather than that the name of the file actually contained private information itself (in which case I don't think the security gained is significant). With your examples I can see a potential for scenarios where you would serve a 404, or perhaps simply redirect the user to a 403/404 combo page ("Either this file doesn't exist or you don't have access to view it") and not tell them which.
Tim Schneider
Well, if it is secret, how about not putting the info on a publicly available web server? Standards are there for a reason. 403 and 404 are well-defined. Use them accordingly.
Martin Hohenberg
Fyjham, the combo 403/404 is a rather interesting idea; I also thought about it. But one thing still isn't obvious: should we always redirect a not-logged-in user to the Login page, even if he has entered a non-existing URL, or maybe such a feature (redirecting to Login for a restricted resource) is a bad idea for a public site and should be used only for intranet sites?
Roman
That approach only really makes sense on a site where the user knows access is restricted, not just random files lying around a public site. If your site is indeed public and has mostly non-authenticated areas, I think the best balance is to have a "secure folder" and redirect any request into there to a login prompt, whether the file exists or not (which is relatively easy to do either using a location tag in the web.config or a config in the folder itself), and let the rest of the site behave as the user would expect.
Tim Schneider
@Martin Hohenberg: not all web servers are publicly accessible. Consider an organization that uses an internal-facing web server which front-ends a financial web application. Not everyone in the finance department needs access to all financial information.
atk
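The "secure folder" policy from the answer and its comments, written out as an added example (not code from the original post or from any ASP.NET component it mentions): an anonymous request for anything under the secure prefix is redirected to login whether or not the resource exists, so the redirect leaks nothing about existence, while an authenticated user gets an accurate 403 or 404. The paths, roles and ACL are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample configuration: the protected prefix, the login page,
# and an ACL mapping each existing path to the role it requires (None = public).
SECURE_PREFIX = "/secure/"
LOGIN_PATH = "/login"
ACL = {
    "/secure/reports/q1.pdf": "FooRole",
    "/secure/reports/q2.pdf": "FooRole",
    "/public/index.html": None,
}


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # set only for redirects


def handle(path: str, user_roles: Optional[FrozenSet[str]]) -> Response:
    """Decide the response for one request.

    user_roles is None for an anonymous (not-logged-in) request and a
    (possibly empty) set of role names for an authenticated one.
    """
    if user_roles is None and path.startswith(SECURE_PREFIX):
        # Anonymous request into the secure folder: always redirect to login,
        # existing file or not, so existence cannot be probed before login.
        return Response(302, f"{LOGIN_PATH}?returnUrl={path}")

    if path not in ACL:
        # Public area, or an authenticated user: an honest 404 is fine here.
        return Response(404)

    required = ACL[path]
    if required is None or (user_roles is not None and required in user_roles):
        return Response(200)

    # Logged in but holding the wrong role (BarRole instead of FooRole):
    # the resource is known to exist, so an accurate 403 is the right answer.
    return Response(403)
```

Serving a combined "missing or forbidden" page instead would only change the two branches after the login redirect.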