views:

170

answers:

2

We have a scenario whereby we are hosting an ASP.NET MVC web site on behalf of someone else.

The customer in this case wants us to restrict access to the web site, to those users who have logged in to their main portal. They should then only be able to get to our web site via a link from that portal.

At this point I'm not yet sure what technology or authentication mechanism the 3rd party are using but just wanted to clarify what the possible options might be.

If we call our hosted site B, and their portal web site A, as I see it we could:

  • Check the referrer for all requests to B, unless they've come from A they can't get in
  • Check for a specific cookie (assuming A uses cookies)

I'm sure there are other options, anyone any ideas?

+3  A: 

Check the referrer for all requests to B, unless they've come from A they can't get in

Can be faked, but most normal users won't do it.

Check for a specific cookie (assuming A uses cookies)

Ask them to embed in their portal some code portion from your site. This way visiting their portal will result in you setting a cookie for your domain. Then you can easily read it later.

One more thing to mention. If you're talking about public sites, then it will suffice for a search engine to somehow discover these hidden URLs once, after which the game is over. It will index the pages and keep a cache of them. You may want to consider including some noindex/nocache meta tags in these pages.


But seriously, if you wish to have it done properly and securely, you're going to need some form of shared user authentication that the portal and your site both support.

Developer Art
Seriously, is it considered good practice to post a single sentence answer with no clarification and edit it after 5 minutes, making it a whole new answer?
Marek
Actually, it is ubiquitous practice here. Post a short answer first then elaborate. Sometimes you only have one small thing to say, but five more come to mind a minute later. Also happens. No abuse intended.
Developer Art
No offence taken. It's not massively sensitive data, and whilst the 3rd party aren't keen that just anyone could access the site, they equally aren't going to be concerned if the odd person manages to. As always I guess it boils down to acceptable risk. So given all the SSO systems which are available, does anyone have a feel for which are the easiest/most popular to use with C#?
jonhilt
In this case, referrer based restrictions are fine. Agree with the comments though that for any kind of serious security, this would not be adequate.
jonhilt
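The "embed a snippet from your site in their portal" idea from the answer above, as an added ASP.NET MVC example that is not from the question or either answer: portal A embeds a beacon served by site B, B sets an HMAC-signed, time-limited cookie on its own domain, and an authorize attribute on B checks it. Signing stops the cookie value from being minted without the key, but anyone who learns the beacon URL can still fetch it directly, which is the "acceptable risk" trade-off the thread describes; `PortalKey`, the route names and the 8-hour lifetime are assumptions, and the `SameSite` property needs .NET Framework 4.7.2+.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

public static class PortalCookie
{
    public const string Name = "portal_visit";
    // Hypothetical key; load from protected configuration, never a literal, in real use.
    private static readonly byte[] PortalKey = Encoding.UTF8.GetBytes("REPLACE-FROM-CONFIG");
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(8);

    // Cookie value: "<unix-seconds>.<hex HMAC-SHA256 over those seconds>"
    public static string Issue(DateTimeOffset now)
    {
        string ts = now.ToUnixTimeSeconds().ToString();
        return ts + "." + Mac(ts);
    }

    public static bool IsValid(string value, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(value)) return false;
        string[] parts = value.Split('.');
        long seconds;
        if (parts.Length != 2 || !long.TryParse(parts[0], out seconds)) return false;
        DateTimeOffset issued = DateTimeOffset.FromUnixTimeSeconds(seconds);
        if (issued > now || now - issued > Lifetime) return false; // expired or future-dated
        return FixedTimeEquals(Mac(parts[0]), parts[1]);           // MAC must match, compared in constant time
    }

    private static string Mac(string ts)
    {
        using (var h = new HMACSHA256(PortalKey))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(ts))).Replace("-", "");
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class AccessController : Controller
{
    // Portal A embeds e.g. <img src="https://siteB.example/Access/Beacon" width="1" height="1">.
    // The browser's request to B lets B set a cookie for B's own domain; cross-site embeds need
    // SameSite=None plus Secure (HTTPS) or current browsers drop the Set-Cookie.
    public ActionResult Beacon()
    {
        var cookie = new HttpCookie(PortalCookie.Name, PortalCookie.Issue(DateTimeOffset.UtcNow))
        { HttpOnly = true, Secure = true, SameSite = SameSiteMode.None, Expires = DateTime.UtcNow.AddHours(8) };
        Response.Cookies.Add(cookie);
        return new HttpStatusCodeResult(204);
    }
}

// Decorate controllers or actions on site B that should only open after a portal visit.
public class RequirePortalVisitAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        HttpCookie c = httpContext.Request.Cookies[PortalCookie.Name];
        return c != null && PortalCookie.IsValid(c.Value, DateTimeOffset.UtcNow);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext ctx)
    {
        ctx.Result = new HttpStatusCodeResult(403, "Please enter this site via the portal.");
    }
}
```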
+1  A: 

The solutions you have posted are not secure.

In case this is an enterprise application with real requirements for security, you may want to look at some single sign-on solutions.

List of single sign-on implementations

Marek