views:

522

answers:

10

Hello everyone,

I have two web applications all are developed by ASP.Net. Now I want to provide a feature which enables the user to click from one URL in application site (one virtual directory of IIS) A to the other URL in application site B (another virtual directory of IIS).

I have two ideas to implement them, but both of them have issues. I want to know what solution should be optimum solution?

Solution 1: using cookie, so from both application sites, we could retrieve user ID information from reading cookie, but I am afraid if cookie is disabled in browser, this "jump" feature never works.

Solution 2: When the user redirects to an URL in another site, I could append user ID after the URL, I could redirect to this URL in another site http://www.anotherapplicationsite.com/somesuburl?userID=foo, but I am afraird that in this way userID will be exposed easily which raise security issues.

Any advice?

thanks in advance, George

A: 

I don't think 1) will work due to browser security (cookies from one domain cannot be read by another domain). I would go with 2), except I would encrypt the querystring value.

EDIT: For more info on cookie privacy/security issues, check out the "Privacy and third-party cookies" section here.

Kevin Tighe
Thanks Kevin Tighe!"I don't think 1) will work due to browser security (cookies from one domain cannot be read by another domain). " -- I am interested to learn more about this security restriction, do you have any more related documents about cookie restrictions?regards,George
I am very interested in how you "encrypt the querystring value". I have never did this before. Could you recommend me some sample codes to learn?
If he's simply re-directing from one virtual directory to another in the same website, cookies will absolutely work. Cookies will even work for sub-domains (app1.myDomain.com can read cookies from app2.myDomain.com).
Chris Pebble
Thanks Chris, I have scenarios in the future which cross domains. Cookie not working in this scenario, correct?
Chris is right about the cookie issue, but if you're going to be using two completely different domains then cookies won't work (for example, what if the browser allowed any website to read your gmail cookie? Then any site you visit could hijack your gmail account).
Kevin Tighe
Thanks Kevin! I did some search but can not find out there mentioned cross domain cookie access is a security violation. Could you provide some links please?
don't go using Cookies, how about if the browser is set up to not support them?
balexandre
A: 

What are you using as the user's id? If you are using their social security number or email (something sensitive) then you are going to want to encrypt the value before you put it on the query string. Otherwise (if the user's id is something ambiguous like an integer or a GUID) it should be fine to put the id on the query string.

Andrew Hare
Thanks Andrew Hare,About your ideas of "encrypt the value before you put it on the query string", I am very interested and thinks it should be a good idea. Could you recommend me some tutorial or sample codes to learn? I never did this before. :-)
A: 

Thanks Kevin Tighe,

1.

I am very interested in how you "encrypt the querystring value". I have never did this before. Could you recommend me some sample codes to learn?

2.

"ill work due to browser security (cookies from one domain cannot be read by another domain)." -- I am interested to learn more about this security restriction, do you have any more related documents about cookie restrictions?

regards, George

George: You shouldn't add 'answers' (what this post is called) unless you're actually answering your own question. SO is not a discussion forum. If you want to comment on Kevin's post, then click 'add comment' right below his post. If you want to amend your original question, click 'edit' on it.
George Stocker
Sorry, my mistake. :-)
A: 

As long as you have a good authentication system in place on the second website I think solution 2 is the one for you, taking into account the remark Andrew made about the sensitive ID's of course.

For more information on encryption: check the documentation of the FormsAuthentication.Encrypt Method . I think they even do something with writing a value in a cookie in that example.

Gerrie Schenck
If FormsAuthentication.Encrypt Method uses cookie, but could another domain using the cookie? I think cookie information could not be retrieved from another domain? :-)
A: 

Thanks Andrew Hare,

The user ID is my internal used user ID, since I use it internally in my ASP.Net application and also used it as my database primary key, I do not want to expose it.

About your ideas of "encrypt the value before you put it on the query string", I am very interested and thinks it should be a good idea. Could you recommend me some tutorial or sample codes to learn? I never did this before. :-)

regards, George

George, check the link in my answer. I think that is what you need.
Gerrie Schenck
The link introduces the encryption algorithms, very useful. Now I missed a whole picture about how to from one place to encrype user name and send by POST to another site? Any samples to learn?
A: 

using cross domain, you can not SHARE the session, so I was thinking about POST

idea 1

if afraid of "showing" the username in the address, why not sending a POST?

<form name="myForm" action="http://www.mydomain.com/myLandingPage.aspx"&gt;
  <input type="hidden" id="userid" value="myUsername" />
  <a href="javascript:myForm.Submit();">click here</a>
</form>

but then... off course, "View Source Code" will show it

idea 2

then.. I remembered that I do the same, but sending a Encrypted string like:

 http://www.anotherapplicationsite.com/somesuburl?userID=HhN01vcEEtMmwdNFliM8QYg+Y89xzBOJJG+BH/ARC7g=

you can use Rijndael algorithm to perform this, link below has VB and C# code:

http://www.obviex.com/samples/EncryptionWithSalt.aspx

then in site 2, just Decrypt and check if the user exists... if it does, continue, if not saying that the user tried to temper the query string :)

balexandre
I did not see how in your javascript code, you send by POST and encrypt user ID? Confused.
they are 2 ideas, only after writing the first I realized that you should avoid writing the username into a Hidden Field. the 2nd idea is using the .NET code in the link to pass the username encrypted.
balexandre
A: 

If you put the userid in a query string and that's all the 2nd app uses to allow login, what's to keep me from manually typing in other users id's? You'd still have to prompt for password on the new site.

I'd use a database to hold login information, and have both sites reference that same db. Use it like you'd use a session.

D

Dana
Thanks. My current confusion is how to write code which could encrypt user ID and send to another site through POST method? Any sample codes to learn?
A: 

Thanks balexandre,

I did not see how in your javascript code, you send by POST and encrypt user ID? Confused.

regards, George

A: 

Thanks Gerrie Schenck,

If FormsAuthentication.Encrypt Method uses cookie, but could another domain using the cookie? I think cookie information could not be retrieved from another domain? :-)

regards, George

A: 

I work with this sort of thing a lot. What you're looking for sounds like a candidate Single Sign-on solution or Federated Security.

You might try doing something similar to the following:

  1. Create a simple db or other sort of table storage with two columns "nonce" and "username"

  2. When you build the link to the other site create a GUID or other unique identifier to use as a one-time nonce, passing it as a querystring ?id=. Insert an entry into the table with the current authenticated username and the unique identifier you created.

  3. When you reach the destination of your link, pass the unique identifier to call a webservice that will will match up the identifier with the username in the database you inserted before jumping to the second site (secure this with ssl).

  4. If the nonce checks out with a valid username, you're all set. The webservice should remove the used entry and the table should stay more or less empty any time you are not in the middle of a transaction.

It is also good to include a datetime in your nonce/username table and expire it in 60 seconds or less to minimize the risk of replay attacks. We also require client certificates for external applications to call the webservice in order to verify the identity of the caller. Internal applications don't really necessitate using client certificates.

A nice thing about this is that it scales fairly well to as many sites as you would like to use

Not perfect security, but we've never had a significant compromise with a such as system.

Chris Ballance