| Groups | Blog | Home |
dotnet security : Session Issue
I have an application where users have to log in to view their account
information. The problem is, if I log in as user A, then in another browser I log in as user B, and copy over a url from user B to user A (with GET arguments specific to user B), user A will now see user B's account info. I told the programmer at every access point permissions and user credentials must be checked. Does dotnet support this type of authentication, or do I need to custom program the application to check permissions with each page access? What is the best way to go about this?
Shabam,
DotNet definitely supports this via the URLAuthorizatoin module. Read the following informtion: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetauthorization.asp hth Jorge [quoted text, click to view] "Shabam" wrote:
> I have an application where users have to log in to view their account > information. The problem is, if I log in as user A, then in another browser > I log in as user B, and copy over a url from user B to user A (with GET > arguments specific to user B), user A will now see user B's account info. > > I told the programmer at every access point permissions and user credentials > must be checked. Does dotnet support this type of authentication, or do I > need to custom program the application to check permissions with each page > access? > > What is the best way to go about this? > >
I missunderstood Shabams question, I thought it was just permissions based on
the URL path, I totally missed the GET arguments that were mentioned. Nicole is right, you'd have to roll your own authorization for this and implementing it in the business logic is probably your best bet. Another option would be to create your own HTTP module or override the Authorize_Request() event in the global.asax file to perform security checks on the GET parameters. [quoted text, click to view] "Nicole Calinoiu" wrote:
> That level of permissions granularity is not provided by functionality build > into the .NET Framework, so you'll need to implement it yourself. > > As for the best approach, that's a bit subjective. My own preference is for > screening for permissions when retrieving the data from the underlying data > store (usually a database). This way, any data that the user does not have > the right to view will not be returned from the data store and, without any > additional programming in the business or UI tiers, it will simply appear > that the requested data does not exist (assuming, of course, that the page > handles the case where no matching data is found <g>). Since I generally > prefer not to allow mis-users of an application to know that a piece of data > actually exists to which they have no rights, this outcome is fine by me, > but YMMV... > > > "Shabam" <blislecp@hotmail.com> wrote in message > news:V9idnVJ6bOiVEOrcRVn-qw@adelphia.com... > >I have an application where users have to log in to view their account > > information. The problem is, if I log in as user A, then in another > > browser > > I log in as user B, and copy over a url from user B to user A (with GET > > arguments specific to user B), user A will now see user B's account info. > > > > I told the programmer at every access point permissions and user > > credentials > > must be checked. Does dotnet support this type of authentication, or do I > > need to custom program the application to check permissions with each page > > access? > > > > What is the best way to go about this? > > > > > >
That level of permissions granularity is not provided by functionality build
into the .NET Framework, so you'll need to implement it yourself. As for the best approach, that's a bit subjective. My own preference is for screening for permissions when retrieving the data from the underlying data store (usually a database). This way, any data that the user does not have the right to view will not be returned from the data store and, without any additional programming in the business or UI tiers, it will simply appear that the requested data does not exist (assuming, of course, that the page handles the case where no matching data is found <g>). Since I generally prefer not to allow mis-users of an application to know that a piece of data actually exists to which they have no rights, this outcome is fine by me, but YMMV... [quoted text, click to view] "Shabam" <blislecp@hotmail.com> wrote in message news:V9idnVJ6bOiVEOrcRVn-qw@adelphia.com... >I have an application where users have to log in to view their account > information. The problem is, if I log in as user A, then in another > browser > I log in as user B, and copy over a url from user B to user A (with GET > arguments specific to user B), user A will now see user B's account info. > > I told the programmer at every access point permissions and user > credentials > must be checked. Does dotnet support this type of authentication, or do I > need to custom program the application to check permissions with each page > access? > > What is the best way to go about this? > >
The built-in URL authorization module does not accomodate authorization
based on query string values. Even if it did, supplying it with the various permitted values would be a maintenance nightmare. [quoted text, click to view] "Jorge Matos" <JorgeMatos@discussions.microsoft.com> wrote in message news:9B2C454C-DBBA-4302-AA14-1A4EE19D7462@microsoft.com... > Shabam, > > DotNet definitely supports this via the URLAuthorizatoin module. Read the > following informtion: > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetauthorization.asp > > hth > Jorge > > "Shabam" wrote: > >> I have an application where users have to log in to view their account >> information. The problem is, if I log in as user A, then in another >> browser >> I log in as user B, and copy over a url from user B to user A (with GET >> arguments specific to user B), user A will now see user B's account info. >> >> I told the programmer at every access point permissions and user >> credentials >> must be checked. Does dotnet support this type of authentication, or do >> I >> need to custom program the application to check permissions with each >> page >> access? >> >> What is the best way to go about this? >> >> >>
[quoted text, click to view] "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message news:%233sSKb4tEHA.2980@tk2msftngp13.phx.gbl... > That level of permissions granularity is not provided by functionality build > into the .NET Framework, so you'll need to implement it yourself. > > As for the best approach, that's a bit subjective. My own preference is for > screening for permissions when retrieving the data from the underlying data > store (usually a database). This way, any data that the user does not have > the right to view will not be returned from the data store and, without any > additional programming in the business or UI tiers, it will simply appear > that the requested data does not exist (assuming, of course, that the page > handles the case where no matching data is found <g>). Since I generally > prefer not to allow mis-users of an application to know that a piece of data > actually exists to which they have no rights, this outcome is fine by me, > but YMMV... > > > "Shabam" <blislecp@hotmail.com> wrote in message > news:V9idnVJ6bOiVEOrcRVn-qw@adelphia.com... > >I have an application where users have to log in to view their account > > information. The problem is, if I log in as user A, then in another > > browser > > I log in as user B, and copy over a url from user B to user A (with GET > > arguments specific to user B), user A will now see user B's account info. > > > > I told the programmer at every access point permissions and user > > credentials > > must be checked. Does dotnet support this type of authentication, or do I > > need to custom program the application to check permissions with each page > > access? > > > > What is the best way to go about this? > > > > > >
[quoted text, click to view]
> That level of permissions granularity is not provided by functionality build > into the .NET Framework, so you'll need to implement it yourself. > > As for the best approach, that's a bit subjective. My own preference is for > screening for permissions when retrieving the data from the underlying data > store (usually a database). This way, any data that the user does not have > the right to view will not be returned from the data store and, without any > additional programming in the business or UI tiers, it will simply appear > that the requested data does not exist (assuming, of course, that the page > handles the case where no matching data is found <g>). Since I generally > prefer not to allow mis-users of an application to know that a piece of data > actually exists to which they have no rights, this outcome is fine by me, > but YMMV... Checking for existence of data is good, but how about checking also when the client attempts to submit data? For instance, if user A were somehow able to pull up a configuration page for user B, (perhaps by copying user A's html source code), then try to submit that. Shouldn't the application check permissions again then?
[quoted text, click to view]
"Shabam" <blislecp@hotmail.com> wrote in message news:Eq2dnS0UOqgGlOXcRVn-gg@adelphia.com... > Checking for existence of data is good, but how about checking also when > the > client attempts to submit data? For instance, if user A were somehow able > to pull up a configuration page for user B, (perhaps by copying user A's > html source code), then try to submit that. Shouldn't the application > check > permissions again then? Of course. You had mentioned GET requests which, by convention, do not submit data for storage on the server, so I only covered reads. For writes, you should probably also keep in mind that updates and additions may have different permissions rules on at least some pages. In addition to read and write operations, you might also need to consider deletions if your application allows these.
Centralizing this type of permissions assessment in either an HTTP module or
a request-level event isn't likely to be practical in most applications. Aside from the potential for the permissions rules to take very different forms on different pages, one would also need to consider that the same query string parameter name may represent very different things across pages. For example, how many pages might use a query string parameter named "ID"? The case statement for handling the different meaning of this named parameter alone across pages would be a maintenance nightmare. It really does make quite a bit more sense to handle such granular rules within the pages themselves. When rules are shared by multiple pages, using a common base page class would be convenient, but I can't imagine many applications would share such rules across all pages. [quoted text, click to view] "Jorge Matos" <JorgeMatos@discussions.microsoft.com> wrote in message news:0332B235-3720-4EBF-985B-7B1FFFD2DBC2@microsoft.com... >I missunderstood Shabams question, I thought it was just permissions based >on > the URL path, I totally missed the GET arguments that were mentioned. > Nicole > is right, you'd have to roll your own authorization for this and > implementing > it in the business logic is probably your best bet. Another option would > be > to create your own HTTP module or override the Authorize_Request() event > in > the global.asax file to perform security checks on the GET parameters. > > "Nicole Calinoiu" wrote: > >> That level of permissions granularity is not provided by functionality >> build >> into the .NET Framework, so you'll need to implement it yourself. >> >> As for the best approach, that's a bit subjective. My own preference is >> for >> screening for permissions when retrieving the data from the underlying >> data >> store (usually a database). This way, any data that the user does not >> have >> the right to view will not be returned from the data store and, without >> any >> additional programming in the business or UI tiers, it will simply appear >> that the requested data does not exist (assuming, of course, that the >> page >> handles the case where no matching data is found <g>). Since I generally >> prefer not to allow mis-users of an application to know that a piece of >> data >> actually exists to which they have no rights, this outcome is fine by me, >> but YMMV... >> >> >> "Shabam" <blislecp@hotmail.com> wrote in message >> news:V9idnVJ6bOiVEOrcRVn-qw@adelphia.com... >> >I have an application where users have to log in to view their account >> > information. The problem is, if I log in as user A, then in another >> > browser >> > I log in as user B, and copy over a url from user B to user A (with GET >> > arguments specific to user B), user A will now see user B's account >> > info. >> > >> > I told the programmer at every access point permissions and user >> > credentials >> > must be checked. Does dotnet support this type of authentication, or >> > do I >> > need to custom program the application to check permissions with each >> > page >> > access? >> > >> > What is the best way to go about this? >> > >> > >> >> >>
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |