Securing a webpage for a short time period - asp.net-mvc

I need to create a webpage for a specific customer to use only during certain time frames.
I would like to make this page as secure as possible, by not allowing anybody else to see this page during this time frame. I would also like to make it as easy as possible for this customer to open this page.
My thinking is:
Open time frame
Send customer link via email
Email contains passcode to use to enter the page
After task is complete or time frame expires, the passcode also expires
To me, this seems pretty secure.
My concerns are:
The customer forwarding the email (I don't see why they would do this, so may be a mute point)
There is an inherent flaw in my thinking that I am not aware of.
The time frame is kept in a database. Each user action will have the passcode checked against the time frame to ensure that it is valid.
Is this method secure, within a reasonable degree, or is there a better way that you know of, or an existing technology that deals with this problem already?

As i gather, you want to limit access to third-parties as much as possible. i think you'd want something login-based - have a simple registration procedure with which you can connect the email to a user, let the client choose their own password, give the user rights to access the page, share the link (either use encryption with email or do it with the user account), restrict multiple sessions. Once the client has the information, you can't really ensure that they don't misuse it..

Related

Parse iOS Destroy Button (Password Validation Dependent) Client side

I'm starting to create a lot more features for users in my app. I've run into some app structure issues.
lets say I have User Fooman
Fooman wants to edit his account, delete some objects(wall posts), update his friends list etc.
Fooman is logged in to do all of these. But footman isn't the one using the device at the moment. It's fooman son (foobaby). Foobaby decides to just be a son and delete things erroneously. I have an option for users to delete their account client side. I present them an alert view to confirm that's the choice they meant to select. After they confirm that, another view populates with a 'Destroy' (or delete button) that will delete the User, plus all relations/pointers/data connected to it. Before that button is enabled a password validation check is required so it's not done by a foobaby. However, with Parse, this has proved to be problematic client side. I don't use cloud functions because, well, simply put, at this point in time my app is one platform and doesn't really need to use it.
Is there any workaround anyone has come up with that's quick/efficient, API friendly for validating a textField.text with the [PFUser currentUser].password whilst maintaining security of course.
I code in Objective-C :)
Note: I have tried numerous things but nothing seems to work outside of trying to log them in against the user input (UITextField), which doesn't feel like the right way to do it in my opinion.
I think it's an unusual requirement. The idea of a logged-in user is that the app trusts the user. A persisted logged-in user on the device means that the app trusts whomever is holding the device. So FooBaby is trusted, because FooDad let him hold the phone.
Some apps put up a barrier to establish thoughtfulness, like the Parse data browser requiring that you type the name of a class before you drop it. But this establishes thoughtfulness, not trust. (For a child, I guess it also establishes minimal competence, in case FooBaby knows how to press buttons, but not how to spell).
Otherwise, I can't think of how to do it besides requiring a login, which you mentioned you find unappealing (though you didn't say why). Excluding that, I don't think there's a way to do it without spoiling security with something like keeping an in-the-clear copy of the password.

Are manual activation and password reset pages still necessary?

I'm currently coding all of the account management functionality for my site, and have already implemented the account activation and password reset systems by e-mail. The e-mails each contain a link to a servlet (with the appropriate parameters attached to the end), which does all the processing. Tests for the systems have gone well, however I have one question.
If the link's text is the same as its address, is there any reason to include traditional manual activation/password reset page (a page with a form where the request parameters in the activation or reset link would be entered in to the appropriate fields)? If the link doesn't work in the e-mail, the user can always copy and paste it. Is there any particular reason why sites still have seperate pages dedicated to these actions? And should I allow it?
You never know for certain the kind of transformations your email will undergo before being displayed to the person that will eventually use your reset facility. Combined with clueless users this may pose a problem.
An example: Since reset/activation links can be quite long they may be partially wrapped onto a new line after a transformation from HTML to plain text. Inevitably this will someday happen to a user that does not know how to deal with that situation.
Therefore it might prudent to provide the backup method of just entering the code in a text field which on submit performs the GET that was intended in the first place.
You are of course free to decide that your site does not need the business of said type of user and skip implementation of the manual method!

A web app with logins in a kiosk situation

We are looking at setting up an internal web application (ASP.NET MVC) as a kiosk for the employees that don't have a dedicated computer. We currently do not have this kiosk setup. Each employee will have their own login to look at some basic payroll information and request leaves of absence. This same web application will be used by the office workers with a dedicated PC at their desk.
I am going to go out on a limb and say that no matter how many times we tell the employees, the employees will not click log off when they walk away from the kiosk. What would you do to help prevent this from happening?
lets try to fix the users instead of the code :) , i guess that your log out button is like the one here on stackoverflow. its a little text link "logout" some where in the upper right corner. thats perfect for people who use webapps day by day and are aware of the fact that they need to logout before someone comes along a does havoc to thier facebook profile, but less tech savy users wont think of that and walk away.
you need to the get the attention of your users to this logout-button and teach them that logging-out is a good thing.
try the following
give the logout button more visual weight then usally make it bigger, make it a real button instead of a textlink and even change its color to something more alerting (red, orange, ... whatever fits your ci)
if they dont loggout, use the session timeout and some javascript the refresh the page after any amount of inactivity, but also set a flag that this user has not logged out after his last visit. that way you can greet him on his next login with a nice confirmation dialog, and tell him once again why logging out is so important and where your logout-button is located.
The naive solution would be to enforce a timeout. If there's no activity from the user within a certain time limit (say, a minute or so), log them out. Of course, this won't prevent someone from walking up immediately after an employee is done and seeing how much money they make.
ATMs handle this, I think, by timing out after a minute or two, which isn't super-secure but at least offers some minimal security.
If the employees have any kind of RFID card or other security token, you could require them to put it in a reader slot, and log them out whenever the card disappears. Handling this within a web app, though, could get complicated.
The simple way is to use a little javascript.
Just have it set to something like 30 seconds of inactivity. If the user hasn't clicked on anything have the javascript send it back to a login page.
Here's a link to get you started.
Assuming you've already thought of the obvious (aggressive session timeouts, non-persistent authentication cookies, etc); how about a bit of an "out there" suggestion?
I'm not sure how do-able this would be with a web-based interface; but what about using some form of IR sensor with a usb/serial interface and an API you can tie into? This may make it possible to invoke some form of "logout" operation when someone walks away from the kiosk.
Perhaps someone has a better suggestion for external hardware, but this was the first thing that lept to my mind as a out-of-the-box approach.
I found a jQuery version that seems to work quite well. I'll start by using that and see how that goes.

How do I track users of my app without forcing them to register?

What is the most common strategy for tracking users with cookies without forcing them to register?
Do I create a guest account, assign a GUID, and then put that GUID value in their cookie? Is there a more generally accepted method of doing this?
Although this is a general web app question, I'm using ASP.NET MVC.
One popular solution, as you write, is to send the GUID to the user inside a cookie.
Obviusly this solution work only if the user has cookies enabled.
Please note that the contents of cookies is perfectly readable by the user who receives it.
Also the session is a good place to store temporary data.
Its duration depends on the configuration of your site and if desired, with a little 'work, it is extremely durable and can have a low impact on server memory (sessions in the db)
A guid in a cookie is one way of doing it.
If the user didn't have cookies enabled, I suppose you could do it another way which which involves creating small hashes (like bit.ly, j.mp et al) and inserting them into the url. All your routes would be populated with this hash (either created at the start of the request, or taken from the url if they already have one).
It's not exactly the cleanest of methods, but it gets around situations where the user doesn't have a cookie enabled and inserts a very small string into the url.
For example http://example.com/fG3Er/Home/Index or http://example.com/Home/Index?guestId=fG3Er where fG3Er is the unique guest id.
Alternatively, you could just append it on to the end of each url as a querystring.
Either way, I definitely favour the guid-based approach, and if the user doesn't want to use cookies on your site, you can always explain to them that their experience will be impaired. You could always find out what proportion of your users disable cookies by creating a test one, and comparing that against the number of actual hits (unless Analytics has a way of determining cookies being enabled - not sure).

voting - stopping abuse from client side - ASP.NET MVC

so I have designed this voting thing which does not let somebody vote for the same article twice in 24 hours. However, suppose a person votes and after seeing the person was able to cast vote or that he is falling in that 24 hour window, I disable the vote-casting button (and this is all Ajax btw).
But what to do when a person closes his/her browser and comes back up or even refreshes the page? Obviously, he would not be able to cast vote, because of my algorithm, but the person would still end up succeeding in making call to the server. So if he really wanted, he would keep refreshing the page and clicking on the vote and put unnecessary load on the server. How to avoid that by doing some sort of client-side thing or something?
I am using ASP.NET MVC, so session variables are out of question.
Am I being over-concerned by this?
If voting happens only from logged in (known) members then you shouldn't have any problem.
If, on the other hand, everyone can vote then you need to store all user vote events:
timestamp
poll
poll_vote
ip
user agent
user uniqueness cookie
So you'll need a random hash sent out as cookie. This will ensure that you don't accept another vote for the same poll from the same person.
If the user deletes his cookies you fallback to plan B, where you don't allow more than (say) 10 votes from the same IP and user agent combination for 24 hours.
The system is not perfect since users can change IPs and (more easily) user agents. You'd need advanced pattern detection algorithms to detect suspicious votes. The good thing about storing all user vote events is that you can process these later on using a scheduler, or outsource the votes to someone else who can process them for you.
Good luck
Refreshing is not a problem
If you're doing all this voting using Ajax, refreshing a page won't do anything except load the page using GET.
If you're not using Ajax you should make sure you call RedirectToAction/RedirectToRoute action result, that would as well help you avoid refresh problems.
How do you recognise users
If you use some sort of user authentication this re-voting is not a problem. But if your users are plain anonymous, you should store IP address with your votes. This is how things are usually done. This makes it possible to avoid session variables as well. But you have to be aware of this technique because it's not 100% perfect.
Cookies?
You could of course also use absolute expiration cookies. They'd expire in an day. Advanced users would of course be able to avoid your voting restrictions, but they would be able to avoid other ways as well. Sessions BTW are also based on cookies anyway.
Combination
But when you'd like to make you system as great as possible, you'll probably use a combination of the above.
The best way would be to track who voted for what and when on the server (probably storing it in a database). In order to do this you must use an authentication system on your site (probably forms authentication) to identify users. So every time someone tries to vote you check first in your data storage if he already voted and when and decide whether to validate the vote or not. This is the most reliable way.
If your site is anonymous (no authentication required to vote) then you could store a persistent cookie on the client computer that will last for 24 hours and indicate that a vote has already been cast from this computer. Remember though that cookies might be disabled, removed and are not a reliable way to identify a given user.
I am using ASP.NET MVC, so session
variables are out of question.
Any reason for that? Sessions are perfectly fine in ASP.NET MVC applications. It is in your case that they won't work because if the user closes the browser he will lose the session.
Obviously, he would not be able to
cast vote, because of my algorithm,
but the person would still end up
succeeding in making call to the
server. So if he really wanted, he
would keep refreshing the page and
clicking on the vote and put
unnecessary load on the server
Automated bots could also put unnecessary load to your server which is much more important than a single user clicking on F5.
If you just want to ensure the user can only vote once on an article then you just need to store a Set (i.e. HashSet) of all article id's that they've already voted on, then just check before allowing the vote.
If you still wanted a 24hr limit then you need to store a Dictionary<articleId,DateTime> then you can check if he has already voted for that article and if he has when it was.

Resources