My colleague have made our site that we can log in using external login. They way it works is that the code checks if the username from external site exist in Mvc Entityframeworks UserProfile table in the database, if it doesnt exist it will create a new user. What we want to do is only to bind the external to a user in the databse and not to create a new user. And we decided to use the email to bind, so the program will check if the external email exist in email column that is related to userid.
If the external email exist in the database you can log in with this account and get the correct priviliges that this userid have.
My question is how can i get the email from external with a simple code and maybe even put it in a property so i can compare with the emails in database
Related
I have 2 MVC web apps, lets call it MVC_A and MVC_B.
I want to be able to login to MVC_A through a link which is on MVC_B.
I have on MVC_B a page with some text on it and a link to MVC_A. When users click this link, they should automaticly login on MVC_A in another tab of their browser.
Keep in mind that for both apps I have different User tables (with hashed passwords).
Is this possible to do? And if so, could you tell me which way I have to go to do this?
If you share the same database or if you can access the database of MVC_A from MVC_B i suggest the following:
Change all your links from MVC_A to MVC_B pages from http://MVC_B/etc... to /redir?url=....&sessionid=...
In the redir page, generate a unique SessionID in the database, assigned to the currect user name. You should use a table similar to: [ID, UserName, SessionID (Guid maybe?), Used]. Then redirect to the MVC_B page with the generated SessionID in QS (Ex: http://MVC_B/url?sessionid=...).
In the MVC_B, when you have sessionid in QS, read the UserName from the database based on the SessionID just received, mark the SessionID as used (so it cannot be used again) and authenticate it (if you have an user with the same UserName in the database).
Setup
I have a Rails application where users register for an account, and a subdomain is created for them. They can then proceed to the subdomain and log in with their credentials. The workflow looks something like this:
User visits base domain fills out a form that with email/username/password and subdomain fields
From the submitted info, the server creates an account in the global/public database. Server then creates a database that will be specific to that particular subdomain/account, and stores the user record in it.
User is redirected to their subdomain, and asked to log in.
(note: to implement the separate "databases", I'm using postgres schemas, but that should be irrelevant.)
The question
My question involves step 3. I would like to redirect the user to their subdomain and log them in automatically instead of asking them to log in. However, I do not want to share a single session across all of the subdomains.
I would like to somehow securely transmit auto login request.
Possible Solution
I have considered using a single-use, random token that I would store in a cookie and in the users table. After the user successfully creates an account, he would be redirected to the subdomain. At that point the token would be consumed/destroyed and the user would be automatically logged in.
I would also need to have a short window for the token to be used before expiring.
Thoughts? Thanks!
I had the same issue, the possible solution you suggest does not work because the session is not shared between subdomains.
I solved it the following way (same idea you propossed, different implementation):
Create a new model (I called it LoginKey) that contains the user_id and a random SHA1 key.
When the user is authenticated at the parent domain (for example: mydomain.com/users/sign_in), a new LoginKey is created and the user is redirected to the corresponding subdomain to an action that I called login_with_key (for example: user_subdomain.mydomain.com/users/login_with_key?key=f6bb001ca50709efb22ba9b897d928086cb5d755322a3278f69be4d4daf54bbb)
Automatically log the user in with the key provided:
key = LoginKey.find_by_login_key(params[:key])
sign_in(key.user) unless key.nil?
Destroy the key:
key.destroy
I didn't like this solution 100%, I tried out a lot of different approaches that do not require a db record to be created, but always faced security concerns, and I think this one is safe.
There's a subset of users which will not have access to the system I'm implementing in the beginning but I need a mechanism for them to capture data for one specific part of the process.
An authorized user creates the original record for a Person with some basic details i.e. First name, last name etc.
I then create a 'DataRequest' record which has a unique guid and the external user is sent an email with a path which is effectively http://sampleapplication/Person/Complete?guid=xxxx
The external user adds additional details like Date of Birth, Eye colour etc, submits and saves to the DB. The DataRequest for that guid is then expired and cannot be accessed again.
The Complete action doesn't have any authorization as these external users do not have user accounts.
My preference is to force these users to use the system but at this stage I'm not sure it's practical.
Is this a bad practice?
Should I be implementing some additional security on this like a one time password / passcode contained in the email? Are there alternative approaches I should consider?
There's nothing wrong with opening up a section of your site to the public. Tons of websites have secured and unsecured sections. However, there's also nothing saying that you have to expose your secure site at all. You can create another site that merely has access to that change those records and make that site alone, public.
As far as securing the information of the user, passcodes by email are the invention of some developer somewhere with limited mental ability or a severe lack of sleep. If the link is only available by email (not discoverable by search engines and not easily guessable), then anyone with the link will also have the passcode, making the passcode to access the link redundant.
You should however log when the email is used to finish the record and then disallow further uses.
I'm new to web security so I don't want to implement my own. I plan to use SimpleMembership via the VS2012 template for an ASP.NET MVC Internet Application. The problem is that I need to pass the data via a Web API.
I plan to use basic authentication for my Web API, so I just need to pass username/pass in the http headers. I can intercept the message using Thinktecure.IdentityModel. Here's an example that uses ASP.NET Membership:
authConfig.AddBasicAuthentication((userName, password) =>
Membership.ValidateUser(userName, password));
I can replace Membership.ValidateUser with my own bool function. I've successfully queried my custom database with username/password and everything worked fine. However, I'm using the template's user database because I DON'T want to store string (or even encoded) passwords.
I am unclear on how to manually validate the credentials using the SimpleMembership's database. I can grab a UserProfile, but can't figure out how to check the profile's password.
UserProfile user = context.UserProfiles.Find(1);
==OUTPUT==
user
UserId: 1
UserName: "bob"
Do you know how I can check if an inputted password matches that of an existing user?
Thanks for your help!
Why you are not using Membership.ValidateUser? This is not restricted to just ASP.NET Membership assuming you have your [InitializeSimpleMembership] (here) attribute in the correct places or have executed the logic inside it yourself elsewhere, and you have the correct references to WebMatrix etc you can still just call Membership.ValidateUser and it will use SimpleMemberships Validate user.
If you wanted to go to the database yourself, and assuming you are using hashed password etc then this article is probably going to help as you are going to need to hash your inputed password before selecting it out, the rest of which is just writing some EF or (any other db access method) to select from the User table where the username and hashed passwords match. But I can think of no obvious reason to do this as Membership.ValidateUser will do all this for you.
I know I can use the attribute [Authorize(Roles="client")] to make sure that only authenticated clients can access a page. But after that, how can I access this user's personal data? How do I programmatically get that user's account ID from that action controller?
For example, on Stack Overflow, how does my personal account page access my personal data which is stored in a database?
So far, googling "authentication", "authorization" only helped me limit access to a controller action, not how to access that user's stuff.
Assuming you're using the membership provider (which I'd assume so if you're using the attribute), the simplest way is:
var membership_user = Membership.GetUser();
which will return a MembershipUser for the currently logged-in user. From that, you can access any profile information you've set up, and also get the primary key to access anything else you've set up.
James