I am trying to reduce the number of redirects at my website login page in order for the page to load faster. My final task is deciding if it's possible to remove the redirect for the login page and still keep the site secure.
Should I make a landing page with a link to a secure login page, thus reducing the number of redirects?
Allow the login page to run under HTTP?
This will obviously be introducing a big security risk to a page where users enter their login credentials, which is generally a pretty bad idea. I would suggest no, but it depends what information the site will provide once logged in. If there's no accounting, no personal data, etc. then maybe it's okay, but I still wouldn't do it.
Edit: Updated due to question change
As stated, a static landing page with a link to the secure login page is a good solution here. It would be advisable to keep the http-to-https redirect on the login page though, as some users may try to type the address manually from memory, be using an old bookmark, or be using a cached link from a search engine. Alternatively, the http login page could redirect to a different landing page, alerting the user about the insecure page they have navigated to, and also serving the https login link.
A 'landing page' in http is the optimal way to remove the http to https redirect on a login page. The user can click a link to get to the secure https login page, therefore the login page is only available under https.
If a user wishes to have a url directly to the login page to make access faster, they can bookmark this after clicking 'login'.
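As an added illustration of the two answers above (this is example code, not anything posted by the answerers), here is a minimal request router: the HTTP landing page carries a direct https:// login link, the login form is only ever served over HTTPS, and a plain-HTTP request for the login page either gets the redirect the answer recommends keeping or, optionally, the warning page with the secure link. The hostname www.example.com is assumed for the example.

```python
from urllib.parse import urlunsplit

# Hostname is assumed for the example; it is not from the original question.
SITE_HOST = "www.example.com"
LOGIN_URL = f"https://{SITE_HOST}/login"

LANDING_PAGE = f'<h1>Welcome</h1><a href="{LOGIN_URL}">Log in</a>'
# The form posts to an absolute https:// URL, so credentials never travel in clear.
LOGIN_FORM = f'<form method="post" action="{LOGIN_URL}">...</form>'
WARNING_PAGE = (
    "<p>You reached the login page over plain HTTP, which is not secure. "
    f'Please use <a href="{LOGIN_URL}">{LOGIN_URL}</a> instead.</p>'
)


def route(scheme, path, query="", warn_instead_of_redirect=False):
    """Return (status, headers, body) for one request.

    Only /login is forced onto HTTPS. The landing page is served over plain
    HTTP without a redirect; its login link points straight at https://, so
    a user who clicks it never pays for the http->https hop.
    """
    if path == "/":
        return 200, {}, LANDING_PAGE
    if path == "/login":
        if scheme == "https":
            return 200, {}, LOGIN_FORM
        if warn_instead_of_redirect:
            # Second option from the answer: explain, then offer the secure link.
            return 200, {}, WARNING_PAGE
        # Default: keep the redirect for typed-in URLs, old bookmarks and
        # search-engine links. Only the scheme changes; host and path are our
        # own, so the Location header can never be attacker-chosen.
        location = urlunsplit(("https", SITE_HOST, path, query, ""))
        return 301, {"Location": location}, ""
    return 404, {}, "not found"
```

The redirect keeps the original query string but rebuilds the scheme and host itself rather than echoing anything from the request, which is what keeps a scheme-upgrade redirect from turning into an open redirect.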
I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users' existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we cannot do anything in our client app.
But if it is not a server issue: in UWP there is a WebAuthenticationBroker class which can help you authorize your app to access the user's info from the resource server by getting a token. You can try using that class to implement OAuth authorization. You don't need to use it in a WebView, so you can authorize your app with multiple users if you manage all the users and their tokens properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.
I have a page with public access (role-based authentication) on it. Now when I surf to this page I see my login page, but the URL is still the one of the protected page.
Why is this? Can we change this so it redirects normal to the login page?
The built-in behaviour of Umbraco is to keep the protected URL in the browser and then display the login page on it. As far as I know, you can't change this behaviour out of the box, but if it bothers you, you can add a check to your login view to see whether the request URL matches the URL of the login node (it shouldn't in your case), and redirect to the actual login page if they're different.
I believe this is done so that it doesn't have to redirect you once you've logged in, as you're still on the URL that you originally requested.
I have pages which are secured by session. If the session does not exist, the user is navigated to the login page. This works fine.
Now, let's say I am at some page like abc.aspx. The session does not exist. The system navigates to the login page. So, once logged in, can I navigate the user to the page which was originally requested?
Usually it is performed by adding the requested URL as a query parameter to Login page URL http://fakehost/Login?retUrl=originalpage
so app code can redirect it back. Forms authentication mechanism does it for you.
Yes, you can; however, it would be recommended to add a ReturnUrl querystring which contains the page they came from or need to go to after they have logged in. You can also use Request.UrlReferrer, I believe, which gives you the page they came from, but that means if, for example, they came from Google to your site to log in and you redirect, it would go back to Google.
Let's say I have the following sites: ClientSiteA.com, ClientSiteB.com, ClientSiteC.com, MainServer.com
I am distributing software to client sites. Anyone will be able to install the software, so a site cannot be considered trusted. MainServer.com will contain user information.
Users will interact with the software on client sites. A user will be able to click a login link on any client site which will bring up a popup. The popup can reside on MainServer.com. When a user logs in on any client, they will be logged in on ALL client sites as well as the MainServer.com. Remember, MainServer.com contains all user information.
I've done a lot of reading on SAML and OAuth2. Can someone tell me what is possible? If it is possible, which tools/workflows should I use? If this isn't possible, can someone tell me something I can accomplish that is similar to this?
FYI - I am trying to accomplish something like what Disqus does. If you login to Disqus on any site, you are logged into all the sites.
You can accomplish this with SAML, although it will involve browser redirects not popups.
The first time a user hits a protected site (ClientA) it redirects to MainServer.com. The user logs in, MainServer gives them a session and redirects them back to the service provider with a SAML authentication statement which then lets them in.
When the user then visits ClientB.com, it also redirects to MainServer.com for authentication. Because the user is already logged in at MainServer it can invisibly bounce them straight back to ClientB.com with a new authentication statement. The user barely if at all notices.
The problem with the pop-up window approach is that users have to give their credentials for site A to site B. This is a big security hole if site B isn't owned and controlled by Site A. Users should only give their credentials to the site that is authenticating them to prevent them being compromised. SAML and other federated/distributed auth mechanisms were designed with that in mind. I wouldn't want to give the keys to my email account to random sites on the internet but with this method I can log into stackoverflow with my gmail account.
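To make the redirect-based flow in this answer concrete, here is an added simulation (example code, not anything from the question or the answer, and not a real SAML implementation): the identity provider is MainServer.com, the service providers are the client sites, and a Browser object stands in for the user's cookie jar. Assertions are JSON blobs signed with an HMAC key shared between IdP and SPs, which stands in for the XML signature and the IdP's public key in real SAML; the user "alice" and her password are invented.

```python
import hashlib, hmac, json, secrets, time

# Added illustration, not real SAML: assertions are JSON signed with an HMAC
# key shared by IdP and SPs, standing in for XML-DSig with the IdP's public key.
# Hosts reuse the question's names; the user "alice" is invented.


class Browser:
    """Holds one cookie per host, like a real browser's cookie jar."""
    def __init__(self):
        self.cookies = {}


class IdentityProvider:
    """MainServer.com: the only party that ever sees a password."""
    def __init__(self, host, users):
        self.host, self.users = host, users        # users: name -> password (demo only)
        self.key = secrets.token_bytes(32)
        self.sessions = {}                         # cookie -> username

    def login(self, browser, username, password):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return False
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        browser.cookies[self.host] = cookie
        return True

    def sso(self, browser, authn_request):
        """Redirect target for SPs. Without an IdP session the user must log
        in; with one, a signed assertion is issued immediately (the invisible
        bounce described in the answer)."""
        user = self.sessions.get(browser.cookies.get(self.host))
        if user is None:
            return "login_required", None
        assertion = {"subject": user, "audience": authn_request["issuer"],
                     "in_response_to": authn_request["id"],
                     "not_on_or_after": int(time.time()) + 300}
        body = json.dumps(assertion, sort_keys=True)
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return "response", {"assertion": body, "signature": sig}


class ServiceProvider:
    """A client site. It never handles credentials, only assertions."""
    def __init__(self, host, idp):
        self.host, self.idp = host, idp
        self.pending = {}      # outstanding request id -> RelayState (requested path)
        self.sessions = {}     # cookie -> username

    def request(self, browser, path):
        user = self.sessions.get(browser.cookies.get(self.host))
        if user:
            return {"status": 200, "user": user}
        req_id = secrets.token_hex(8)
        self.pending[req_id] = path
        return {"status": 302, "to": self.idp.host,
                "SAMLRequest": {"issuer": self.host, "id": req_id}}

    def acs(self, browser, response):
        """Assertion Consumer Service: these checks are what stop a tampered,
        replayed or cross-site assertion from logging someone in."""
        expected = hmac.new(self.idp.key, response["assertion"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["signature"]):
            return {"status": 403, "reason": "bad signature"}
        a = json.loads(response["assertion"])
        if a["audience"] != self.host:
            return {"status": 403, "reason": "assertion not for this SP"}
        if a["in_response_to"] not in self.pending:
            return {"status": 403, "reason": "unsolicited or replayed"}
        if a["not_on_or_after"] < time.time():
            return {"status": 403, "reason": "expired"}
        path = self.pending.pop(a["in_response_to"])
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = a["subject"]
        browser.cookies[self.host] = cookie
        return {"status": 302, "to": path}


def demo():
    """Walk through the flow from the answer; returns observations for checking."""
    idp = IdentityProvider("MainServer.com", {"alice": "correct horse battery"})
    sp_a = ServiceProvider("ClientSiteA.com", idp)
    sp_b = ServiceProvider("ClientSiteB.com", idp)
    browser, out = Browser(), {}
    # First visit to ClientSiteA: redirected to MainServer, which wants a login.
    r_a = sp_a.request(browser, "/dashboard")
    out["first_hop"] = r_a["to"]
    out["first_sso"] = idp.sso(browser, r_a["SAMLRequest"])[0]
    idp.login(browser, "alice", "correct horse battery")   # password goes to the IdP only
    _, resp_a = idp.sso(browser, r_a["SAMLRequest"])
    out["a_acs"] = sp_a.acs(browser, resp_a)
    # ClientSiteB: the IdP session already exists, so no login prompt this time.
    r_b = sp_b.request(browser, "/comments")
    state, resp_b = idp.sso(browser, r_b["SAMLRequest"])
    out["b_sso"] = state
    out["b_acs"] = sp_b.acs(browser, resp_b)
    # A's assertion presented to B is refused: wrong audience.
    out["replay"] = sp_b.acs(browser, resp_a)["reason"]
    out["a_user"] = sp_a.request(browser, "/dashboard")["user"]
    return out
```

The point the answer makes is visible in the code paths: `IdentityProvider.login` is the only place a password is compared, and the client sites only ever receive an assertion that names them as the audience and answers a request they actually issued.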
I'm developing a mobile application using MVC 4. And I'm securing it. The application has 2 pages ("home" and "Clientes")
When the application starts it asks me for a username and password, with this being its URL http://localhost:59170/Account/Login?ReturnUrl=%2f.
I login and go to the home page. This is the url I can see on IE http://localhost:59170/Account/Login?ReturnUrl=%2f.
From this page I go to the Clientes page. This is the URL that I can see on IE http://localhost:59170/Account/Login?ReturnUrl=%2f#/Clientes. At the moment all works OK (though the URL looks somewhat strange).
The problem occurs when I press the back button on IE. It must go to the home page but I go to http://localhost:59170/Account/Login?ReturnUrl=%2f#/Account/Login?ReturnUrl=%2f where it asks me to login.
What might cause this behaviour and how do I solve it?
Each time you request a page that requires authentication, .NET will redirect you to your designated login page and append the requested URL to the login URL. That way, once the user has logged in successfully it will redirect them to the page they requested automatically. In your first URL, for example, the return URL is the URL-encoded representation of /, i.e. the root/homepage of your site.
It will keep redirecting you until you have authenticated. If you don't want to have authentication on your homepage, then just annotate your account controller with [Authorize] and not your home controller.
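The ReturnUrl mechanism described in this answer, and in the answers to the earlier ASP.NET session question (build a login URL that carries the originally requested page, then redirect back to it after login, with Request.UrlReferrer as a weaker fallback), is easy to get wrong in one way the answers do not spell out: the value comes from the query string, so it must be validated before being used as a redirect target. Here is an added, framework-independent example (not code from any of the posts) that builds the login URL the way Forms Authentication does, and only honours a return URL that is a local path and is not the login page itself. The login path /Account/Login is taken from the MVC 4 question; everything else is assumed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Login path from the MVC 4 question; the host below is assumed for the example.
LOGIN_PATH = "/Account/Login"


def build_login_url(requested_path, requested_query=""):
    """What Forms Authentication does: send the user to the login page with
    the originally requested URL carried in ?ReturnUrl=..."""
    target = requested_path + ("?" + requested_query if requested_query else "")
    return LOGIN_PATH + "?" + urlencode({"ReturnUrl": target})


def safe_return_url(return_url, default="/"):
    """Accept only a local, absolute-path URL.

    Anything else falls back to `default`: another host, an explicit scheme,
    a protocol-relative //host, backslash tricks that some browsers treat as
    slashes, and the login page itself (which would loop, as in the MVC 4
    question's back-button URL).
    """
    if not return_url:
        return default
    if not return_url.startswith("/") or return_url.startswith("//") or "\\" in return_url:
        return default
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc:       # catches "/\t/evil" style inputs too
        return default
    if parts.path.rstrip("/").lower() == LOGIN_PATH.lower():
        return default
    return return_url


def redirect_after_login(login_query):
    """Server-side view of the login POST: read ReturnUrl from the login page's
    query string and redirect only if it passes validation. Note that a "#/..."
    fragment (as in the MVC 4 question) is never sent to the server, so it
    cannot be recovered here."""
    params = parse_qs(login_query)
    return safe_return_url(params.get("ReturnUrl", [""])[0])


def referrer_fallback(referrer, own_host, default="/"):
    """Request.UrlReferrer is only usable when it points at our own host;
    otherwise a user who arrived from a search engine would be sent back
    there, exactly the problem the earlier answer warns about."""
    p = urlsplit(referrer or "")
    if p.scheme in ("http", "https") and p.netloc.lower() == own_host.lower():
        return safe_return_url(p.path + ("?" + p.query if p.query else ""), default)
    return default
```

`redirect_after_login` is the piece that matters for security: the value in ReturnUrl is attacker-controllable (anyone can craft a link to your login page), so the redirect must never follow it to another host.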