I have an ASP.NET MVC web app which requires the user to login with their domain username and password by validating against ActiveDirectoryMembershipProvider.
On login I use ValidateUser(username, password) to validate the user's credentials, and I then set the forms auth cookie so that in future requests the user is not asked to enter their username and password again
FormsAuthentication.SetAuthCookie(m.Username, true);
This is fine, but I need to periodically re-validate the user to make sure their domain password has not changed, and I don't want them to have to enter their credentials again.
One way of doing this would just be to store the user's password in plain text in the session object, or perhaps encrypting it then later decrypting it. Then I could call ValidateUser once more, and log the user out if necessary.
In other web apps where I've rolled my own auth I would simply store a hash of the user's password and compare that to the hash stored in the database.
There doesn't appear to be a single method on ActiveDirectoryMembershipProvider which would let me do that.
What is the logical thing to do here?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the users credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie
Related
I have an MVC 4 web application that requires user to login. Most of the users don't have email accounts. If someone forgot his password, how do I reset it? All the reset password systems I find require some sort of email account. I just want something simple, such as reset it to a default password, and the user can change his password once he logon using that default password. The problem is the password is encrypted in SQL Server. I can't find a tool that encrypt password.
First off the most widely used authentication implementations go to considerable lengths to prevent user credentials being stored in a reversible (i.e. plane text, or something that could be encrypted) format. Instead you should hash & salt plane text credentials and compare with a stored value.
Next to securely reset a users credentials you need to authenticate them through some other means, this is as you mention most commonly achieved through email, but if this isn't possible you should look at other out-of-band methods of authentication, perhaps send the user a SMS with a one time code, or make them answer a series of security questions. Once you have validated the users identity, force them to set a new password and override your stored hash for the user.
How to correctly implement abstract getUserId(request) method in these Google OAuth2 abstract servlets?
As code says, it is used to lookup and store google credential. I've seen example which returns session id, but that won't work correctly after session expiration:
User visits auth url, his access and refresh token are stored in storage under sessionId key
Within session lifetime, everythings works fine, so if this user visits auth url again, his stored tokens are found with the same sessionId key
But after session expiration (server restart etc) when this user visits auth url again, he gets new sessionId, no stored tokens are found, so new tokens (this time only access token) are requested and stored again under new sessionId key
So the question is - how to generate userId that will work in all cases? GoogleAppEngine implementation uses logged user, which is perfectly fine - but how do I generate such userId from just HttpRequest parameter?
BTW this (https://developers.google.com/gmail/api/auth/web-server) python implementation seems to generates parallel userinfo request to get user email manually...
First, make sure you need offline access to the user's credentials.
The reason all of these examples you cite use logged in user is because the user id is necessary to store the credentials against the correct user in the credential store.
In those use cases, Google OAuth is used to authorize the web server to undertake some action in the user's Google account.
One idea for user id to create a long lived coookie (using secure random generator) and use that to identify the user, so you know who they are when the visit the site again, and can reuse the credential (if you asked for offline access). This is not very robust, as the user can clear their cookies, but there is no other way short of logging the user in.
(Yes, Google Oauth can be used to log in the user, but you are still looking at a sending the user to Google every time, so you really gain nothing by doing that).
In my iOS app I have my user authenticate against our Domino server and store the username and password. I have some web pages that I want the user to see and am loading them in a UIWebView. However, every time I try to go to the page I am being challenged for authentication. I think I need to send a post to the server with my username and password but I am not sure how to do that?
I've never done that with iOS, so take this with a grain of salt, but I think there are generally two ways to do it:
You can likely pass the UN/password combination along as HTTP Basic authentication in each request. I believe it's the case that Domino will honor those credentials even when session auth is enabled.
If you're using session auth, you can do what you intimate: POST to a Domino URL containing the ?Login command (typically, "/names.nsf?Login" is a good choice) with Username and Password parameters (along the lines of How can I login to Domino via Ajax? ). The resultant value of a successful login will contain an authentication token cookie (typically DomAuthSessId or LtpaToken, depending on whether or not you're using SSO). By including that in the Cookie header in future requests, you should be able to continue the login.
I don't know much about web authorization, but there is one page which after login into gives the user coockie of name AUTH_WEBSITE, and this website redirects to my website which is mvc. Now I would like to only check if this user has that auth cookie and if it has, then I would like to authorize it in my website as well.
Now, I assume that checking cookies this way and givin admin rights based on cookie is NOT safe because other user can create this cookie for him self right ? so what would be better ?
And what is best place in mvc to check if other user is already authorized or has this cookie to prevent forcing user to click login button ?
To solve this issue you can use 2 ways:
When you create your custom cookie, use encryption methods. Encrypt user's role, password, even id etc. So other people can not decrypt them all to create other legal cookie.
For security, the best way is that to check user is exist in system or not in every action start. In your Authorize attribute, take values from cookie and check user, if it just exist continue, else alert : cookie values are wrong.
I am implementing a login process for my app, for that I have created a login screen and a sign-in button. So if the user is not signed in I have a register button which opens another form so that the user can register himself, after which I have provided a Done button which when clicked will send the information to the server and sends an authentication code to the users email address that the user entered in the iPhone app. Then the user will be registered.
So now I want to know what are the best ways to send the username and password to the server once the user is logged in? How is it possible to save the user name and password so that when at later time when the user opens an application he should not be allowed to login again?
The easiest way for secure transmission of the credentials is to use Https. On successful authentication you'll receive a "cookie" that you can store locally in the user defaults. That cookie will typically expire. So, on subsequent logins, you can check that the cookie hasn't expired, and continue to use it for your server communication.
If the cookie does expire, then you prompt the user to login again, thereby receiving a new cookie from the server.
Storing any user credentials on the device is a big no no. The only way you can do it is to store a hash of the password. You would still need to check a hash of the entered password with the stored hash to check they are equal. It doesn't really give you anything other than a local - no server required - authentication.
Of course don't forget that without having to login again, the app will be vulnerable. Someone else could use the app and the owner's server session would still be active.