Current I'm working on an a project using MVC4 in which we have a service reference looking into the Database to return our content. The service reference requires me to provide the username/password each time I make a call.
What would be best practices for this? Should I encrypt the password then save it to a cookie or should I issue the user an Auth Token? Or would there be a third option?
First. Don't. Just don't. NEVER ever ever ever ever ever ever store the users password. Never. I mean it. Never. Under no circumstances. There are no mitigating factors. There is nothing so important that you should ever break this rule. Ever. If your only choice is to break this rule (say, from a third party service that you don't control), then refuse to do it. Make someone, somewhere budge on it. Quit your job if you have to. I'm that serious.
If you save the users password, you are breaking the trust between the user and the software. You're making passwords discoverable, if hacked, and those passwords can be re-used to do nasty things (such as getting into someones bank account and taking all their money). If you save passwords, you are part of the internet security problem as a whole. I don't care how small you think you are, or how irrelevant the data might be. Someones password controls access to many important things you may not know about.
So don't do it. Just don't.
Now, on to solving your real problem. How to deal with this issue varies depending on the situation. Is this service on the same domain as the web server? Is it under your control? Can you change the interface? Are you developing the service? Please explain the circumstances.
Related
I'm not sure that this is a stack overflow appropriate question. If not, I'd appreciate a pointer to a more appropriate forum, as I haven't been able to find one.
I have a small website project that gets a few hundred daily unique users and on average I get one or two people to create an account per day. Yesterday I noticed that more users were signing up (like about 50) and today another 150 users signed up. Wonderful, right? Except that then I noticed that while the emails look legitimate, all of the usernames ended in same letters. My site requires that email be confirmed before a user gets any additional access and none of these accounts have confirmed their email. There is no apparent regularity to the creation of these accounts other than that it is happening with slowly increasing frequency.
My first question is, what is the most effective way to prevent this with the least user impact. The only thing that I can think of is adding a captcha step as part of account registration. I really dislike captcha so if anyone has a better idea for a general solution to this I'd appreciate it.
I'm also interested in this: What could this malicious user be gaining by doing this? It's not yet anything other than a minor nuisance to me. The accounts are easily identifiable and they're not (yet) being created at a rate that could represent anything like a denial of service attack. The only thing I can think is that they're trying to confirm that these emails are registered on my site. But I can't think why that would be useful. Also, if the email addresses are real, they're using my site to spam those email, but the spam is a registration confirmation for my site. So I guess they might eventually get my email provider to shut me down if they keep this up.
Thanks in advance for any help, even if that's a redirect to a different forum.
Other possibly useful information:
My site is hosted on Azure using asp.net mvc5 with identity framework
I believe that the emails are legitimate because my email provider
shows a very small bounce rate (like 1%) on these emails.
There are 2 more options which are SMS-Confirmation(by limiting the phone number), and IP restriction.
I need to create a webpage for a specific customer to use only during certain time frames.
I would like to make this page as secure as possible, by not allowing anybody else to see this page during this time frame. I would also like to make it as easy as possible for this customer to open this page.
My thinking is:
Open time frame
Send customer link via email
Email contains passcode to use to enter the page
After task is complete or time frame expires, the passcode also expires
To me, this seems pretty secure.
My concerns are:
The customer forwarding the email (I don't see why they would do this, so may be a mute point)
There is an inherent flaw in my thinking that I am not aware of.
The time frame is kept in a database. Each user action will have the passcode checked against the time frame to ensure that it is valid.
Is this method secure, within a reasonable degree, or is there a better way that you know of, or an existing technology that deals with this problem already?
As i gather, you want to limit access to third-parties as much as possible. i think you'd want something login-based - have a simple registration procedure with which you can connect the email to a user, let the client choose their own password, give the user rights to access the page, share the link (either use encryption with email or do it with the user account), restrict multiple sessions. Once the client has the information, you can't really ensure that they don't misuse it..
I am developing an ASP.Net MVC4 app that uses windows authentication. One of the requirements of the app is to prompt for credentials when an item is edited, even though the app is already aware of the user's credentials (User.Identity.Name). This requirement is necessary to meet FDA software validation standards.
I read I can do Response.StatusCode = 401 and that will force a login prompt, but I am not aware of a way to capture that information so I can save it with the data. I also read doing this has other side-affects.
Would I have to use a mix of forms and windows authentication? If so, does anyone know of examples that might help me get started? Like I said, I have to capture the user credentials so I can save it with the data.
The basic purpose of the prompt is to ensure that the person editing the data is who they say they are. For instance, I can walk away from my computer with the app still open and someone else can come along and change data in my name. Hope that makes sense.
Thanks.
Anything dealing with reauthorization will need to be customized for your specific needs.
My recommendation would be to open a (client-side) modal with username/password, and pass that information along with the rest of your POST data. Obviously you will need to have a fallback for <noscript>, if that's a requirement as well.
What's the best way to keep users from sharing session cookies in Rails?
I think I have a good way to do it, but I'd like to run it by the stack overflow crowd to see if there's a simpler way first.
Basically I'd like to detect if someone tries to share a paid membership with others. Users are already screened at the point of login for logging in from too many different subnets, but some have tried to work around this by sharing session cookies. What's the best way to do this without tying sessions to IPs (lots of legitimate people use rotating proxies).
The best heuristic I've found is the # of Class B subnets / Time (some ISPs use rotating proxies on different Class Cs). This has generated the fewest # of false positives for us so I'd like to stick with this method.
Right now I'm thinking of applying a before filter for each request that keeps track of which Subnets and session_ids a user has used in memcached and applies the heuristic to that to determine if the cookie is being shared.
Any simpler / easier to implement ideas? Any existing plugins that do this?
You could tie the session information to browser information. If people are coming in from 3 or 4 different browser types within a certain time period, you can infer that something suspicious may be going on.
An alternative answer relies on a bit of social-engineering. If you have some heuristic that you trust, you can warn users (at the top of the page) that you suspect they are sharing their account and that they are being watched closely. A "contact us" link in the warning would allow legitimate users to explain themselves (and thus be permanently de-flagged). This may minimize the problem enough to take it off your radar.
One way I can think of would be to set the same random value in both the session and a cookie with every page refresh. Check the two to make sure they are the same. If someone shares their session, the cookie and session will get out of sync.
I'm looking at implementing some form of anonymous user system in Rails. I need to let people do things (creating records, looking at what they've created, etc), without actually creating an account. Once they create an account, everything persists without risk of losing it by clearing cookies or something.
Right now, I'm thinking it's pretty straightforward. Have an is_anonymous field in the User model, and use something like this to access the currently logged in user:
def find_user
session[:user_id] ||= create_new_anonymous_user.id
end
Assuming the session persists for some reasonable period of time, and the session cookie doesn't expire, that should keep everything running smoothly.
However, there is this piece of me that is convinced that I'm missing something security-related. Has anyone done something like this before? Am I missing something super-obvious?
Thanks!
The only real security issue is going to be if these anonymous users can perform critical operations.
Your system means that anyone with the specific cookie will gain access to the site. Not necessarily a big deal, but it really depends on the type of information your users are providing.
I have done something similar in the past (in my case I was tracking progress through a site and when the user logged in or registered, I attached the "guest" data to their account. When you do the switch, make sure you delete the anonymous record to prevent further access and it should be fine.
I just found a pretty cool example of "trial users" using Authlogic: http://github.com/gisikw/authlogic_trial
Assuming the session persists for some
reasonable period of time, and the
session cookie doesn't expire, that
should keep everything running
smoothly.
Perhaps you should set a separate long lived cookie for the new user, so they can have multiple sessions (at least from that browser).
Are you sure that you want to let people create objects that are tied to accounts that may not exist? Unfortunately I don't know much about what your application is actually doing but I would think that going down this path might leave you with a bunch of orphaned objects not really "owned" by any real users.
If you really do want to do this I think what you have is decent. You could be creating a real user, flagged as "guest" (or whatever) and once the user wants to really register they are prompted for other information and unflagged. You should add access control for guest vs non-guest, etc.