I want to detect certain browsers (IE6) and redirect them to a page that tells them to get a better browser.
Same thing for detection of Javascript being enabled, if the browser has it disabled I want to send them to a page which explains this fact.
Is there an elegant or preferred way to do this in mvc?
you should first Detect Browser Types by System.Web.HttpBrowserCapabilities browser = Request.Browser and then you can send users to a page which tells them to get a better browser .
and see for more information How to: Detect Browser Types and Browser Capabilities in ASP.NET Web Pages
This is a clean and great way of doing it.
http://ie6update.com/
Related
this is a basic question:
I have an angular 2 app, and I'm trying to use Office's dialog API. Basically, I have a route https://domain/success that I want to open up in the dialog.
More specifically, here is what I'm trying
I am at the route https://domain/splash, which renders the splash component.
In splashComponent.ts, I call
this.microsoftService.doStuff
In microsoftService, doStuff method, I call
Office.context.ui.displayDialogAsync('https://domain/success');
This is supposed to render the success component.
However, I see the splash component.
The url of the dialog is
https://domain/success?_host_info=blahblah|isDialog|#/splash
Why is this the case? And how do i render the success component?
This is more partial diagnosis than solution, but it's a bit too involved for a comment.
Regardless of whether Outlook adds the query parameter, your router is adding "#/splash" to the end of the URL and that is why it is opening splash. I think the problem is in the routing configuration and routing strategy.
Related to this is the fact that the Office dialog opens in a completely separate browser instance with a completely separate JavaScript engine instance and execution context. So a complete second copy of your web application is opening in the dialog. This means that the root routing is going to be triggered.
If you are determined to use a route in your web app in the dialog, then you need some kind of conditional logic where the app tests whether it is being opened in the dialog and routes accordingly.
That said, I recommend that when using the Office Dialog API in an Angular-based add-in, you deviate from the "single page" principle, and just create a success.html page that you host in your domain. This I much simpler and less error prone.
By the way, you shouldn't need to put your own add-in's domain in the <AppsDomains> in the manifest. The add-in trusts itself and anything in its own domain.
For more information, see Use the Office Dialog API with single-page applications and client-side routing, and the rest of that article too.
I am working on Asp.Net MVC 5. When i click a link (placed in another website) I navigate to UserDetails.cshtml page. Basically that 3rd party site is passing the UserName & Password to my site & using that I authorize & display further user info.
It's fine but the Url is looking like this
localhost:8080//Admin/UserDetails/UserName/PWD.
I don't want to show the UserName & Password in URL i.e URL should look something like :
localhost:8080//Admin/UserDetails/
One possible solution could be rewrite the URL in IIS (http://www.hanselman.com/blog/ASPNETMVCAndTheNewIIS7RewriteModule.aspx)
But I believe there is an easier way to handle this by using the routing mechanism of MVC.
Please help me to figure out the same.
EDIT :
As many of you are confused why I am not doing a Form Post here, let me re-frame my question. I have no control over the third party application, so I cant request them to do a form Post to my MVC application. Again the 3rd party application is a Oracle Reporting application (OBI), so doing a POST from that application might not be feasible too...
Let me reverse engineer your requirements from your question:
I want to have an URI that when invoked will give access to a secured section of my website. This URI must be clicked by visitors of a third-party site, whom I give that URI to. I want to hide the credentials from the URI.
You cannot do this, the requirements are conflicting. You cannot hand out URIs that will authenticate anyone who fires a request to that URI.
You could do something with a token (like http://your-site/auth/$token), but then still, anyone with access to that URI can use it to authenticate themselves, or simply put it up on their own website.
If you have data you want to expose to a third-party site, let that site perform an HTTP request (with tokens, usernames, headers or whatever you want to use to authenticate) in the background to your site, and display the response in their site. Then the visitor won't see that traffic, can't share the URI and all will be secure.
No. No. NO. Like seriously, NO. Any sensitive information should be sent via a post body over a secure connection (HTTPS). You can't "hide" information in a GET request, because it's all part of the URI, or the location of a particular resource. If you remove a portion, it's an entirely different location.
UPDATE
I find it extremely hard to believe that any third-party application that needs to authenticate via HTTP and isn't designed by a chimp with a typewriter, wouldn't support a secure method to do so, especially if it's an Oracle application. I'm not familiar with this particular app, but, and no offense meant here, but I would more easily believe that you've missed something in the documentation or simply haven't found the right way to do it yet before I'd believe you have to send clear-text credentials over GET.
Regardless, as I said previously, there's no way to hide information in a GET request. All data in a GET is part of the URL, and therefore is plainly visible in the browser location bar or whatever. Unfortunately, I have no advice for you other than to look closer at the documentation, even reach out to Oracle if you have to. Whether by post or something like OAuth, there almost has to be another way.
I am preparing to work on a project where I need to display a dashboard from an online application. Unfortunately, the use of an API is currently not possible. The dashboard can be embedded in an iFrame. However, when it is displayed it will prompt the user viewing the dashboard to login to an account.
I have one paid account to this service. Are there any rails gems to login to the service before the iFrame is processed?
Or would a proxy within my rails app be a better route to go?
Any pointers are appreciated!
Neither a Rails gems nor a proxy within your rails will work and they same have the same limitation.
They are both running on the back-end, server side.
The authentication you need is client side.
Unless you mean proxy the ENTIRE thing, the auth request and all subsequent requests and user interactions with this dashboard. That should work but (see below)
The way authentication works (pretty much universally) is: once you log in to any system, it stores a cookie on your browser and then the browser sends that cookie for every subsequent request.
If you authenticate on the backend, that cookie will be sent to your rails code and will die there, and the users browser will never know about it.
Also - it is not possible to do the auth server side and capture the cookie and then have the user browse the site with their browser directly, for two reasons:
Sometimes auth cookies use information about the browser or HTTP client to encrypt the cookie, so sending the same cookie from a different client wont work
You can not tell a browser to send a cookie to a domain different than your own.
So your options are, off the top of my head right now:
If there is a login page that accepts form submissions from other domains, you could try to simulate a form submission directly to that sites "after login" page. (The page the user gets directed to once they fill up the login form). Any modern web framework as XSRF protection (Cross Site Request Forgery protection) and will disallow this approach for security reasons.
See if the auth this site uses has any kind of OAUTH, Single Sign On (SSO) or similar type of authentication integration that you can do. (Similar to an API, so you may have already explored this option)
Proxy all requests to this site through your server. You will have to rewrite the entire HTML so that all images, CSS, stylesheets, and all other assets are also routed through the proxy or else the URLs are rewritten in the HTML to not be relative. You might hit various walls if a site wasn't designed for this use case. From things like the site using relative URL's for assets that you aren't proxying, the site referencing non-relative URL's causing cross-domain errors, etc. Note its really hard to re-write every single last assets reference, its not only the HTML you're worried about, Javascript can have URL's in it too, and CSS can as well.
You could write a bookmarklet or a browser extension that logs the user into the site.
Have everyone install Lastpass
Have everyone install the TamperMonkey browser extension (and others like it for other browser), and write a small User Script to run custom javascript automatically to log the user in on that site
Scrape that site for the info you need and serve it on your own site.
OK I'm out of ideas. :)
I have an ASP.MVC application. There are some sites in the application which are accesible only with certain user permissions. If user doesn't have required permissions I am redirecting to another controller and displaying page with Not authorized message.
When user without permission tries to visit restricted page using a link, browser caches destination. So always after clicking this link user will be redirected to Not Authorized page, even if permissions are granted. Browser skips directly to cached destination.
I have disabled caching on server side but, this doesn't seem to work in this case, any ideas how I can prevent browser from remembering links destination?
Thanks in advance,
Konrad
There's no logical reason for such a behavior to occur. First, check to make sure that the user is authorized like you think they are and that your redirect code is functioning properly (such that it only redirects if indeed the user is unauthorized). Short of that, make sure you're using a temporary redirect, and not redirect permanent. Although the browser shouldn't decide to just cache the resulting page indefinitely either way, it would perhaps have more cause to think it could if you're sending a permanent redirect.
Without seeing your code I'm not entirely sure there isn't something else going on, but here's a thought:
You can programmatically construct a hyperlink in your razor page to build a unique URL each time the page is refreshed. Just tack on a ?token=#uniqueVar onto the end of the url. The token need not be used in any place in your code, but if your uniqueVar is a timestamp or a Guid or something, your URL will be different every time.
I am developing a web site with MVC 5.2 and ASP.NET Identity 2.1. As long as my site is in beta, I want to keep random visitors away from my website.
I am looking for a simple 2-step-protection mechanism:
When I hit the website with my browser the default browser dialog should pop up and ask me for username and password (IIS user credentials). When I enter valid data, my site appears (with it's homepage).
Here I have to login to my application (with application specific credentials).
I enabled Basic Authentication in IIS 8.5 (and disabled Anonymous Authentication), because I was hoping this would bring up the browser dialog (from step 1). But this didn't do the trick. Instead, when I hit the page, the browser returns an error message saying that my request ended in an endless loop. No popup dialog appears. My request is obviously hitting my MVC application already and this tries to redirect me to the login form again and again.
Any ideas?
I just want to keep visitors away with a simple mechanism (does not have to be secure!!). And if possible I don't want to change my MVC code.
Thanks for any help!!
Look at this:
ASP.NET MVC - HTTP Authentication Prompt
You can also use the [Authorize] attribute for your landing actions.
Make sure [AllowAnonymous] action is not used.