asp.net mvc log in architecture options - asp.net-mvc

I am writing an ASP.NET MVC C# site which will not use sessions... What are my options for providing login functionality without sessions?

System.Web.Security.FormsAuthentication uses cookies:
FormsAuthentication.SetAuthCookie(userName, rememberMe);
No session is used there. Of course, if you want more than a username and isAuthenticated, you'll need some other way to store that state. Your only real alternatives are cookies or the URL, neither one of which is generally acceptable for other reasons.
Session is not evil, especially given your options to host session data on a shared server or on a SQL Server instance.
Session can certainly be abused and your scalability will suffer, but I would not eschew session completely unless there were other overriding concerns.
If you must toss out session entirely, you will have to either recreate state on each call, an expensive proposition generally, or you will have to create your own state storage mechanism which brings us back to standard ASP.NET session storage alternatives.

You basically have 3 options, that I can think of, to authenticate HTTP requests.
1) Cookies only, where you set a cookie on the user's machine with the necessary information you need to identify them on their next request
2) Sessions. Session will typically also use cookies (to store session information), but don't have to (see http://msdn.microsoft.com/en-us/library/aa479314.aspx)
3) Stateless authentication. This is really only used for non-browser HTTP clients calling webservices. This includes the client signing the HTTP request with a public/private key combination that the server can then authenticate. An example of a stateless HTTP authentication protocol is OAuth (though OAuth as a spec is really geared towards authorization, but authorization by its nature requires authentication).
See Web authentication state - Session vs Cookie vs? for additional discussion on Cookies and Sessions.
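An added example (not part of the original answer) of the signed-request idea in option 3: the client signs the request with its private key and the server checks it with the registered public key, holding no per-client state. This is a generic scheme, not OAuth; the canonical string layout, the five-minute window and the `/api/orders` request are assumptions made for the illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class SignedRequest
{
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);   // assumed freshness window
    // Bytes covered by the signature: method, path, timestamp and a hash of the body.
    static byte[] Canonical(string method, string path, string timestamp, string body)
    {
        using (var sha = SHA256.Create())
        {
            string bodyHash = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(body)));
            return Encoding.UTF8.GetBytes(string.Join("\n", method.ToUpperInvariant(), path, timestamp, bodyHash));
        }
    }
    // Client: sign with the private key; timestamp and signature travel as request headers.
    public static string Sign(RSA privateKey, string method, string path, string timestamp, string body)
    {
        return Convert.ToBase64String(privateKey.SignData(Canonical(method, path, timestamp, body),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
    }

    // Server: needs only the caller's registered public key, no session or cookie.
    public static bool Verify(RSA publicKey, string method, string path, string timestamp,
                              string body, string signatureB64, DateTimeOffset now)
    {
        DateTimeOffset sent;
        if (!DateTimeOffset.TryParse(timestamp, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out sent)) return false;
        if ((now - sent).Duration() > MaxSkew) return false;   // stale or future-dated: limits replay
        byte[] sig;
        try { sig = Convert.FromBase64String(signatureB64); }
        catch (FormatException) { return false; }
        return publicKey.VerifyData(Canonical(method, path, timestamp, body), sig,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        using (RSA key = RSA.Create())   // demo only: a real server holds just the public half
        {
            key.KeySize = 2048;
            string ts = DateTimeOffset.UtcNow.ToString("o"), body = "{\"qty\":1}";   // constructed sample
            string sig = Sign(key, "POST", "/api/orders", ts, body);
            Console.WriteLine(Verify(key, "POST", "/api/orders", ts, body, sig, DateTimeOffset.UtcNow));
            Console.WriteLine(Verify(key, "POST", "/api/orders", ts, "{\"qty\":99}", sig, DateTimeOffset.UtcNow)); // altered body
        }
    }
}
```

The timestamp check only narrows the replay window; a server that must reject exact replays also has to remember recently seen signatures or nonces, which reintroduces a small amount of state.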

The common approach is to use cookies. See Securing and ASP.NET MVC Application.

Related

Tokens statelessness and storage

I have been reading a lot about not saving the tokens in the user agent storage and I agree with the risks mentioned.
But going through some of the Auth0 quickstart examples, I see the tokens being saved in the session and using session cookies to track them.
Others mention saving the actual token as an httpOnly cookie with lower risks involved.
My questions are:
How is that considered stateless? especially with scalability and the potential use of load balancers.
Are the alternatives, memory cache and database stores? Is it that any different from sessions?
In the case of SPAs, how to maintain remember me functionality?
As Kavindu wrote, localStorage is a good place. If you want to protect the application against XSS attacks, use Content Security Policy, so a browser executes only your JavaScript code. There is a recent RFC about best practices for OAuth 2.0 and Browser-Based Apps, so you can check it.
If you want to keep state (session) on your backend with multiple backend nodes (cluster), you can use some shared data storage such as database or Hazelcast. The architecture is stateful in the same way as a single backend node with an in-memory session.
If you have a session on your backend and a cookie, you don't need an access token anymore, since your SPA calls just your backend and the token would serve the same purpose as the session ID from the cookie.
The remember me functionality can be implemented using a cookie either at your authentication provider (probably better choice from the security standpoint) or your own application.
Architecture choices are usually trade-offs between simplicity and scalability. If you are just starting developing the application and not sure what to choose, I would go for simplicity, because even if you want to change it later, it should be easier to refactor.
Maintaining a session is applicable only when there is a backend to your application. From a purely SPA perspective, storing a token in localStorage is acceptable and relatively secure. Modern browsers have the capability to protect localStorage compared to other means.
If you have a backend, correlating the access token to a session is better than storing it in a cookie. Also, one advantage you get with this is the ability to get a refresh token, which can be stored in the backend.
Having a cookie means losing statelessness. Cookies are there to maintain a state between server and client end. Maintaining a session requires server resources but I do not think you need to worry much on that. Scaling must be done targeting your specific requirement.
Remember me functionality is yet again something built with cookies. It is a functionality provided by the authorisation server. Think of it as your browser remembering your Facebook logged-in status. It uses cookies and your application does not have to worry on that!

Token vs Cookie for SPA

I'm using devise_token_auth for a Rails application with React on the frontend and Rails acting as the backend.
In the readme the author states that
"If you're building SPA or a mobile app, and you want authentication, you need tokens, not cookies."
Why? I understand the basic differences between tokens and cookies, but don't understand why you couldn't just use cookies (simply including the headers with any XHR requests)?
There are a few major reasons.
First of all, most SPAs are designed as stateless and using cookie based authentication is not stateless. Using cookies also makes every request take a little bit longer because there is a lookup on every request.
Cookies are also tied to a domain. Most SPAs use multiple services across multiple domains which is a no go with cookie based authentication. This also applies to SPAs which have a web app and mobile app; using token based authentication means scaling this is much easier.
Tokens can also be used to store data and only need to be generated once, after that there is no work involved except for the server reading the token. This means you can store user permissions in there etc and the server can get this information with very little work.

Browser applications and auth tokens again

I've been reviewing how we should handle OAuth authentication in our browser application (SPA), and there's a whole bunch of articles out there that makes it all really confusing... I'm really missing something concrete and best practice guidance for a very simple setup.
We have this ASP.NET Web API 2 that's protected using tokens issued by IdSvr3. So far so good. Works with native clients and server apps.
Now to the browser stuff... Looking at a sample such as JavaScriptImplicitClient which uses the oidc-client-js library to retrieve tokens using the implicit flow. The token is stored in the browser which is accessible using JavaScript and thereby open to XSS attacks.
In order to avoid that, suggestions indicate storing the token in a cookie and then setting up a mechanism to prevent CSRF attacks.
Seems simple, but what sets that cookie?
Is it the IdSvr? Doesn't make sense since it's the API that needs the cookie.
Is it the API? During Implicit Flow login, is the user then redirected to the API which sets up the session and then redirects the user back to the SPA with a Set-Cookie header? Then the cookie will be present to the API on subsequent requests.
Third solution? Some mention creating a second 'API' that proxies requests to the 'real' API, but sets the auth header.
Do you have any samples of such a setup, or can you maybe provide some hints about how you'd do it?
Personally, most of the time the avoidance of Web Storage for tokens due to XSS seems to be exacerbated a bit. There is one important question: if your application is vulnerable to XSS, will the impact of this vulnerability be significantly increased because you also leaked tokens or you already got totally pwned even if you didn't store tokens there and you're in the same type of trouble?
I made a comparison of the pros and cons of a few approaches to store access tokens in web browser application which you can check in this answer to a related question.
In the end each case ends up having their own specifics which may tip the balance between one approach versus the other (cookies or web storage). Just don't ignore any option from the start and look at all of them based on your requirements.
I bet that there are implementations out there that store them in HTTP-Only cookies to avoid the XSS issue with Web Storage and then end up using a CSRF mitigation strategy that is vulnerable in the face of XSS.

ASP.NET Custom authentication without a store

My team currently uses WebForms for projects, but I'm trying to convince everyone to switch to MVC. One of the problems that I'm running into is with authentication. I can't figure out how to implement our login process to work with MVC.
Our authentication is done via mostly a web service (we pass username & password and are told if it is valid or not), but occasionally we use ActiveDirectory for logins.
Right now we are using sessionstate to store information about the logged in person. How would I translate this to ASP.NET MVC? I've read a lot about various things -- Claims, Roles, MembershipProvider, IProvider, ASP.NET Identity, OWIN, but ASP.NET has been evolving so rapidly that I'm afraid that I'm reading old information on StackOverflow.
Right now we are using sessionstate to store information about the logged in person.
Don't do this. Ever. Not in WebForms, or MVC. It's highly insecure and easily spoofed. Session should never be used for anything to do with Authentication or Authorization. Plus, Sessionstate is volatile, and IIS can dump your session at any time, losing synchronization with your authentication.
The solution to your problem is very simple. You already have the authentication in your web service (though I question whether this would be secure either, given your Sessionstate authentication methods, but that's a different argument). All you need is the Authentication portion, which is easily provided by FormsAuthentication to set the cookie to allow logins.
You validate against your service, if you succeed, you call FormsAuthentication.SetAuthCookie(), and then you add [Authorize] to all the MVC action methods you want to protect. It's really that simple.
If you need to have information available about the user, then you would create a custom IIdentity and/or IPrincipal implementation that provides that information, making it secure (secured by encrypted cookie) and easy to access.
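An added sketch (not code from the answer) of the flow described above for classic ASP.NET MVC on System.Web: validate against the service, issue an encrypted forms-authentication ticket carrying the user's roles, and rebuild the principal on each request without touching Session. `ICredentialService`, the `|` role separator (role names are assumed not to contain it) and the `Index`/`Home` fallback route are assumptions, and `GenericPrincipal` stands in for the custom IPrincipal the answer mentions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical wrapper around the existing credential-checking web service.
public interface ICredentialService { bool TryValidate(string user, string password, out string[] roles); }

public class AccountController : Controller
{
    private readonly ICredentialService _service;   // supplied by the app's DI setup (assumed)
    public AccountController(ICredentialService service) { _service = service; }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, bool rememberMe, string returnUrl)
    {
        string[] roles;
        if (!_service.TryValidate(userName, password, out roles))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        // Roles ride inside the ticket; Encrypt() encrypts and signs it with the machineKey. No Session.
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), rememberMe, string.Join("|", roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // not readable from script
            Secure = true,     // sent over HTTPS only
            Path = FormsAuthentication.FormsCookiePath
        };
        if (rememberMe) cookie.Expires = ticket.Expiration;   // otherwise a browser-session cookie
        Response.Cookies.Add(cookie);
        // Follow only local return URLs (avoids an open redirect).
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}

public class MvcApplication : HttpApplication   // Global.asax.cs
{
    // Runs after FormsAuthenticationModule has decrypted and validated the cookie.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null) return;
        var roles = identity.Ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(identity, roles);   // feeds [Authorize(Roles = "...")]
    }
}
```

In a web farm every node must share the same machineKey, otherwise a ticket issued by one server fails to decrypt on another.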

Most secured way to persist data in ASP MVC

I'm using ASP MVC application + WCF service with custom session behavior implementation. Clients receive, store and use (for authorization) session tokens. Now I'm searching for most secured way to store session token at client side in ASP MVC.
I see a few ways:
Hidden field. Drawback: user can open page source code and get token.
Route value. Drawback: token is actually open. User can get it from address bar.
Session. I've read a lot of articles with one conclusion: using Session in MVC application is a bad practice. But Session has a lot of advantages as well: can be widely configured, can store token at server side, etc.
I'm sure there are some best practices for solving my problem. Any help will be appreciated.
Require HTTPS connections, encrypt secure data, place in cookie.
You could also pass the token around your site, encrypted of course via a hidden field or something but your scenario is actually what cookies are made to do.
My bank sets a cookie, they should be good enough for what you are doing.
