Velocity Reviews - Computer Hardware Reviews

Authentication loop-hole?

Griff
10-06-2006
In the design stage, so I don't have the ability to test this scenario at
the moment, so I would be grateful if someone could prove to me that the
following scenario does not exist...

The idea is that we will have one website with multiple URLs pointing to it.
For example www.mySite.com and another being www.theirSite.com.

There will be a common authentication database holding the role information
etc (in ASP.NET 2.x).

So, envisage the following scenario:

I log on to the site www.mySite.com and it immediately asks me to
authenticate myself by re-directing me to the log-on page. I put in my
credentials user="john" and password="somethingSecure". The system then
recognises me and issues me with a security token. It then re-directs me to
the web page www.mySite.com/editYourCompanysData.aspx.

Having come to that page, I can see all my sensitive company's data which I
can edit because I'm in the correct membership role.

I then edit the URL in my browser to now say
www.theirSite.com/editYourCompanysData.aspx.

My question is will the website now accept my security token and give me
access to their data or will it barf and force me to re-log on?

If anyone can answer this and provide any links to resources to back up
their answer then I'd be extremely grateful (I've failed to find this
information myself)

Thanks

Griff




Leon Mayne
10-06-2006
> I log on to the site www.mySite.com and it immediately asks me to
> authenticate myself by re-directing me to the log-on page. I put in my
> credentials user="john" and password="somethingSecure". The system then
> recognises me and issues me with a security token. It then re-directs me to
> the web page www.mySite.com/editYourCompanysData.aspx.
>
> I then edit the URL in my browser to now say
> www.theirSite.com/editYourCompanysData.aspx.
>
> My question is will the website now accept my security token and give me
> access to their data or will it barf and force me to re-log on?


Depends on your setup. MySite.com and TheirSite.com should be set up to
authenticate using different realms / domains, so you should get prompted
again when switching sites. Also, you may be confusing authentication and
authorisation. Even if the two sites are using the same authentication realm
/ domain, the user 'john' will not be able to access secure pages in
theirsite.com because he should not have the role or permissions to.

For example, if the machine is in a domain, as are all the users of the two
sites, then you should have at least two Active Directory groups called e.g.
"Theirsite Admin Users" and "Yoursite Admin Users". Only the users who were
allowed in each of the website's protected sections would be in the selected
groups.
 
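An added example of the authorisation check Leon describes, written for this page in Python rather than taken from the thread or from ASP.NET itself. It models one shared identity store, one group per site, and a decision that is keyed on the requested host, so that "logged in" and "allowed to edit this site's data" stay separate. The two group names are the ones in the post; the users (john, alice, carol), the page path policy, the Decision values and the host normalisation are constructed for the example.

```python
"""Tenant-scoped authorization: a valid login is not a licence to edit every
site's data; the group the *requested host* requires must also be held."""
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"                    # authenticated, but lacks the site's group
    LOGIN_REQUIRED = "login"         # anonymous request to a protected page
    BAD_HOST = "bad-host"            # Host header names no site we serve


# Constructed sample membership, standing in for the AD groups in the post.
GROUP_MEMBERSHIP = {
    "john":  {"Yoursite Admin Users"},
    "alice": {"Theirsite Admin Users"},
    "carol": {"Yoursite Admin Users", "Theirsite Admin Users"},
}

# Which group each hostname's protected section requires. Keying the policy
# on the host is what stops one shared user database from becoming one realm.
SITE_GROUP = {
    "www.mysite.com":    "Yoursite Admin Users",
    "www.theirsite.com": "Theirsite Admin Users",
}

# Constructed page policy. Paths are compared case-insensitively because IIS
# path matching is case-insensitive; an exact-case check would be bypassable.
PROTECTED_PATHS = {"/edityourcompanysdata.aspx"}


def normalize_host(host_header):
    """Lower-case the Host header and drop a :port suffix.

    The header is client-supplied, so it is only ever matched against the
    SITE_GROUP allow-list, never trusted. Bracketed IPv6 literals are left
    untouched and therefore fail the allow-list (assumption: we serve none).
    """
    host = (host_header or "").strip().lower()
    if host.startswith("["):
        return host
    return host.split(":", 1)[0]


def authorize(user, host_header, path):
    """user: authenticated user name, or None for an anonymous request.
    host_header / path: taken from the request. Returns a Decision."""
    required_group = SITE_GROUP.get(normalize_host(host_header))
    if required_group is None:
        return Decision.BAD_HOST          # refuse to serve an unknown tenant
    if path.lower() not in PROTECTED_PATHS:
        return Decision.ALLOW             # public page, no identity needed
    if user is None:
        return Decision.LOGIN_REQUIRED    # would redirect to the login page
    if required_group in GROUP_MEMBERSHIP.get(user, set()):
        return Decision.ALLOW
    return Decision.DENY


if __name__ == "__main__":
    page = "/editYourCompanysData.aspx"
    for user, host in [("john", "www.mySite.com"), ("john", "www.theirSite.com"),
                       ("carol", "www.theirSite.com"), (None, "www.mySite.com")]:
        print(f"{user!s:6} @ {host:18} -> {authorize(user, host, page).value}")
```

The point of the host allow-list is that the server decides which tenant a request belongs to from a value it recognises, not from whatever the browser put in the Host header; john keeps his identity when he switches hostnames, but the required group changes with the host and his membership does not.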
bruce barker (sqlwork.com)
10-06-2006
Depends on how you are storing the authentication ticket. With standard
forms authentication it is stored in a cookie. A cookie could not be shared
between the two domains. You will need to find a way to send the token from
one site to the other. Typically this is done with a one-time ticket passed
in the query string on the redirect. If you implement this correctly, then
the token cannot be passed to a second site.

-- bruce (sqlwork.com)


"Griff" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In the design stage, so I don't have the ability to test this scenario at
> the moment, so I would be grateful if someone could prove to me that the
> following scenario does not exist...
>
> The idea is that we will have one website with multiple URLs pointing to
> it. For example www.mySite.com and another being www.theirSite.com.
>
> There will be a common authentication database holding the role
> information etc (in ASP.NET 2.x).
>
> So, envisage the following scenario:
>
> I log on to the site www.mySite.com and it immediately asks me to
> authenticate myself by re-directing me to the log-on page. I put in my
> credentials user="john" and password="somethingSecure". The system then
> recognises me and issues me with a security token. It then re-directs me
> to the web page www.mySite.com/editYourCompanysData.aspx.
>
> Having come to that page, I can see all my sensitive company's data which
> I can edit because I'm in the correct membership role.
>
> I then edit the URL in my browser to now say
> www.theirSite.com.editYourCompanysData.aspx.
>
> My question is will the website now accept my security token and give me
> access to their data or will it barf and force me to re-log on?
>
> If anyone can answer this and provide any links to resources to back up
> their answer then I'd be extremely grateful (I've failed to find this
> information myself)
>
> Thanks
>
> Griff
>
>
>



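An added example, not from the thread and not ASP.NET's own code, that checks bruce's cookie point for the two hostnames in the question. It uses Python's standard http.cookiejar, which applies the same host/domain scoping rules a browser does to Set-Cookie and Cookie headers, so the answer can be worked out offline without a web server. It models only the browser side: whether the ticket cookie issued after logging in at www.mySite.com would ever be presented to www.theirSite.com. The cookie name .ASPXAUTH is ASP.NET's default forms-authentication cookie; the ticket values, the login.aspx path, and the app.mysite.com / admin.mysite.com hosts in the last variant are made up for the example.

```python
"""Does the forms-auth cookie issued by www.mysite.com travel to
www.theirsite.com? http.cookiejar enforces browser-style domain scoping,
so a CookieJar stands in for the browser."""
import http.cookiejar
import urllib.request
from email.message import Message

COOKIE_NAME = ".ASPXAUTH"   # ASP.NET's default forms-authentication cookie


class _FakeResponse:
    """Minimal stand-in for an HTTP response: cookiejar only calls .info()
    and reads the Set-Cookie headers from it."""
    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def login(jar, site, ticket, domain_attr=None):
    """Simulate the login page on `site` issuing the ticket cookie (constructed
    response). Returns True if the browser (jar) accepted and stored it."""
    req = urllib.request.Request(f"https://{site}/login.aspx")
    attrs = f"{COOKIE_NAME}={ticket}; Path=/; Secure; HttpOnly"
    if domain_attr:
        attrs += f"; Domain={domain_attr}"
    before = len(jar)
    jar.extract_cookies(_FakeResponse([attrs]), req)
    return len(jar) > before


def cookie_sent_to(jar, url):
    """Return the Cookie header a browser holding `jar` would attach to a
    request for `url`, or None if it would send nothing (the server then
    sees an anonymous request and redirects to the login page)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def scenario():
    """The thread's scenario plus two variants. Returns a dict of outcomes."""
    out = {}

    # The question as asked: log in at www.mysite.com, then change the host.
    jar = http.cookiejar.CookieJar()
    assert login(jar, "www.mysite.com", "ticket-for-john")
    out["mysite"] = cookie_sent_to(
        jar, "https://www.mysite.com/editYourCompanysData.aspx")
    out["theirsite"] = cookie_sent_to(
        jar, "https://www.theirsite.com/editYourCompanysData.aspx")
    # Side effect of the Secure flag: the ticket also never leaves over http.
    out["mysite_plain_http"] = cookie_sent_to(
        jar, "http://www.mysite.com/editYourCompanysData.aspx")

    # Variant 1: the server tries to widen the cookie to the other site with a
    # Domain attribute. The browser refuses to store a cookie for a domain the
    # issuing host is not part of.
    jar2 = http.cookiejar.CookieJar()
    out["forged_domain_stored"] = login(
        jar2, "www.mysite.com", "t2", domain_attr="theirsite.com")

    # Variant 2 (constructed hosts): two hostnames under ONE registrable domain
    # can share a cookie via Domain=; that is the case where a ticket does
    # carry across hosts, so it matters whether the two sites are siblings.
    jar3 = http.cookiejar.CookieJar()
    assert login(jar3, "app.mysite.com", "t3", domain_attr="mysite.com")
    out["sibling_subdomain"] = cookie_sent_to(
        jar3, "https://admin.mysite.com/editYourCompanysData.aspx")
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:22} -> {result!r}")
```

The first two results are the direct answer to the question for the browser side: the ticket goes back to www.mysite.com and is never sent to www.theirsite.com, so that host sees an anonymous request. Variant 2 is the caveat: if the two URLs were ever moved under one parent domain and the application set a Domain attribute, the ticket would travel, and only server-side authorisation would then separate the two sites' data.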