asp.net - Granting Secure Access from one website to another -


i'm looking see how folly in below suggestion security perspective.

i have 2 websites. 1 administration portal , other members portal.

within administration portal administrators can retrieve listing of members , need offer ability administrators login member portal without having enter members login credentials.

both separate websites within iis , discussion lets on different servers.

both websites access same sql server database.

i thinking on administrator clicking "login member" link create random code string , save database along member number.

i pass code , member number member portal query string parameters.

the member portal read in these values , checks them in database verify code string exists , if matches member number being passed. login member , set flag in database set code being used , therefore invalid future requests.

i'm thinking bypass hacker need guess random code , pass page alongside corresponding member number code , combination marked unused in database.

this seem unlikely given seconds pass between code being generated , code being used.

if necessary check ip address of request users of administration portal share same fixed ip address.

so think above stand scrutiny on security review or need go down sso route?

your approach sound. can confirm because have implemented such solution such reason. analyzed options , exposure. , after implementation, our application passed pci complaince audit.

reasons:

  • ssl esential! protects against sniffers. essential. without encryption, sniffers detect guid , may have window use it)

  • as tony pointed out, the guid unguessable.

  • guid tokens expiring should expire within 24 hours.

suggestions:

  • checking against ip good. don't fooled feeling of security it. can fake ip's in headers. secure against xss , csrf using antiforgery tokens.

the antiforgery token cookie populates httpheaders __requestverificationtoken hard guess guid.

  • consider using established authentication framework .net identity 2 , multitenancy.

an established framework takes burden of encrypting passwords. ms frameworks simple membership , identity integrate modern asp.net frameworks , give strong base of functionality lean on.

if you're using old framework classic asp or .net 2.0, classic membership provider more appropriate.

if creating new mvc 5 applications utilizing entity framework, suggest using identity 2.1.

  • consider mult-tenancy. while there nothing wrong solution, if admins , users shared membership provider, solution cleaner. admin log main site , "get" token db. no exposure.

Comments

Post a Comment

Popular posts from this blog

php - failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request -

this code i'm using find latitude , longitude of place: function coords($address){ echo $url="http://maps.googleapis.com/maps/api/geocode/json?address=".$address; $json = file_get_contents(urlencode($url)); $data = json_decode($json, true); print_r($data['results'][0]['geometry']['location']['lat']); print_r($data['results'][0]['geometry']['location']['lng']); } however returns warning: failed open stream: http request failed! http/1.0 400 bad request if use above code in simple procedure works fine not in function. note: have tried curl_init()... method produced same result? instead of encoding whole url encode address part. following code work fine $add='jamshoro phase 2'; $url="http://maps.googleapis.com/maps/api/geocode/json?address=".urlencode($add); $json = file_get_contents($url); $data = json_decode($json, true); print_r($data['r
Read more

java - How to filter a backspace keyboard input -

i have code gives message when key number pressed: txtvalueofclause.addeventfilter(keyevent.key_typed, new eventhandler<keyevent>() { @override public void handle(keyevent t) { char ar[] = t.getcharacter().tochararray(); char ch = ar[t.getcharacter().tochararray().length - 1]; if (!(ch >= '0' && ch <= '9')) { system.out.println("the char entered not number"); t.consume(); } } }); now if press on wrong button , press backspace remove it, error message. how can add backspace input if statement? i have found answer: txtvalueofclause.addeventfilter(keyevent.key_typed, new eventhandler<keyevent>() { @override public void handle(keyevent t) { char ar[] = t.getcharacter().tochararray(); char ch = ar[t.getcharacter().tochar
Read more

java - Show Soft Keyboard when EditText Appears -

i have code in android app, alert dialog , keyboard, , when dialog shown want keyboard appear. not , not sure why? here code: final alertdialog.builder alert = new alertdialog.builder(this); alert.settitle("title"); alert.setmessage("message"); final edittext input = new edittext(this); input.setinputtype(inputtype.type_class_number); alert.setview(input); input.setonfocuschangelistener(new view.onfocuschangelistener() { @override public void onfocuschange(view v, boolean hasfocus) { if (hasfocus) { log.i(tag, "in focus"); inputmethodmanager inputmethodmanager = (inputmethodmanager) getsystemservice(context.input_method_service); inputmethodmanager.showsoftinput(input, inputmethodmanager.show_implicit); } } }); but keyboard not appear though edit text in focus, , tell appear why, doesn't come up? thanks in advance.
Read more