Authenticating UserId in every page through AD

Hello,

We have an old web app in ASP.NET 1.1. This web app has been working as an intranet application (only inside our LAN). As we have opened offices outside our local building, we are planning to let our web app be accessed by our outside users through Internet. All users (inside or outside) have an Active Directory account.

Because this web app has SQL statements inside the VB source code, we are afraid of SQL injections.

For minimizing risk of sql injection and for other security reasons, we are planning to authenticate access to our web app through Active Directory.

We have developed a component (dll) that receives UserId and Password as parameters and checks them with AD. We are planning to use our function in the Login page, and also every aspx.vb page, in its Page_Load procedure, will call our function Authentication_In_AD(UserId, password), so we will be sure that every page is authenticated.

Example:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then

        ' Context.Items holds Object values, so convert explicitly (VB has no ';')
        Dim sUserId As String = CStr(Context.Items("UserId"))
        Dim sPassword As String = CStr(Context.Items("Password"))

        ' if it's not possible to use Context.Items in the page,
        ' then we will use Session("UserId") and Session("Password")

        If Authenticate_In_AD(sUserId, sPassword) = False Then
            ' Don't get access to page: a bare Return would still render it,
            ' so send the user to the login page and end the response
            Response.Redirect("Login.aspx", True)
            Return
        End If

        ' Get access to page
        ' rest of code

    End If
End Sub

We think that the only way to store UserId and Password and have them accessible in every page, or passed as parameters from page to page, is using session variables like Session("UserId") and Session("Password"). My question is:

- Are Session variables a safe way to store sensitive values like UserId or Password? Would there be another, safer way?
- Is it a good idea to authenticate user in every aspx page?
miyahiraAsked:
mr_nadgerCommented:
I really advise against the AD route, having those details on the open web is asking for trouble. Are you using https for the login at least?
You should really push for the time to redevelop this in .Net 4, and have all SQL commands run through stored parameters on your database server, rather than piping the queries across from the site.

If you're insisting on going this route, I'd suggest using a master page to hold the authentication DLL, and have a valid access session variable with just true or false, and code in something to kill the session variable on leaving the site or browser closing.
0
 
mr_nadgerCommented:
I wouldn't use AD credentials for this: if someone intercepts a login to your webpage they'll have a proper network login too.
Have you looked at the .Net authentication methods? We use it for a clinical tools review website, and it's passed several penetration test reviews.
0
 
miyahiraAuthor Commented:
I still think that AD authentication is a good idea. Our web application was developed in .NET Framework 1.1, so we can't use the .NET authentication methods of 2.0 or 3.5.
0
 
Jerry MillerCommented:
Using AD Authentication for this is a really bad idea for the reasons the others have brought up, but mainly that if the credentials are stolen they have network access of the compromised user account.

At least take the extra time on the db backend and move the stored procs out. Put the procs in a schema by themselves and create an id on the schema that only has permissions to execute the procs. This is the ID that your web page should be using to access the db. At least this way, it minimizes the impact when someone hacks you. Because it is not a matter of if, but when someone gets in.
0
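The schema-isolation advice above, as an added VB.NET 1.1 example (not code from the asker or any answerer). It assumes a stored procedure api.GetCustomer, a SQL login web_app that holds only EXECUTE on that schema, and a placeholder connection string; the T-SQL in the comment is the assumed one-time setup.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

' Assumed one-time T-SQL setup by the DBA (SQL Server 2005 or later):
'   CREATE SCHEMA api;                       -- all stored procs live here
'   CREATE USER web_app FOR LOGIN web_app;   -- account the web app connects as
'   GRANT EXECUTE ON SCHEMA::api TO web_app; -- no SELECT/INSERT/UPDATE on tables
Public Class CustomerData
    ' Placeholder connection string: the execute-only account, never sa or a dbo user.
    Private Const ConnString As String = _
        "Server=DBSERVER;Database=AppDb;User ID=web_app;Password=<placeholder>"

    ' Fetches one customer through a stored procedure; the id travels as a typed
    ' parameter, so no SQL text is ever built from page input.
    Public Function GetCustomer(ByVal customerId As Integer) As DataTable
        Dim table As New DataTable
        Dim conn As New SqlConnection(ConnString)
        Dim cmd As New SqlCommand("api.GetCustomer", conn)
        cmd.CommandType = CommandType.StoredProcedure
        cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId
        Try
            conn.Open()
            Dim adapter As New SqlDataAdapter(cmd)
            adapter.Fill(table)
        Finally
            conn.Close()   ' VB.NET 1.1 has no Using block, so close explicitly
        End Try
        Return table
    End Function
End Class
```

If an injection ever does slip through elsewhere, the web_app login cannot read or modify tables directly, which is the impact limit Jerry Miller describes.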
 
miyahiraAuthor Commented:
I didn't realize that using AD authentication for web apps on Internet is a bad idea.

I thought that it would be OK since I connect to our Sharepoint portal with AD authentication over Internet. That's not for anonymous users that visit our portal, that AD authentication is only for domain users to certain options.

Could that kind of AD connection in SharePoint be dangerous as well?
0
 
Jerry MillerCommented:
I am not really familiar with SharePoint authentication, but apparently it is a little more secure out of the box and uses forms of AD for authentication for remote employees.

http://technet.microsoft.com/en-us/library/cc262350.aspx

The main thing in my mind is that you don't want to store usernames / passwords in the session variables and pass them around on every page. I would create a single login point that returns a boolean value and use that in your session variables. Put in a check on each page looking for the variable and if it is null or nothing, send the user to the login page.
0
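The single-login-point pattern from the last comment, as an added VB.NET 1.1 example that is not the asker's or any answerer's code. It assumes the asker's DLL exposes Authenticate_In_AD(userId As String, password As String) As Boolean, that the login page has txtUser, txtPassword, lblError controls and a button wired to btnLogin_Click via OnClick in the markup, and that protected pages inherit AuthenticatedPage instead of Page.

```vbnet
Imports System
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Base class for every protected page (inherit this instead of Page).
Public Class AuthenticatedPage
    Inherits Page

    ' OnInit runs before Page_Load, so unauthenticated requests never reach page code.
    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        If Not IsLoggedIn() Then
            Response.Redirect("Login.aspx", True)   ' True ends the response here
        End If
        MyBase.OnInit(e)
    End Sub

    Protected Function IsLoggedIn() As Boolean
        Dim flag As Object = Session("IsAuthenticated")
        If flag Is Nothing Then Return False
        Return CBool(flag)
    End Function

    ' Call from a Logout button: drops the flag together with the whole session.
    Protected Sub Logout()
        Session.Abandon()
        Response.Redirect("Login.aspx", True)
    End Sub
End Class

' Login.aspx.vb: the one place that calls the AD check. Only the user name is
' kept in the session; the password is discarded after the check.
Public Class LoginPage
    Inherits Page

    Protected txtUser As TextBox
    Protected txtPassword As TextBox
    Protected lblError As Label

    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' Authenticate_In_AD is the asker's DLL function (assumed signature).
        If Authenticate_In_AD(txtUser.Text, txtPassword.Text) Then
            Session("IsAuthenticated") = True
            Session("UserId") = txtUser.Text
            Response.Redirect("Default.aspx", True)
        Else
            lblError.Text = "Login failed."
        End If
    End Sub
End Class
```

Because the check lives in OnInit of the base class, a page that forgets to call anything in Page_Load is still protected, and the AD credentials are verified exactly once per login rather than on every request.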