Solved

Authenticating UserId in every page through AD

Posted on 2012-03-25
6
220 Views
Last Modified: 2012-04-20
Hello,

We have an old web app in ASP.NET 1.1. This web app has been working as an intranet application (only inside our LAN). As we have opened offices outside our local building, we are planning to let our web app be accessed by our outside users through Internet. All users (inside or outside) have an Active Directory account.

Beacuse this web app has sql statements inside the vb code source, we are afraid of sql injections.

For minimizing risk of sql injection and for other security reasons, we are planning to authenticate access to our web app through Active Directory.

We have developed a component (dll) that receives UserId and Password as parameters and checked  them with AD. We are planning to use our function in the Login page and also every aspx.vb page, in its Page_Load procedure,  will call our function Authentication_In_AD(UserId, password), so we will be sured that every page is authenticated.

Example:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then

        sUserId = Context.Items("UserId").ToString;
        sPassword = Context.Items("Password").ToString;

        '' if it's not possible to use Context.Items in the page, 
        '' then we will use Session("UserId") and Session("Password")

        If Authenticate_In_AD(sUserId,sPassword) = False Then
            '' Don't get access to page
            Return
        End If
        
        '' Get access to page
        '' rest of code

    End If
End Sub

Open in new window



We think that the only way to store UserId and Password and be accesible in every page or passed as parameters from page to page, is using session variables like Session("UserId") and Session("Password"). My question is:

- Are Session variables a safe way to store sensitive values like UserId or Password? Would be another safer way?
- Is it a good idea to authenticate user in every aspx page?
0
Comment
Question by:miyahira
  • 2
  • 2
  • 2
6 Comments
 
LVL 7

Assisted Solution

by:mr_nadger
mr_nadger earned 250 total points
ID: 37764665
I wouldn't use AD credentials for this, if someone intercepts a log into your webpage they'll have a proper network log in too.
Have you looked at the .Net authentication methods? We use it for a clinical tools review website, and it's passed several penetration test reviews.
0
 
LVL 1

Author Comment

by:miyahira
ID: 37765755
I still think that AD authentication is a good idea. Our web application was developed in NET Framework 1.1, so we can't use .Net authetication methods of 2.0 or 3.5.
0
 
LVL 7

Accepted Solution

by:
mr_nadger earned 250 total points
ID: 37765837
I really advise against the AD route, having those details on the open web is asking for trouble. Are you using https for the login at least?
You should really push for the time to redevelop this in .Net 4, and have all SQL commands run through stored parameters on your database server, rather than piping the queries across from the site.

If you're insisting on going this route, I'd suggest using a master page to hold the authentication DLL, and have a valid access session variable with just true or false, and code in something to kill the session variable on leaving the site or browser closing.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 250 total points
ID: 37769621
Using AD Authentication for this is a really bad idea for the reasons the others have brought up, but mainly that if the credentials are stolen they have network access of the compromised user account.

At least take the extra time on the db backend and move the stored procs out. Put the procs in a schema by themselves and create an id on the schema that only has permissions to execute the procs. This is the ID that your web page should be using to access the db. At least this way, it minimizes the impact when someone hacks you. Because it is not a matter of if, but when someone gets in.
0
 
LVL 1

Author Comment

by:miyahira
ID: 37773157
I didn't realize that using AD authentication for web apps on Internet is a bad idea.

I thought that it would be OK since I connect to our Sharepoint portal with AD authentication over Internet. That's not for anonymous users that visit our portal, that AD authentication is only for domain users to certain options.

That kind of AD connections in a Sharepoint could be dangerous as well?
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 250 total points
ID: 37774840
I am not real familiar with Sharepoint authentication, but apparently it is a little more secure out of the box and uses forms of AD for authentication for remote employees.

http://technet.microsoft.com/en-us/library/cc262350.aspx

The main thing in my mind it that you don't want to store user name / passwords in the session variables and pass them around on every page. I would create a single log in point that returns a boolean value and use that in your session variables. Put in a check on each page looking for the variable and if it is null or nothing, send the user to the log in page.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
maxJsonLength exceeded error on ajax Post to ASP.NET MVC Controller Action method 5 123
ASP.NET reading ATOM 2 51
Error in page 3 46
Connection String 16 43
Lots of people ask this question on how to extend the “MembershipProvider” to make use of custom authentication like using existing database or make use of some other way of authentication. Many blogs show you how to extend the membership provider c…
Sometimes in DotNetNuke module development you want to swap controls within the same module definition.  In doing this DNN (somewhat annoyingly) swaps the Skin and Container definitions to the default admin selections.  To get around this you need t…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now