Solved

Authenticating UserId in every page through AD

Posted on 2012-03-25
219 Views
Last Modified: 2012-04-20
Hello,

We have an old web app in ASP.NET 1.1. This web app has been working as an intranet application (only inside our LAN). As we have opened offices outside our local building, we are planning to let our web app be accessed by our outside users through Internet. All users (inside or outside) have an Active Directory account.

Because this web app has SQL statements inside the VB source code, we are afraid of SQL injections.

For minimizing risk of sql injection and for other security reasons, we are planning to authenticate access to our web app through Active Directory.

We have developed a component (DLL) that receives UserId and Password as parameters and checks them against AD. We are planning to use our function in the Login page, and also every aspx.vb page, in its Page_Load procedure, will call our function Authenticate_In_AD(UserId, Password), so we will be sure that every page is authenticated.

Example:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then

        ' CStr returns Nothing instead of throwing when the key is absent
        Dim sUserId As String = CStr(Context.Items("UserId"))
        Dim sPassword As String = CStr(Context.Items("Password"))

        ' If it's not possible to use Context.Items in the page,
        ' then we will use Session("UserId") and Session("Password")

        If Authenticate_In_AD(sUserId, sPassword) = False Then
            ' Don't get access to page
            ' (a bare Return would only leave Page_Load and the page would still
            ' render, so the response has to be ended; login page name assumed)
            Response.Redirect("Login.aspx")
            Return
        End If

        ' Get access to page
        ' rest of code

    End If
End Sub




We think that the only way to store UserId and Password so that they are accessible in every page, or passed as parameters from page to page, is using session variables like Session("UserId") and Session("Password"). My question is:

- Are Session variables a safe way to store sensitive values like UserId or Password? Would there be another, safer way?
- Is it a good idea to authenticate user in every aspx page?
Question by:miyahira
6 Comments
 
LVL 7

Assisted Solution

by:mr_nadger
mr_nadger earned 250 total points
ID: 37764665
I wouldn't use AD credentials for this; if someone intercepts a login to your webpage they'll have a proper network login too.
Have you looked at the .Net authentication methods? We use it for a clinical tools review website, and it's passed several penetration test reviews.
 
LVL 1

Author Comment

by:miyahira
ID: 37765755
I still think that AD authentication is a good idea. Our web application was developed in .NET Framework 1.1, so we can't use the .NET authentication methods of 2.0 or 3.5.
 
LVL 7

Accepted Solution

by:mr_nadger
mr_nadger earned 250 total points
ID: 37765837
I really advise against the AD route, having those details on the open web is asking for trouble. Are you using https for the login at least?
You should really push for the time to redevelop this in .Net 4, and have all SQL commands run through stored parameters on your database server, rather than piping the queries across from the site.

If you're insisting on going this route, I'd suggest using a master page to hold the authentication DLL, and have a valid access session variable with just true or false, and code in something to kill the session variable on leaving the site or browser closing.
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 250 total points
ID: 37769621
Using AD Authentication for this is a really bad idea for the reasons the others have brought up, but mainly that if the credentials are stolen they have network access of the compromised user account.

At least take the extra time on the db backend and move the stored procs out. Put the procs in a schema by themselves and create an id on the schema that only has permissions to execute the procs. This is the ID that your web page should be using to access the db. At least this way, it minimizes the impact when someone hacks you. Because it is not a matter of if, but when someone gets in.
 
LVL 1

Author Comment

by:miyahira
ID: 37773157
I didn't realize that using AD authentication for web apps on Internet is a bad idea.

I thought that it would be OK since I connect to our Sharepoint portal with AD authentication over Internet. That's not for anonymous users that visit our portal, that AD authentication is only for domain users to certain options.

Could that kind of AD connection in SharePoint be dangerous as well?
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 250 total points
ID: 37774840
I am not real familiar with Sharepoint authentication, but apparently it is a little more secure out of the box and uses forms of AD for authentication for remote employees.

http://technet.microsoft.com/en-us/library/cc262350.aspx

The main thing in my mind is that you don't want to store user name / passwords in the session variables and pass them around on every page. I would create a single login point that returns a boolean value and use that in your session variables. Put in a check on each page looking for the variable and if it is null or nothing, send the user to the login page.
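One way to implement the single-login-point pattern recommended above in ASP.NET 1.1, as an added example and not code from anyone in this thread: protected pages inherit a base page class that checks a Boolean session flag, and only the login page ever touches the password. Authenticate_In_AD is the asker's DLL function (assumed to be an imported Shared function returning Boolean); the names SecurePage, LoginPage, Login.aspx, Default.aspx and the session key IsAuthenticated are assumptions.

```vbnet
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Base class for every protected page: code-behinds inherit SecurePage instead
' of Page, so the check runs once, before Page_Load, without copying it around.
Public MustInherit Class SecurePage
    Inherits Page

    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        MyBase.OnInit(e)
        ' Session holds only a Boolean flag and the user id, never the password.
        Dim flag As Object = Session("IsAuthenticated")
        If flag Is Nothing OrElse Not CBool(flag) Then
            Response.Redirect("Login.aspx?ReturnUrl=" & _
                HttpUtility.UrlEncode(Request.RawUrl), True)
        End If
    End Sub
End Class

' Login.aspx code-behind: the single point where AD credentials are checked.
Public Class LoginPage
    Inherits Page

    Protected WithEvents txtUser As TextBox
    Protected WithEvents txtPassword As TextBox
    Protected WithEvents btnLogin As Button
    Protected WithEvents lblError As Label

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnLogin.Click
        ' Authenticate_In_AD is the asker's DLL function (assumed Shared, Boolean).
        If Authenticate_In_AD(txtUser.Text, txtPassword.Text) Then
            Session("IsAuthenticated") = True
            Session("UserId") = txtUser.Text
            txtPassword.Text = ""   ' the password is discarded after the check
            ' Follow only same-site relative return URLs to avoid an open redirect.
            Dim target As String = Request.QueryString("ReturnUrl")
            If target Is Nothing OrElse Not target.StartsWith("/") _
                    OrElse target.StartsWith("//") OrElse target.StartsWith("/\") Then
                target = "Default.aspx"   ' landing page name assumed
            End If
            Response.Redirect(target, True)
        Else
            lblError.Text = "Login failed."
        End If
    End Sub
End Class
```

A logout page then only needs Session.Abandon() followed by a redirect to Login.aspx, which clears the flag so every SecurePage redirects again.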
