Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Authenticating UserId in every page through AD

Posted on 2012-03-25
6
Medium Priority
?
228 Views
Last Modified: 2012-04-20
Hello,

We have an old web app in ASP.NET 1.1. This web app has been working as an intranet application (only inside our LAN). As we have opened offices outside our local building, we are planning to let our web app be accessed by our outside users through Internet. All users (inside or outside) have an Active Directory account.

Beacuse this web app has sql statements inside the vb code source, we are afraid of sql injections.

For minimizing risk of sql injection and for other security reasons, we are planning to authenticate access to our web app through Active Directory.

We have developed a component (dll) that receives UserId and Password as parameters and checked  them with AD. We are planning to use our function in the Login page and also every aspx.vb page, in its Page_Load procedure,  will call our function Authentication_In_AD(UserId, password), so we will be sured that every page is authenticated.

Example:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then

        sUserId = Context.Items("UserId").ToString;
        sPassword = Context.Items("Password").ToString;

        '' if it's not possible to use Context.Items in the page, 
        '' then we will use Session("UserId") and Session("Password")

        If Authenticate_In_AD(sUserId,sPassword) = False Then
            '' Don't get access to page
            Return
        End If
        
        '' Get access to page
        '' rest of code

    End If
End Sub

Open in new window



We think that the only way to store UserId and Password and be accesible in every page or passed as parameters from page to page, is using session variables like Session("UserId") and Session("Password"). My question is:

- Are Session variables a safe way to store sensitive values like UserId or Password? Would be another safer way?
- Is it a good idea to authenticate user in every aspx page?
0
Comment
Question by:miyahira
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 7

Assisted Solution

by:mr_nadger
mr_nadger earned 1000 total points
ID: 37764665
I wouldn't use AD credentials for this, if someone intercepts a log into your webpage they'll have a proper network log in too.
Have you looked at the .Net authentication methods? We use it for a clinical tools review website, and it's passed several penetration test reviews.
0
 
LVL 1

Author Comment

by:miyahira
ID: 37765755
I still think that AD authentication is a good idea. Our web application was developed in NET Framework 1.1, so we can't use .Net authetication methods of 2.0 or 3.5.
0
 
LVL 7

Accepted Solution

by:
mr_nadger earned 1000 total points
ID: 37765837
I really advise against the AD route, having those details on the open web is asking for trouble. Are you using https for the login at least?
You should really push for the time to redevelop this in .Net 4, and have all SQL commands run through stored parameters on your database server, rather than piping the queries across from the site.

If you're insisting on going this route, I'd suggest using a master page to hold the authentication DLL, and have a valid access session variable with just true or false, and code in something to kill the session variable on leaving the site or browser closing.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 1000 total points
ID: 37769621
Using AD Authentication for this is a really bad idea for the reasons the others have brought up, but mainly that if the credentials are stolen they have network access of the compromised user account.

At least take the extra time on the db backend and move the stored procs out. Put the procs in a schema by themselves and create an id on the schema that only has permissions to execute the procs. This is the ID that your web page should be using to access the db. At least this way, it minimizes the impact when someone hacks you. Because it is not a matter of if, but when someone gets in.
0
 
LVL 1

Author Comment

by:miyahira
ID: 37773157
I didn't realize that using AD authentication for web apps on Internet is a bad idea.

I thought that it would be OK since I connect to our Sharepoint portal with AD authentication over Internet. That's not for anonymous users that visit our portal, that AD authentication is only for domain users to certain options.

That kind of AD connections in a Sharepoint could be dangerous as well?
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 1000 total points
ID: 37774840
I am not real familiar with Sharepoint authentication, but apparently it is a little more secure out of the box and uses forms of AD for authentication for remote employees.

http://technet.microsoft.com/en-us/library/cc262350.aspx

The main thing in my mind it that you don't want to store user name / passwords in the session variables and pass them around on every page. I would create a single log in point that returns a boolean value and use that in your session variables. Put in a check on each page looking for the variable and if it is null or nothing, send the user to the log in page.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this Article, I will provide a few tips in problem and solution manner. Opening an ASPX page in Visual studio 2003 is very slow. To make it fast, please do follow below steps:   Open the Solution/Project. Right click the ASPX file to b…
User art_snob (http://www.experts-exchange.com/M_6114203.html) encountered strange behavior of Android Web browser on his Mobile Web site. It took a while to find the true cause. It happens so, that the Android Web browser (at least up to OS ver. 2.…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question