Solved

Authenticating UserId in every page through AD

Posted on 2012-03-25
6
225 Views
Last Modified: 2012-04-20
Hello,

We have an old web app in ASP.NET 1.1. This web app has been working as an intranet application (only inside our LAN). As we have opened offices outside our local building, we are planning to let our web app be accessed by our outside users through Internet. All users (inside or outside) have an Active Directory account.

Beacuse this web app has sql statements inside the vb code source, we are afraid of sql injections.

For minimizing risk of sql injection and for other security reasons, we are planning to authenticate access to our web app through Active Directory.

We have developed a component (dll) that receives UserId and Password as parameters and checked  them with AD. We are planning to use our function in the Login page and also every aspx.vb page, in its Page_Load procedure,  will call our function Authentication_In_AD(UserId, password), so we will be sured that every page is authenticated.

Example:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then

        sUserId = Context.Items("UserId").ToString;
        sPassword = Context.Items("Password").ToString;

        '' if it's not possible to use Context.Items in the page, 
        '' then we will use Session("UserId") and Session("Password")

        If Authenticate_In_AD(sUserId,sPassword) = False Then
            '' Don't get access to page
            Return
        End If
        
        '' Get access to page
        '' rest of code

    End If
End Sub

Open in new window



We think that the only way to store UserId and Password and be accesible in every page or passed as parameters from page to page, is using session variables like Session("UserId") and Session("Password"). My question is:

- Are Session variables a safe way to store sensitive values like UserId or Password? Would be another safer way?
- Is it a good idea to authenticate user in every aspx page?
0
Comment
Question by:miyahira
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 7

Assisted Solution

by:mr_nadger
mr_nadger earned 250 total points
ID: 37764665
I wouldn't use AD credentials for this, if someone intercepts a log into your webpage they'll have a proper network log in too.
Have you looked at the .Net authentication methods? We use it for a clinical tools review website, and it's passed several penetration test reviews.
0
 
LVL 1

Author Comment

by:miyahira
ID: 37765755
I still think that AD authentication is a good idea. Our web application was developed in NET Framework 1.1, so we can't use .Net authetication methods of 2.0 or 3.5.
0
 
LVL 7

Accepted Solution

by:
mr_nadger earned 250 total points
ID: 37765837
I really advise against the AD route, having those details on the open web is asking for trouble. Are you using https for the login at least?
You should really push for the time to redevelop this in .Net 4, and have all SQL commands run through stored parameters on your database server, rather than piping the queries across from the site.

If you're insisting on going this route, I'd suggest using a master page to hold the authentication DLL, and have a valid access session variable with just true or false, and code in something to kill the session variable on leaving the site or browser closing.
0
Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 250 total points
ID: 37769621
Using AD Authentication for this is a really bad idea for the reasons the others have brought up, but mainly that if the credentials are stolen they have network access of the compromised user account.

At least take the extra time on the db backend and move the stored procs out. Put the procs in a schema by themselves and create an id on the schema that only has permissions to execute the procs. This is the ID that your web page should be using to access the db. At least this way, it minimizes the impact when someone hacks you. Because it is not a matter of if, but when someone gets in.
0
 
LVL 1

Author Comment

by:miyahira
ID: 37773157
I didn't realize that using AD authentication for web apps on Internet is a bad idea.

I thought that it would be OK since I connect to our Sharepoint portal with AD authentication over Internet. That's not for anonymous users that visit our portal, that AD authentication is only for domain users to certain options.

That kind of AD connections in a Sharepoint could be dangerous as well?
0
 
LVL 18

Assisted Solution

by:Jerry Miller
Jerry Miller earned 250 total points
ID: 37774840
I am not real familiar with Sharepoint authentication, but apparently it is a little more secure out of the box and uses forms of AD for authentication for remote employees.

http://technet.microsoft.com/en-us/library/cc262350.aspx

The main thing in my mind it that you don't want to store user name / passwords in the session variables and pass them around on every page. I would create a single log in point that returns a boolean value and use that in your session variables. Put in a check on each page looking for the variable and if it is null or nothing, send the user to the log in page.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In an ASP.NET application, I faced some technical problems. In this article, I list them out and show the solutions that I found.  I hope it will be useful. Problem: After closing a pop-up window, the parent page should be refreshed automaticall…
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question