Authentication loop-hole?

Griff

In the design stage, so I don't have the ability to test this scenario at
the moment, so I would be grateful if someone could prove to me that the
following scenario does not exist...

The idea is that we will have one website with multiple URLs pointing to it.
For example www.mySite.com and another being www.theirSite.com.

There will be a common authentication database holding the role information
etc (in ASP.NET 2.x).

So, envisage the following scenario:

I log on to the site www.mySite.com and it immediately asks me to
authenticate myself by re-directing me to the log-on page. I put in my
credentials user="john" and password="somethingSecure". The system then
recognises me and issues me with a security token. It then re-directs me to
the web page www.mySite.com/editYourCompanysData.aspx.

Having come to that page, I can see all my sensitive company's data which I
can edit because I'm in the correct membership role.

I then edit the URL in my browser to now say
www.theirSite.com.editYourCompanysData.aspx.

My question is will the website now accept my security token and give me
access to their data or will it barf and force me to re-log on?

If anyone can answer this and provide any links to resources to back up
their answer then I'd be extremely grateful (I've failed to find this
information myself)

Thanks

Griff

Guest

I log on to the site www.mySite.com and it immediately asks me to
authenticate myself by re-directing me to the log-on page. I put in my
credentials user="john" and password="somethingSecure". The system then
recognises me and issues me with a security token. It then re-directs me to
the web page www.mySite.com/editYourCompanysData.aspx.

I then edit the URL in my browser to now say
www.theirSite.com.editYourCompanysData.aspx.

My question is will the website now accept my security token and give me
access to their data or will it barf and force me to re-log on?

Depends on your setup. MySite.com and TheirSite.com should be set up to
authenticate using different realms / domains, so you should get prompted
again when switching sites. Also, you may be confusing authentication and
authorisation. Even if the two sites are using the same authentication realm
/ domain, the user 'john' will not be able to access secure pages in
theirsite.com because he should not have the role or permissions to.

For example, if the machine is in a domain, as are all the users of the two
sites, then you should have at least two active directory groups called e.g.
"Theirsite Admin Users" and "Yoursite Admin Users". Only the users who were
allowed in each of the website's protected sections would be in the selected
groups.

bruce barker (sqlwork.com)

depends on how you are storing the authentication ticket. with standard
forms authentication it is stored in a cookie. a cookie cannot be shared
between the two domains. you will need to find a way to send the token from
one site to the other. typically this is done with a one time ticket passed
in the query string on the redirect. if you implement this correctly, then
the token cannot be passed to a second site.

-- bruce (sqlwork.com)
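The two replies above make two separate points: the browser will not send a cookie scoped to www.mysite.com to www.theirsite.com (so the ticket never arrives there on its own), and even a ticket that does arrive should fail the per-site authorisation check unless the user holds a role on that site. The following is an added simulation of both points, plus the single-use handoff token bruce describes. It is example code written for this thread, not ASP.NET's own forms-authentication implementation: the cookie name `.ASPXAUTH`, the signing key, the role table and the hostnames are all constructed assumptions, and the cookie-jar domain match is a simplified version of the browser rule.

```python
"""Two sites, one credential store: who gets the ticket, and who is allowed in.
Constructed example for illustration; not the thread's or ASP.NET's code."""
import hashlib
import hmac
import secrets
import time

SECRET = b"machineKey-placeholder"          # assumption: shared ticket-signing key
CREDENTIALS = {"john": "somethingSecure"}   # constructed user store
# Constructed role table: john edits company data on mysite only.
ROLES = {("john", "www.mysite.com"): {"CompanyEditor"}}
PAGE_ROLE = "CompanyEditor"                 # role editYourCompanysData.aspx requires
HANDOFF = {}                                # one-time tokens: token -> (user, host, expiry)


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_ticket(user: str) -> str:
    """Signed ticket 'user|issued_at|mac' standing in for the forms-auth ticket."""
    payload = f"{user}|{int(time.time())}"
    return f"{payload}|{_sign(payload)}"


def verify_ticket(ticket: str):
    """Return the user named in a validly signed ticket, else None."""
    try:
        user, issued, mac = ticket.rsplit("|", 2)
    except ValueError:
        return None
    return user if hmac.compare_digest(_sign(f"{user}|{issued}"), mac) else None


class Browser:
    """Minimal cookie jar: a cookie is sent only to its own domain or a subdomain."""

    def __init__(self):
        self.jar = {}  # (domain, name) -> value

    def store(self, domain: str, name: str, value: str) -> None:
        self.jar[(domain, name)] = value

    def cookies_for(self, host: str) -> dict:
        return {n: v for (d, n), v in self.jar.items()
                if host == d or host.endswith("." + d)}


class Site:
    def __init__(self, host: str):
        self.host = host

    def login(self, browser: Browser, user: str, password: str) -> str:
        if CREDENTIALS.get(user) != password:
            return "login failed"
        browser.store(self.host, ".ASPXAUTH", issue_ticket(user))
        return "redirect:/editYourCompanysData.aspx"

    def authorize(self, ticket) -> str:
        """Authentication first (is the ticket valid?), then authorisation (role on THIS host)."""
        user = verify_ticket(ticket) if ticket else None
        if user is None:
            return "302 redirect to login"
        if PAGE_ROLE not in ROLES.get((user, self.host), set()):
            return "403 forbidden"
        return f"200 company data for {user}"

    def get_edit_page(self, browser: Browser) -> str:
        return self.authorize(browser.cookies_for(self.host).get(".ASPXAUTH"))


def issue_handoff(ticket: str, target_host: str, ttl: int = 60):
    """Mint a single-use token bound to one target site, to pass on a redirect."""
    user = verify_ticket(ticket)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    HANDOFF[token] = (user, target_host, time.time() + ttl)
    return token


def redeem_handoff(token: str, host: str, browser: Browser) -> bool:
    entry = HANDOFF.pop(token, None)   # pop: a second redemption finds nothing
    if entry is None:
        return False
    user, target, expiry = entry
    if target != host or time.time() > expiry:
        return False
    browser.store(host, ".ASPXAUTH", issue_ticket(user))
    return True


def run_scenario() -> dict:
    """Walk through the question's scenario and return each outcome."""
    browser, mysite, theirsite = Browser(), Site("www.mysite.com"), Site("www.theirsite.com")
    mysite.login(browser, "john", "somethingSecure")
    results = {"mysite_page": mysite.get_edit_page(browser)}
    # Editing the URL: the mysite cookie is simply not sent to theirsite.
    results["theirsite_no_cookie"] = theirsite.get_edit_page(browser)
    # Even a ticket hand-carried across fails the role check on the other host.
    ticket = browser.cookies_for("www.mysite.com")[".ASPXAUTH"]
    results["theirsite_copied_ticket"] = theirsite.authorize(ticket)
    # Deliberate handoff works exactly once.
    token = issue_handoff(ticket, "www.theirsite.com")
    results["handoff_first"] = redeem_handoff(token, "www.theirsite.com", browser)
    results["handoff_second"] = redeem_handoff(token, "www.theirsite.com", browser)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The separation in `Site.authorize` is the point the first reply makes: a valid ticket only answers "who is this?", and the role lookup is keyed on the host, so a shared authentication store does not by itself grant access on the second site. The `HANDOFF.pop` in `redeem_handoff` is what makes the redirect token one-time, and binding it to `target_host` stops a token minted for one site from being redeemed at another.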