Authentication loop-hole?

Discussion in 'ASP .Net Security' started by Griff, Oct 6, 2006.

  1. Griff

    Griff Guest

    In the design stage, so I don't have the ability to test this scenario at
    the moment, so I would be grateful if someone could prove to me that the
    following scenario does not exist...

    The idea is that we will have one website with multiple URLs pointing to it.
    For example www.mySite.com and another being www.theirSite.com.

    There will be a common authentication database holding the role information
    etc (in ASP.NET 2.x).

    So, envisage the following scenario:

    I log on to the site www.mySite.com and it immediately asks me to
    authenticate myself by re-directing me to the log-on page. I put in my
    credentials user="john" and password="somethingSecure". The system then
    recognises me and issues me with a security token. It then re-directs me to
    the web page www.mySite.com/editYourCompanysData.aspx.

    Having come to that page, I can see all my sensitive company's data which I
    can edit because I'm in the correct membership role.

    I then edit the URL in my browser to now say
    www.theirSite.com.editYourCompanysData.aspx.

    My question is will the website now accept my security token and give me
    access to their data or will it barf and force me to re-log on?

    If anyone can answer this and provide any links to resources to back up
    their answer then I'd be extremely grateful (I've failed to find this
    information myself)

    Thanks

    Griff
    Griff, Oct 6, 2006
    #1

  2. Leon Mayne

    Leon Mayne Guest

    > I log on to the site www.mySite.com and it immediately asks me to
    > authenticate myself by re-directing me to the log-on page. I put in my
    > credentials user="john" and password="somethingSecure". The system then
    > recognises me and issues me with a security token. It then re-directs me to
    > the web page www.mySite.com/editYourCompanysData.aspx.
    >
    > I then edit the URL in my browser to now say
    > www.theirSite.com.editYourCompanysData.aspx.
    >
    > My question is will the website now accept my security token and give me
    > access to their data or will it barf and force me to re-log on?


    Depends on your setup. MySite.com and TheirSite.com should be set up to
    authenticate using different realms / domains, so you should get prompted
    again when switching sites. Also, you may be confusing authentication and
    authorisation. Even if the two sites are using the same authentication realm
    / domain, the user 'john' will not be able to access secure pages in
    theirsite.com because he should not have the role or permissions to.

    For example, if the machine is in a domain, as are all the users of the two
    sites, then you should have at least two active directory groups called e.g.
    "Theirsite Admin Users" and "Yoursite Admin Users". Only the users who were
    allowed in each of the website's protected sections would be in the selected
    groups.
    Leon Mayne, Oct 6, 2006
    #2

  3. bruce barker (sqlwork.com)

    Depends on how you are storing the authentication ticket. With standard
    forms authentication it is stored in a cookie. A cookie cannot be shared
    between the two domains. You will need to find a way to send the token from
    one site to the other. Typically this is done with a one-time ticket passed
    in the query string on the redirect. If you implement this correctly, then
    the token cannot be passed to a second site.

    -- bruce (sqlwork.com)


    "Griff" <> wrote in message
    news:...
    > In the design stage, so I don't have the ability to test this scenario at
    > the moment, so I would be grateful if someone could prove to me that the
    > following scenario does not exist...
    >
    > The idea is that we will have one website with multiple URLs pointing to
    > it. For example www.mySite.com and another being www.theirSite.com.
    >
    > There will be a common authentication database holding the role
    > information etc (in ASP.NET 2.x).
    >
    > So, envisage the following scenario:
    >
    > I log on to the site www.mySite.com and it immediately asks me to
    > authenticate myself by re-directing me to the log-on page. I put in my
    > credentials user="john" and password="somethingSecure". The system then
    > recognises me and issues me with a security token. It then re-directs me
    > to the web page www.mySite.com/editYourCompanysData.aspx.
    >
    > Having come to that page, I can see all my sensitive company's data which
    > I can edit because I'm in the correct membership role.
    >
    > I then edit the URL in my browser to now say
    > www.theirSite.com.editYourCompanysData.aspx.
    >
    > My question is will the website now accept my security token and give me
    > access to their data or will it barf and force me to re-log on?
    >
    > If anyone can answer this and provide any links to resources to back up
    > their answer then I'd be extremely grateful (I've failed to find this
    > information myself)
    >
    > Thanks
    >
    > Griff
    bruce barker \(sqlwork.com\), Oct 6, 2006
    #3
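Both replies above rest on the same mechanism: the forms-authentication cookie is scoped to the host that set it, so it is never sent to www.theirSite.com, and any cross-site handoff has to be a single-use, short-lived ticket bound to the target host. The Python model below is added here and is not code from the thread or from ASP.NET; it shows the domain-match rule a browser applies before sending a cookie, and a ticket store that rejects replay, expiry, tampering and redemption on the wrong host. The shared key, host names and 30-second TTL are constructed values.

```python
import hmac
import hashlib
import secrets
import time

# Constructed demo key; in practice both hosts would share a real secret.
KEY = b"constructed-demo-key"


def cookie_sent(cookie_domain, request_host):
    """RFC 6265 domain-match: the cookie is sent only when the request host
    equals the cookie's domain or is a subdomain of it. A cookie set for
    www.mysite.com is therefore never sent to www.theirsite.com."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def _mac(nonce, user, target_host):
    msg = f"{nonce}|{user}|{target_host}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


class TicketStore:
    """Server-side half of a one-time handoff ticket: the first site issues a
    ticket for a named user and target host, redirects the browser to the
    second site with it in the query string, and the second site redeems it
    exactly once before setting its own cookie."""

    def __init__(self, ttl=30):
        self.ttl = ttl
        self.pending = {}  # nonce -> (user, target_host, expires)

    def issue(self, user, target_host, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)  # URL-safe, never contains '.'
        self.pending[nonce] = (user, target_host, now + self.ttl)
        return f"{nonce}.{_mac(nonce, user, target_host)}"

    def redeem(self, ticket, request_host, now=None):
        """Return the user name on success, None on any failure."""
        now = time.time() if now is None else now
        nonce, sep, mac = ticket.partition(".")
        # pop() makes the ticket single-use even when a check below fails.
        entry = self.pending.pop(nonce, None)
        if not sep or entry is None:
            return None
        user, target_host, expires = entry
        if not hmac.compare_digest(mac, _mac(nonce, user, target_host)):
            return None  # tampered ticket
        if now > expires or request_host.lower() != target_host.lower():
            return None  # expired, or presented to a site it was not issued for
        return user
```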