How do I protect my login page from prying eyes (forms authentication)?

Discussion in 'ASP .Net' started by Alan Silver, Jan 3, 2006.

  1. Alan Silver

    Alan Silver Guest

    Hello,

    Sorry this is a bit wordy, but it's a pretty simple question...


    I have a web site, http://domain/ which is a public site, part of which
    (http://domain/a/) is protected by forms authentication.

    I would like to configure it so that anyone not logged in, trying to
    access the protected part will not be redirected to the login page, but
    will be sent to the main site's home page. The reason is because I have
    a page in the protected part where the site owner prints out order
    details to send to the customer. As most browsers put the URL at the
    bottom of a printed web page, the customer will see
    http://domain/a/orders.aspx?orderid=23 and will then try to load that
    page. If they are redirected to a login page, it encourages hackers to
    try and break in. If they are redirected to the main home page, or given
    a 404, they will not know of the existence of the protected part.

    So, any ideas how I do this? I tried setting the loginUrl (in
    web.config) to the home page, but this stops anyone from logging in,
    even if they enter the URL to the login page.

    Currently, the main site does not have a web.config, and the protected
    part (which is a separate application) has the following...

    <configuration>
    <system.web>
    <compilation defaultLanguage="c#" />
    <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" />
    </authentication>
    <authorization>
    <deny users="?"/>
    </authorization>
    </system.web>
    </configuration>

    This works, except it shows the login page to everyone. Any idea how I
    can prevent this? TIA

    --
    Alan Silver
    (anything added below this line is nothing to do with me)
     
    Alan Silver, Jan 3, 2006
    #1

  2. Alan Silver

    KMA Guest

    If I understand correctly.....

    .... you want to permit authorised users to be allowed to visit domain/a, but
    you don't want to invoke the asp standard response of sending all unauth'd
    requests to the login page. In this case you need to make your own link to
    the username/password page from somewhere in domain/. Then you should
    protect the domain/a directory with Forms authentication, but using as the
    login page something like a 404, with no reference to logging in. This means
    that genuine users need to know they should login officially using the link
    you provide - they can't just navigate to domain/a and get redirected to the
    login page. Otherwise I don't see how you can distinguish between genuine
    "not logged in yet" users, and nasty creatures of the night.

     
    KMA, Jan 3, 2006
    #2

  3. Alan Silver

    Damien Guest

    Hi Alan,

    Sounds a bit like chicken and egg. The forms authentication needs to
    know which page is the login page, otherwise it cannot provide access
    to that page and bypass the authentication for it.

    That being said, you may be able to check the RETURNURL parameter in
    the querystring during Page Load of your login page, and if you've come
    from somewhere else, redirect to the homepage. (I don't use Forms
    Authentication myself, and for all I know ASP.NET may sneakily hide
    that parameter from you)

    At the end of the day though, you're just practicing security through
    obscurity. Sure, do this if you want to, but I'd rather devote time and
    energy to making my site secure even if someone discovers the
    "protected" site. And this page will only stay hidden for so long. Once
    it's out in the open (and if it's believed the contents are high
    valued, and people suspect that you've hidden the login page as a
    security measure), you may be *more* likely to be attacked.

    The simple fact of the matter is: all web servers/web sites which are
    exposed to the internet get attacked.

    Damien
     
    Damien, Jan 3, 2006
    #3
  4. Alan Silver

    Alan Silver Guest

    >Sounds a bit like chicken and egg. The forms authentication needs to
    >know which page is the login page, otherwise it cannot provide access
    >to that page and bypass the authentication for it.


    Guess so. I suppose I could have the login page in the main site (ie not
    in the secured bit), so there wouldn't be any problem getting at it when
    not logged in.

    <snip>
    >At the end of the day though, you're just practicing security through
    >obscurity. Sure, do this if you want to, but I'd rather devote time and
    >energy to making my site secure even if someone discovers the
    >"protected" site. And this page will only stay hidden for so long. Once
    >it's out in the open (and if it's believed the contents are high
    >valued, and people suspect that you've hidden the login page as a
    >security measure), you may be *more* likely to be attacked.


    OK, maybe I didn't make myself quite clear enough. The problem I have is
    that one of the pages in the secured folder generates a printable
    invoice. This means that when the site owner prints an invoice, the URL
    of this page will be shown in the footer. This is basically an
    invitation to try loading the page. If an unauthorised user tries to
    load the page, they get sent to the login page, which is an invitation
    to try gaining access.

    So, without any security measures, the simple act of sending out
    invoices encourages ordinary people to try and hack the site.

    My intention is to use URL rewriting so that the URL shown at the bottom
    of the page is something like http://domain/order23.aspx, which is a
    non-existent page. If they try to load it, they get a 404, which will
    discourage 99.999% of people. That's a very good start.

    Obviously there will always be determined hackers. This approach is not
    expected to stop them, it is intended to keep the vast majority of
    curious customers away from the protected part of the site. The issue of
    securing the protected part from serious hackers is a separate one.

    >The simple fact of the matter is: all web servers/web sites which are
    >exposed to the internet get attacked.


    Correct, and anything you can do to protect the server is worthwhile.
    This approach is intended to keep the vast majority of interested, but
    non-malicious people away from the private section of the site.

    Thanks for the reply. Any further comments?

    --
    Alan Silver
    (anything added below this line is nothing to do with me)
     
    Alan Silver, Jan 3, 2006
    #4
  5. Alan Silver

    Alan Silver Guest

    >If I understand correctly.....
    >
    >... you want to permit authorised users to be allowed to visit domain/a, but
    >you don't want to invoke the asp standard response of sending all unauth'd
    >requests to the login page.


    Correct so far ;-)

    > In this case you need to make your own link to
    >the username/password page from somewhere in domain/. Then you should
    >protect the domain/a directory with Forms authentication, but using as the
    >login page something like a 404, with no reference to logging in. This means
    >that genuine users need to know they should login officially using the link
    >you provide - they can't just navigate to domain/a and get redirected to the
    >login page. Otherwise I don't see how you can distinguish between genuine
    >"not logged in yet" users, and nasty creatures of the night.


    OK, I tried that, but couldn't get it to work. I modified the web.config
    file shown below to have the loginUrl set to the main home page. Trouble
    was that even if I tried to load the login page directly, I just got
    sent back to the home page!!

    Any more ideas? Thanks


    --
    Alan Silver
    (anything added below this line is nothing to do with me)
     
    Alan Silver, Jan 3, 2006
    #5
  6. RE: How do I protect my login page from prying eyes (forms authentication)

    Hey Alan...create another folder and in there put all pages that you want to
    be accessed by everyone without login. That's what I normally do. In the
    Web.Config file of that folder allow all users to access it.

    Kev.

     
    Kev.NET, Jan 3, 2006
    #6
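    A web.config for the protected /a/ application that puts KMA's idea (a loginUrl that looks like a 404), Kev's "open folder" idea and the explicit allow rule Alan's attempt was missing into one file. This is an added example, not configuration posted in the thread; the page name NotFound.aspx and the folder name "public" are assumed.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />
    <!-- Unauthenticated requests to any protected page are redirected here.
         NotFound.aspx (assumed name) should set Response.StatusCode = 404 and
         say nothing about logging in. Note that ASP.NET appends
         ?ReturnUrl=<requested path> to this redirect; NotFound.aspx must
         ignore that parameter rather than echo or follow it. -->
    <authentication mode="Forms">
      <forms loginUrl="~/NotFound.aspx" />
    </authentication>
    <!-- Default for the whole application: anonymous users ("?") are denied. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The real login page, reached only through a link you publish on the
       public site. Without this rule the deny above applies to Login.aspx
       too, and it is bounced to loginUrl; that is what Alan saw when he
       pointed loginUrl at the home page. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The 404-lookalike must itself be reachable anonymously. Some ASP.NET
       versions exempt the loginUrl page automatically; an explicit rule
       costs nothing and does not rely on that. -->
  <location path="NotFound.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Kev's variant: a whole folder of pages open to everyone. The same
       effect can be had with a Web.config inside the folder that contains
       only the authorization element below. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

    As Damien points out, this hides the login prompt from casual visitors only; the pages under /a/ still have to hold up on their own once someone knows they exist.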
  7. Alan Silver

    Damien Guest

    Have the secure website generate invoices in the non-secure site,
    redirect to there, prompt for printing (and have a service that deletes
    these temp files after (5, 30, 2400) minutes, depending on your
    security requirements). Or generate the invoices as rtf files (which
    should download locally before printing).

    Either way, accept the fact that people will attempt to hack your site.
    There's nowt you can do to affect that.

    Damien
     
    Damien, Jan 3, 2006
    #7
  8. Alan Silver

    Alan Silver Guest

    >Have the secure website generate invoices in the non-secure site,
    >redirect to there, prompt for printing (and have a service that deletes
    >these temp files after (5, 30, 2400) minutes, depending on your
    >security requirements). Or generate the invoices as rtf files (which
    >should download locally before printing).


    Some good ideas there, thank you.

    >Either way, accept the fact that people will attempt to hack your site.
    >There's nowt you can do to affect that.


    Oh I know that. I have other security measures in place and am looking
    into others.

    Thanks for the reply.

    --
    Alan Silver
    (anything added below this line is nothing to do with me)
     
    Alan Silver, Jan 3, 2006
    #8