How do I protect my login page from prying eyes (forms authentication)?

Discussion in 'ASP .Net' started by Alan Silver, Jan 3, 2006.

  1. Alan Silver


    Sorry this is a bit wordy, but it's a pretty simple question...

    I have a web site, http://domain/ which is a public site, part of which
    (http://domain/a/) is protected by forms authentication.

    I would like to configure it so that anyone not logged in, trying to
    access the protected part will not be redirected to the login page, but
    will be sent to the main site's home page. The reason is because I have
    a page in the protected part where the site owner prints out order
    details to send to the customer. As most browsers put the URL at the
    bottom of a printed web page, the customer will see
    http://domain/a/orders.aspx?orderid=23 and will then try to load that
    page. If they are redirected to a login page, it encourages hackers to
    try and break in. If they are redirected to the main home page, or given
    a 404, they will not know of the existence of the protected part.

    So, any ideas how I do this? I tried setting the loginUrl (in
    web.config) to the home page, but this stops anyone from logging in,
    even if they enter the URL to the login page.

    Currently, the main site does not have a web.config, and the protected
    part (which is a separate application) has the following...

    <compilation defaultLanguage="c#" />
    <authentication mode="Forms">
        <forms loginUrl="~/Login.aspx" />
    </authentication>
    <authorization>
        <deny users="?" />
    </authorization>

    This works, except it shows the login page to everyone. Any idea how I
    can prevent this? TIA
    Alan Silver, Jan 3, 2006

  2. KMA

    If I understand correctly.....

    .... you want to permit authorised users to be allowed to visit domain/a, but
    you don't want to invoke the asp standard response of sending all unauth'd
    requests to the login page. In this case you need to make your own link to
    the username/password page from somewhere in domain/. Then you should
    protect the domain/a directory with Forms authentication, but using as the
    login page something like a 404, with no reference to logging in. This means
    that genuine users need to know they should login officially using the link
    you provide - they can't just navigate to domain/a and get redirected to the
    login page. Otherwise I don't see how you can distinguish between genuine
    "not logged in yet" users, and nasty creatures of the night.
    KMA, Jan 3, 2006

  3. Damien

    Hi Alan,

    Sounds a bit like chicken and egg. The forms authentication needs to
    know which page is the login page, otherwise it cannot provide access
    to that page and bypass the authentication for it.

    That being said, you may be able to check the RETURNURL parameter in
    the querystring during Page Load of your login page, and if you've come
    from somewhere else, redirect to the homepage. (I don't use Forms
    Authentication myself, and for all I know ASP.NET may sneakily hide
    that parameter from you)

    At the end of the day though, you're just practicing security through
    obscurity. Sure, do this if you want to, but I'd rather devote time and
    energy to making my site secure even if someone discovers the
    "protected" site. And this page will only stay hidden for so long. Once
    it's out in the open (and if it's believed the contents are high
    valued, and people suspect that you've hidden the login page as a
    security measure), you may be *more* likely to be attacked.

    The simple fact of the matter is: all web servers/web sites which are
    exposed to the internet get attacked.

    Damien, Jan 3, 2006
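Damien's ReturnUrl check, written out as an added example in the form of a Login.aspx code-behind; it is not code from the original thread. Forms authentication does not hide the parameter: when it bounces an unauthenticated request to the loginUrl page it appends ReturnUrl=<requested path> to the query string, so its presence distinguishes a customer who typed the URL from a printed invoice from the site owner who opened the login page directly. The control names (UserName, Password, FailureText, LoginButton), the use of the ASP.NET 2.0 Membership provider for the credential check and the public home page URL are assumptions.

```csharp
// Added example (not from the original thread): code-behind for the real
// login page inside the protected application (http://domain/a/Login.aspx).
// Control names, Membership usage and PublicHomeUrl are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // Where uninvited visitors are sent. An absolute URL because the public
    // site is a separate application from /a/ (assumption).
    private const string PublicHomeUrl = "http://domain/";

    protected void Page_Load(object sender, EventArgs e)
    {
        // The forms authentication module appends ?ReturnUrl=<original path>
        // when it redirects an unauthenticated request here. A customer who
        // followed the URL on a printed invoice arrives with that parameter;
        // the owner, who follows the link you give them, arrives without it.
        //
        // Check on every request, not only the first GET: a crafted POST that
        // carries a ReturnUrl must not reach LoginButton_Click, otherwise
        // RedirectFromLoginPage would honour it after a successful login.
        if (Request.QueryString["ReturnUrl"] != null)
        {
            // Send them to the public site. Never echo ReturnUrl back.
            Response.Redirect(PublicHomeUrl, true);
        }
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Membership.ValidateUser is the ASP.NET 2.0 provider call (assumed
        // here); substitute your own credential check if you do not use it.
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // Anyone carrying a ReturnUrl was turned away in Page_Load, so
            // this always lands on the configured defaultUrl rather than on
            // an attacker-supplied ReturnUrl (no open redirect).
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            // One generic message whether the user name or the password was
            // wrong, so the form does not confirm which accounts exist.
            FailureText.Text = "Login failed.";
        }
    }
}
```

With this in place the login page still has to be reachable anonymously (it remains the page named in loginUrl), but an unauthenticated visitor only ever sees it when they navigate to it deliberately without a ReturnUrl; every redirect from a protected page ends up on the public home page instead.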
  4. Alan Silver

    > Sounds a bit like chicken and egg. The forms authentication needs to
    Guess so. I suppose I could have the login page in the main site (ie not
    in the secured bit), so there wouldn't be any problem getting at it when
    not logged in.

    OK, maybe I didn't make myself quite clear enough. The problem I have is
    that one of the pages in the secured folder generates a printable
    invoice. This means that when the site owner prints an invoice, the URL
    of this page will be shown in the footer. This is basically an
    invitation to try loading the page. If an unauthorised user tries to
    load the page, they get sent to the login page, which is an invitation
    to try gaining access.

    So, without any security measures, the simple act of sending out
    invoices encourages ordinary people to try and hack the site.

    My intention is to use URL rewriting so that the URL shown at the bottom
    of the page is something like http://domain/order23.aspx, which is a
    non-existent page. If they try to load it, they get a 404, which will
    discourage 99.999% of people. That's a very good start.

    Obviously there will always be determined hackers. This approach is not
    expected to stop them, it is intended to keep the vast majority of
    curious customers away from the protected part of the site. The issue of
    securing the protected part from serious hackers is a separate one.

    Correct, and anything you can do to protect the server is worthwhile.
    This approach is intended to keep the vast majority of interested, but
    non-malicious people away from the private section of the site.

    Thanks for the reply. Any further comments?
    Alan Silver, Jan 3, 2006
  5. Alan Silver

    > If I understand correctly.....
    Correct so far ;-)

    OK, I tried that, but couldn't get it to work. I modified the web.config
    file shown below to have the loginUrl set to the main home page. Trouble
    was that even if I tried to load the login page directly, I just got
    sent back to the home page!!

    Any more ideas? Thanks
    Alan Silver, Jan 3, 2006
  6. Guest

    Hey Alan... create another folder and in there put all pages that you want to
    be accessed by everyone without login. That's what I normally do. In the
    Web.Config file of that folder allow all users to access it.

    Guest, Jan 3, 2006
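The configuration KMA and the Guest poster describe, written out as an added example web.config for the protected application; it is not from the original thread. It also explains the failure Alan reports in the fifth post: the forms authentication module only exempts the page named in loginUrl from the deny-anonymous rule, so pointing loginUrl at the public home page locked the real Login.aspx out as well. The fix is to keep loginUrl pointing at a decoy page inside the protected application (NotFound.aspx here, an assumed name) and to reopen the real login page with a location element, which is the per-path equivalent of the Guest's separate folder with its own web.config. The page names, the cookie name and the SSL requirement are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example web.config for the protected application (http://domain/a/);
     not from the original thread. NotFound.aspx, Login.aspx, the cookie name
     and requireSSL are assumptions. -->
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />

    <!-- Unauthenticated requests are redirected to a decoy page that answers
         like a 404 and carries no login form, so the URL printed on an
         invoice leads a curious customer to a dead end, not to a login box. -->
    <authentication mode="Forms">
      <forms loginUrl="~/NotFound.aspx"
             name=".a_auth"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- Everything under /a/ is denied to anonymous users by default. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The real login page must be reachable anonymously, otherwise the runtime
       bounces it to loginUrl as well (the chicken-and-egg problem). Only the
       page named in loginUrl is exempted automatically; this element opens
       Login.aspx explicitly. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

NotFound.aspx should set Response.StatusCode to 404 in its code-behind and render the same body as the site's ordinary missing-page response, so that a customer who types the URL from a printed invoice sees a plain not-found page with no hint of a login form. The owner reaches Login.aspx only through the link you give them, exactly as KMA describes; nothing in the protected area ever redirects there.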
  7. Damien

    Have the secure website generate invoices in the non-secure site,
    redirect to there, prompt for printing (and have a service that deletes
    these temp files after (5, 30, 2400) minutes, depending on your
    security requirements. Or generate the invoices as rtf files (which
    should download locally before printing).

    Either way, accept the fact that people will attempt to hack your site.
    There's nowt you can do to affect that.

    Damien, Jan 3, 2006
  8. Alan Silver

    > Have the secure website generate invoices in the non-secure site,
    Some good ideas there, thank you.

    Oh I know that. I have other security measures in place and am looking
    into others.

    Thanks for the reply.
    Alan Silver, Jan 3, 2006
