I have two web applications and both are developed in ASP.NET. Now I want to provide a feature which enables the user to click from one URL in application site (one virtual directory of IIS) A to the other URL in application site B (another virtual directory of IIS).
我有两个Web应用程序,都是在ASP.NET中开发的。现在我想提供一个功能,使用户能够从应用程序站点(IIS的一个虚拟目录)A中的一个URL单击应用程序站点B中的另一个URL(IIS的另一个虚拟目录)。
I have two ideas to implement them, but both of them have issues. I want to know what solution should be optimum solution?
我有两个想法来实现它们,但它们都有问题。我想知道什么解决方案应该是最佳解决方案?
Solution 1: using cookie, so from both application sites, we could retrieve user ID information from reading cookie, but I am afraid if cookie is disabled in browser, this "jump" feature never works.
解决方案1:使用cookie,因此从两个应用程序站点,我们都可以从读取cookie中检索用户ID信息,但我担心如果在浏览器中禁用cookie,这种“跳转”功能永远不会起作用。
Solution 2: When the user redirects to an URL in another site, I could append user ID after the URL, I could redirect to this URL in another site http://www.anotherapplicationsite.com/somesuburl?userID=foo, but I am afraird that in this way userID will be exposed easily which raise security issues.
解决方案2:当用户重定向到另一个站点中的URL时,我可以在URL后附加用户ID,我可以在另一个站点http://www.anotherapplicationsite.com/somesuburl?userID=foo中重定向到此URL,但是我很抱歉,这样会轻易暴露userID,从而引发安全问题。
6 个解决方案
#1
I don't think 1) will work due to browser security (cookies from one domain cannot be read by another domain). I would go with 2), except I would encrypt the querystring value.
我不认为1)由于浏览器安全性而起作用(来自一个域的cookie不能被另一个域读取)。我会选择2),除了我会加密查询字符串值。
EDIT: For more info on cookie privacy/security issues, check out the "Privacy and third-party cookies" section here.
编辑:有关cookie隐私/安全问题的更多信息,请查看此处的“隐私和第三方Cookie”部分。
#2
I work with this sort of thing a lot. What you're looking for sounds like a candidate Single Sign-on solution or Federated Security.
我经常使用这类东西。你正在寻找的东西听起来像候选单点登录解决方案或联邦安全。
You might try doing something similar to the following:
您可以尝试执行类似以下操作:
-
Create a simple db or other sort of table storage with two columns "nonce" and "username"
创建一个简单的数据库或其他类型的表存储,其中包含两列“nonce”和“username”
-
When you build the link to the other site create a GUID or other unique identifier to use as a one-time nonce, passing it as a querystring ?id=. Insert an entry into the table with the current authenticated username and the unique identifier you created.
当您构建到其他站点的链接时,创建一个GUID或其他唯一标识符以用作一次性随机数,并将其作为查询字符串传递?id =。使用当前经过身份验证的用户名和您创建的唯一标识符在表中插入一个条目。
-
When you reach the destination of your link, pass the unique identifier to call a webservice that will will match up the identifier with the username in the database you inserted before jumping to the second site (secure this with ssl).
当您到达链接的目的地时,传递唯一标识符以调用web服务,该服务将使标识符与您在跳转到第二个站点之前插入的数据库中的用户名相匹配(使用ssl保护此设置)。
-
If the nonce checks out with a valid username, you're all set. The webservice should remove the used entry and the table should stay more or less empty any time you are not in the middle of a transaction.
如果nonce使用有效的用户名签出,那么你已经完成了设置。 Web服务应删除已使用的条目,并且在您不处于事务中间时,表应保持或多或少为空。
It is also good to include a datetime in your nonce/username table and expire it in 60 seconds or less to minimize the risk of replay attacks. We also require client certificates for external applications to call the webservice in order to verify the identity of the caller. Internal applications don't really necessitate using client certificates.
在nonce / username表中包含日期时间并在60秒或更短时间内使其过期以最大限度地降低重放攻击的风险也是很好的。我们还要求外部应用程序的客户端证书调用Web服务以验证调用者的身份。内部应用程序并不需要使用客户端证书。
A nice thing about this is that it scales fairly well to as many sites as you would like to use
关于这一点的一个好处是,它可以很好地扩展到您想要使用的多个站点
Not perfect security, but we've never had a significant compromise with a such as system.
不完美的安全性,但我们从来没有与诸如系统的重大妥协。
#3
As long as you have a good authentication system in place on the second website I think solution 2 is the one for you, taking into account the remark Andrew made about the sensitive ID's of course.
只要您在第二个网站上有一个良好的身份验证系统,我认为解决方案2是适合您的,考虑到安德鲁对敏感ID的评论当然。
For more information on encryption: check the documentation of the FormsAuthentication.Encrypt Method . I think they even do something with writing a value in a cookie in that example.
有关加密的更多信息:请查看FormsAuthentication.Encrypt方法的文档。我认为他们甚至在这个例子中用cookie写一个值。
#4
If you put the userid in a query string and that's all the 2nd app uses to allow login, what's to keep me from manually typing in other users id's? You'd still have to prompt for password on the new site.
如果你把userid放在一个查询字符串中,并且所有第二个应用程序都用来允许登录,那么是什么让我不能手动输入其他用户id?您仍然需要在新网站上提示输入密码。
I'd use a database to hold login information, and have both sites reference that same db. Use it like you'd use a session.
我使用数据库来保存登录信息,并让两个站点引用相同的数据库。像使用会话一样使用它。
D
#5
What are you using as the user's id? If you are using their social security number or email (something sensitive) then you are going to want to encrypt the value before you put it on the query string. Otherwise (if the user's id is something ambiguous like an integer or a GUID) it should be fine to put the id on the query string.
您使用什么作为用户的ID?如果您使用他们的社会安全号码或电子邮件(敏感的东西),那么您将要在将值放入查询字符串之前加密该值。否则(如果用户的id是像整数或GUID那样模糊不清),将id放在查询字符串上应该没问题。
#6
using cross domain, you can not SHARE the session, so I was thinking about POST
使用跨域,你不能分享会话,所以我在考虑POST
idea 1
if afraid of "showing" the username in the address, why not sending a POST?
如果害怕“显示”地址中的用户名,为什么不发送POST?
<form name="myForm" action="http://www.mydomain.com/myLandingPage.aspx">
<input type="hidden" id="userid" value="myUsername" />
<a href="javascript:myForm.Submit();">click here</a>
</form>
but then... off course, "View Source Code" will show it
但是......当然,“查看源代码”会显示出来
idea 2
then.. I remembered that I do the same, but sending a Encrypted string like:
然后..我记得我也这样做,但发送一个加密的字符串,如:
http://www.anotherapplicationsite.com/somesuburl?userID=HhN01vcEEtMmwdNFliM8QYg+Y89xzBOJJG+BH/ARC7g=
you can use Rijndael algorithm to perform this, link below has VB and C# code:
您可以使用Rijndael算法执行此操作,下面的链接有VB和C#代码:
http://www.obviex.com/samples/EncryptionWithSalt.aspx
then in site 2, just Decrypt and check if the user exists... if it does, continue, if not saying that the user tried to temper the query string :)
然后在站点2中,只解密并检查用户是否存在...如果存在,继续,如果不是说用户试图调查查询字符串:)
#1
I don't think 1) will work due to browser security (cookies from one domain cannot be read by another domain). I would go with 2), except I would encrypt the querystring value.
我不认为1)由于浏览器安全性而起作用(来自一个域的cookie不能被另一个域读取)。我会选择2),除了我会加密查询字符串值。
EDIT: For more info on cookie privacy/security issues, check out the "Privacy and third-party cookies" section here.
编辑:有关cookie隐私/安全问题的更多信息,请查看此处的“隐私和第三方Cookie”部分。
#2
I work with this sort of thing a lot. What you're looking for sounds like a candidate Single Sign-on solution or Federated Security.
我经常使用这类东西。你正在寻找的东西听起来像候选单点登录解决方案或联邦安全。
You might try doing something similar to the following:
您可以尝试执行类似以下操作:
-
Create a simple db or other sort of table storage with two columns "nonce" and "username"
创建一个简单的数据库或其他类型的表存储,其中包含两列“nonce”和“username”
-
When you build the link to the other site create a GUID or other unique identifier to use as a one-time nonce, passing it as a querystring ?id=. Insert an entry into the table with the current authenticated username and the unique identifier you created.
当您构建到其他站点的链接时,创建一个GUID或其他唯一标识符以用作一次性随机数,并将其作为查询字符串传递?id =。使用当前经过身份验证的用户名和您创建的唯一标识符在表中插入一个条目。
-
When you reach the destination of your link, pass the unique identifier to call a webservice that will will match up the identifier with the username in the database you inserted before jumping to the second site (secure this with ssl).
当您到达链接的目的地时,传递唯一标识符以调用web服务,该服务将使标识符与您在跳转到第二个站点之前插入的数据库中的用户名相匹配(使用ssl保护此设置)。
-
If the nonce checks out with a valid username, you're all set. The webservice should remove the used entry and the table should stay more or less empty any time you are not in the middle of a transaction.
如果nonce使用有效的用户名签出,那么你已经完成了设置。 Web服务应删除已使用的条目,并且在您不处于事务中间时,表应保持或多或少为空。
It is also good to include a datetime in your nonce/username table and expire it in 60 seconds or less to minimize the risk of replay attacks. We also require client certificates for external applications to call the webservice in order to verify the identity of the caller. Internal applications don't really necessitate using client certificates.
在nonce / username表中包含日期时间并在60秒或更短时间内使其过期以最大限度地降低重放攻击的风险也是很好的。我们还要求外部应用程序的客户端证书调用Web服务以验证调用者的身份。内部应用程序并不需要使用客户端证书。
A nice thing about this is that it scales fairly well to as many sites as you would like to use
关于这一点的一个好处是,它可以很好地扩展到您想要使用的多个站点
Not perfect security, but we've never had a significant compromise with a such as system.
不完美的安全性,但我们从来没有与诸如系统的重大妥协。
#3
As long as you have a good authentication system in place on the second website I think solution 2 is the one for you, taking into account the remark Andrew made about the sensitive ID's of course.
只要您在第二个网站上有一个良好的身份验证系统,我认为解决方案2是适合您的,考虑到安德鲁对敏感ID的评论当然。
For more information on encryption: check the documentation of the FormsAuthentication.Encrypt Method . I think they even do something with writing a value in a cookie in that example.
有关加密的更多信息:请查看FormsAuthentication.Encrypt方法的文档。我认为他们甚至在这个例子中用cookie写一个值。
#4
If you put the userid in a query string and that's all the 2nd app uses to allow login, what's to keep me from manually typing in other users id's? You'd still have to prompt for password on the new site.
如果你把userid放在一个查询字符串中,并且所有第二个应用程序都用来允许登录,那么是什么让我不能手动输入其他用户id?您仍然需要在新网站上提示输入密码。
I'd use a database to hold login information, and have both sites reference that same db. Use it like you'd use a session.
我使用数据库来保存登录信息,并让两个站点引用相同的数据库。像使用会话一样使用它。
D
#5
What are you using as the user's id? If you are using their social security number or email (something sensitive) then you are going to want to encrypt the value before you put it on the query string. Otherwise (if the user's id is something ambiguous like an integer or a GUID) it should be fine to put the id on the query string.
您使用什么作为用户的ID?如果您使用他们的社会安全号码或电子邮件(敏感的东西),那么您将要在将值放入查询字符串之前加密该值。否则(如果用户的id是像整数或GUID那样模糊不清),将id放在查询字符串上应该没问题。
#6
using cross domain, you can not SHARE the session, so I was thinking about POST
使用跨域,你不能分享会话,所以我在考虑POST
idea 1
if afraid of "showing" the username in the address, why not sending a POST?
如果害怕“显示”地址中的用户名,为什么不发送POST?
<form name="myForm" action="http://www.mydomain.com/myLandingPage.aspx">
<input type="hidden" id="userid" value="myUsername" />
<a href="javascript:myForm.Submit();">click here</a>
</form>
but then... off course, "View Source Code" will show it
但是......当然,“查看源代码”会显示出来
idea 2
then.. I remembered that I do the same, but sending a Encrypted string like:
然后..我记得我也这样做,但发送一个加密的字符串,如:
http://www.anotherapplicationsite.com/somesuburl?userID=HhN01vcEEtMmwdNFliM8QYg+Y89xzBOJJG+BH/ARC7g=
you can use Rijndael algorithm to perform this, link below has VB and C# code:
您可以使用Rijndael算法执行此操作,下面的链接有VB和C#代码:
http://www.obviex.com/samples/EncryptionWithSalt.aspx
then in site 2, just Decrypt and check if the user exists... if it does, continue, if not saying that the user tried to temper the query string :)
然后在站点2中,只解密并检查用户是否存在...如果存在,继续,如果不是说用户试图调查查询字符串:)