How do I protect my login page from prying eyes (forms authentication)?

Alan Silver

Hello,

Sorry this is a bit wordy, but it's a pretty simple question...


I have a web site, http://domain/ which is a public site, part of which
(http://domain/a/) is protected by forms authentication.

I would like to configure it so that anyone not logged in, trying to
access the protected part will not be redirected to the login page, but
will be sent to the main site's home page. The reason is that I have
a page in the protected part where the site owner prints out order
details to send to the customer. As most browsers put the URL at the
bottom of a printed web page, the customer will see
http://domain/a/orders.aspx?orderid=23 and will then try to load that
page. If they are redirected to a login page, it encourages hackers to
try and break in. If they are redirected to the main home page, or given
a 404, they will not know of the existence of the protected part.

So, any ideas how I do this? I tried setting the loginUrl (in
web.config) to the home page, but this stops anyone from logging in,
even if they enter the URL to the login page.

Currently, the main site does not have a web.config, and the protected
part (which is a separate application) has the following...

<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

This works, except it shows the login page to everyone. Any idea how I
can prevent this? TIA
 
KMA

If I understand correctly.....

.... you want to permit authorised users to be allowed to visit domain/a, but
you don't want to invoke the asp standard response of sending all unauth'd
requests to the login page. In this case you need to make your own link to
the username/password page from somewhere in domain/. Then you should
protect the domain/a directory with Forms authentication, but using as the
login page something like a 404, with no reference to logging in. This means
that genuine users need to know they should login officially using the link
you provide - they can't just navigate to domain/a and get redirected to the
login page. Otherwise I don't see how you can distinguish between genuine
"not logged in yet" users, and nasty creatures of the night.
 
Damien

Hi Alan,

Sounds a bit like chicken and egg. The forms authentication needs to
know which page is the login page, otherwise it cannot provide access
to that page and bypass the authentication for it.

That being said, you may be able to check the RETURNURL parameter in
the querystring during Page Load of your login page, and if you've come
from somewhere else, redirect to the homepage. (I don't use Forms
Authentication myself, and for all I know ASP.NET may sneakily hide
that parameter from you)

At the end of the day though, you're just practicing security through
obscurity. Sure, do this if you want to, but I'd rather devote time and
energy to making my site secure even if someone discovers the
"protected" site. And this page will only stay hidden for so long. Once
it's out in the open (and if it's believed the contents are high
valued, and people suspect that you've hidden the login page as a
security measure), you may be *more* likely to be attacked.

The simple fact of the matter is: all web servers/web sites which are
exposed to the internet get attacked.

Damien
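Damien's ReturnUrl idea, written out as an added example (this is not code from anyone in the thread). It keeps Alan's web.config as-is, with loginUrl still pointing at Login.aspx, and assumes ASP.NET Membership for the credential check, controls named UserName, Password and FailureText on the page, and a placeholder PublicHomeUrl for the public site's home page.

```csharp
// Login.aspx.cs: code-behind for the Login.aspx named as loginUrl in web.config.
// Forms Authentication always lets anonymous users reach the loginUrl page,
// so the page itself decides who gets to see the form.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed: the public site's home page (Alan's http://domain/).
    private const string PublicHomeUrl = "/";

    protected void Page_Load(object sender, EventArgs e)
    {
        // When an anonymous request hits a page under /a/, Forms Authentication
        // redirects to Login.aspx?ReturnUrl=<the page that was requested>.
        // A visitor who followed a printed invoice URL therefore arrives with
        // ReturnUrl set; a visitor who used the site's own login link does not.
        if (!string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
        {
            // Bounced from the protected area: show the public home page instead.
            Response.Redirect(PublicHomeUrl, true);
        }
        // No ReturnUrl: fall through and render the login form normally.
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Assumed: ASP.NET Membership holds the site owner's credentials, and
        // UserName, Password and FailureText are controls on Login.aspx.
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // With no ReturnUrl on this request, RedirectFromLoginPage sends the
            // user to the <forms defaultUrl="..."> page (default.aspx if unset).
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            FailureText.Text = "Login failed.";
        }
    }
}
```

Because Login.aspx stays the loginUrl, the explicit link still works and only requests that Forms Authentication bounced there (which carry ReturnUrl) go to the home page. A request for Login.aspx without the parameter still shows the form, so, as Damien says, this only deters the curious, not a determined visitor.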
 
Alan Silver

> Sounds a bit like chicken and egg. The forms authentication needs to
> know which page is the login page, otherwise it cannot provide access
> to that page and bypass the authentication for it.

Guess so. I suppose I could have the login page in the main site (ie not
in the secured bit), so there wouldn't be any problem getting at it when
not logged in.

> At the end of the day though, you're just practicing security through
> obscurity. Sure, do this if you want to, but I'd rather devote time and
> energy to making my site secure even if someone discovers the
> "protected" site. And this page will only stay hidden for so long. Once
> it's out in the open (and if it's believed the contents are high
> valued, and people suspect that you've hidden the login page as a
> security measure), you may be *more* likely to be attacked.

OK, maybe I didn't make myself quite clear enough. The problem I have is
that one of the pages in the secured folder generates a printable
invoice. This means that when the site owner prints an invoice, the URL
of this page will be shown in the footer. This is basically an
invitation to try loading the page. If an unauthorised user tries to
load the page, they get sent to the login page, which is an invitation
to try gaining access.

So, without any security measures, the simple act of sending out
invoices encourages ordinary people to try and hack the site.

My intention is to use URL rewriting so that the URL shown at the bottom
of the page is something like http://domain/order23.aspx, which is a
non-existent page. If they try to load it, they get a 404, which will
discourage 99.999% of people. That's a very good start.

Obviously there will always be determined hackers. This approach is not
expected to stop them, it is intended to keep the vast majority of
curious customers away from the protected part of the site. The issue of
securing the protected part from serious hackers is a separate one.

> The simple fact of the matter is: all web servers/web sites which are
> exposed to the internet get attacked.

Correct, and anything you can do to protect the server is worthwhile.
This approach is intended to keep the vast majority of interested, but
non-malicious people away from the private section of the site.

Thanks for the reply. Any further comments?
 
Alan Silver

> If I understand correctly.....
> ... you want to permit authorised users to be allowed to visit domain/a, but
> you don't want to invoke the asp standard response of sending all unauth'd
> requests to the login page.

Correct so far ;-)

> In this case you need to make your own link to
> the username/password page from somewhere in domain/. Then you should
> protect the domain/a directory with Forms authentication, but using as the
> login page something like a 404, with no reference to logging in. This means
> that genuine users need to know they should login officially using the link
> you provide - they can't just navigate to domain/a and get redirected to the
> login page. Otherwise I don't see how you can distinguish between genuine
> "not logged in yet" users, and nasty creatures of the night.

OK, I tried that, but couldn't get it to work. I modified the web.config
file shown below to have the loginUrl set to the main home page. Trouble
was that even if I tried to load the login page directly, I just got
sent back to the home page!!

Any more ideas? Thanks
 
Guest

Hey Alan...create another folder and in there put all pages that you want to
be accessed by everyone without login. That's what I normally do. In the
Web.Config file of that folder allow all users to access it.

Kev.
 
Damien

Alan said:
> Guess so. I suppose I could have the login page in the main site (ie not
> in the secured bit), so there wouldn't be any problem getting at it when
> not logged in.
>
> OK, maybe I didn't make myself quite clear enough. The problem I have is
> that one of the pages in the secured folder generates a printable
> invoice. This means that when the site owner prints an invoice, the URL
> of this page will be shown in the footer. This is basically an
> invitation to try loading the page. If an unauthorised user tries to
> load the page, they get sent to the login page, which is an invitation
> to try gaining access.
>
> So, without any security measures, the simple act of sending out
> invoices encourages ordinary people to try and hack the site.
>
> My intention is to use URL rewriting so that the URL shown at the bottom
> of the page is something like http://domain/order23.aspx, which is a
> non-existent page. If they try to load it, they get a 404, which will
> discourage 99.999% of people. That's a very good start.
>
> Obviously there will always be determined hackers. This approach is not
> expected to stop them, it is intended to keep the vast majority of
> curious customers away from the protected part of the site. The issue of
> securing the protected part from serious hackers is a separate one.

Have the secure website generate invoices in the non-secure site,
redirect to there, prompt for printing (and have a service that deletes
these temp files after (5, 30, 2400) minutes, depending on your
security requirements). Or generate the invoices as rtf files (which
should download locally before printing).

Either way, accept the fact that people will attempt to hack your site.
There's nowt you can do to affect that.

Damien
 
Alan Silver

> Have the secure website generate invoices in the non-secure site,
> redirect to there, prompt for printing (and have a service that deletes
> these temp files after (5, 30, 2400) minutes, depending on your
> security requirements). Or generate the invoices as rtf files (which
> should download locally before printing).

Some good ideas there, thank you.

> Either way, accept the fact that people will attempt to hack your site.
> There's nowt you can do to affect that.

Oh I know that. I have other security measures in place and am looking
into others.

Thanks for the reply.
 
