Geeks With Blogs
Benjamin Howarth, Code Gecko

I came across an interesting problem on Friday (which is why I'm blogging about it on Sunday evening - I've been working to fix this problem over the weekend!), regarding pre-authenticated links for secured areas of ASP.NET websites.

A very large and reputable client of our firm has an email sent out to them daily containing business-critical development information and a link to an online reporting feature. They asked whether we could arrange for the link to bypass the normal login system, so that when a recipient of this email clicked the link it would automatically authenticate them and take them straight to the appropriate reporting screens.

Now, our problem was that the site we've built doesn't use any of ASP.NET's built-in authentication modes (Windows, Forms or Passport). It uses an underlying "SecureAdmin" class that inherits from System.Web.UI.Page and performs the authentication check for each page we want "protected", with the auth data stored in Session - not the greatest way to do things. So I couldn't use FormsAuthentication.SetAuthCookie(), which would have given me a nice easy way to log the user in once a hashed key carried in the link had been verified.

However, I did get it working. I added a "secret" field to the Users table in our database, and this secret is regenerated for every user each time the notification emails are sent out. The link included in the email then carries the new key as a URL parameter, so pre-authentication works without exposing a username or password.
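The post can't show its own code, so here is an added example (mine, not the author's) of the one-time key scheme it describes, written as a stand-alone C# console program with the checks a reviewer would ask for: the key is 256 bits from the OS CSPRNG rather than a GUID, only its SHA-256 hash is stored, it expires, it is consumed on first use, and it only opens the one page it was issued for. The in-memory Table stands in for the secret column on the Users table; all class, method and path names are invented.

```csharp
// Added example, not the post's own code. An in-memory table stands in for the
// "secret" column on the Users table; class, method and path names are invented.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class LoginKeyRecord
{
    public int UserId;
    public string AllowedPath;   // the one page this key may open
    public DateTime ExpiresUtc;
    public bool Used;
}

public static class OneTimeLoginKeys
{
    // Rows are keyed by the SHA-256 of the raw key, so a copy of the table cannot be
    // turned back into working links. No constant-time compare is needed: the lookup is on a hash.
    private static readonly Dictionary<string, LoginKeyRecord> Table =
        new Dictionary<string, LoginKeyRecord>(StringComparer.Ordinal);

    // Issue a fresh key for one user; the return value goes after "?key=" in the email link.
    public static string Issue(int userId, string allowedPath, TimeSpan lifetime)
    {
        // One live key per user: issuing a new one revokes the previous one, which is
        // the "secret changes on every send" behaviour from the post.
        var stale = new List<string>();
        foreach (var row in Table)
            if (row.Value.UserId == userId) stale.Add(row.Key);
        foreach (var fingerprint in stale) Table.Remove(fingerprint);

        var raw = new byte[32];                          // 256 bits from the OS CSPRNG;
        using (var rng = new RNGCryptoServiceProvider()) // GUIDs are unique, not documented
            rng.GetBytes(raw);                           // as cryptographically random

        Table[Fingerprint(raw)] = new LoginKeyRecord
        {
            UserId = userId,
            AllowedPath = allowedPath,
            ExpiresUtc = DateTime.UtcNow + lifetime,
            Used = false
        };
        return UrlSafe(raw);
    }

    // Returns the user id when the key is valid for the requested page, otherwise null.
    // Every failure looks the same to the caller, which should then show the normal login.
    public static int? Redeem(string keyFromUrl, string requestedPath)
    {
        if (string.IsNullOrEmpty(keyFromUrl)) return null;
        byte[] raw;
        try { raw = FromUrlSafe(keyFromUrl); }
        catch (FormatException) { return null; }
        if (raw.Length != 32) return null;

        LoginKeyRecord rec;
        if (!Table.TryGetValue(Fingerprint(raw), out rec)) return null;
        if (rec.Used || DateTime.UtcNow > rec.ExpiresUtc) return null;
        if (!string.Equals(rec.AllowedPath, requestedPath, StringComparison.OrdinalIgnoreCase))
            return null;

        rec.Used = true;   // single use: a link replayed after its first click is dead
        return rec.UserId;
    }

    private static string Fingerprint(byte[] raw)
    {
        using (var sha = new SHA256Managed())
            return Convert.ToBase64String(sha.ComputeHash(raw));
    }

    // URL-safe base64 (RFC 4648 section 5) so the key survives being put in a query string.
    private static string UrlSafe(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromUrlSafe(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);   // throws FormatException on garbage
    }
}

public static class Demo
{
    static string Show(int? result) { return result.HasValue ? "user " + result.Value : "denied"; }

    public static void Main()
    {
        string key = OneTimeLoginKeys.Issue(42, "/Reports/Daily.aspx", TimeSpan.FromHours(24));
        Console.WriteLine("https://reports.example.com/Reports/Daily.aspx?key=" + key);

        Console.WriteLine(Show(OneTimeLoginKeys.Redeem(key, "/Admin/Users.aspx")));      // wrong page for this key
        Console.WriteLine(Show(OneTimeLoginKeys.Redeem(key, "/Reports/Daily.aspx")));    // first use
        Console.WriteLine(Show(OneTimeLoginKeys.Redeem(key, "/Reports/Daily.aspx")));    // second use of the same key
        Console.WriteLine(Show(OneTimeLoginKeys.Redeem("not-a-key", "/Reports/Daily.aspx"))); // malformed key
    }
}
```

In the real site the reporting page's Page_Load would call Redeem(Request.QueryString["key"], Request.Path), populate Session exactly as the normal login does (plus a flag marking the session as key-initiated, so the other protected pages can insist on a full login and the key cannot act as the "can opener" worried about in the comments), and then Response.Redirect to the same URL without the key so it does not linger in browser history or Referer headers. Under Forms authentication that is the spot where FormsAuthentication.SetAuthCookie would be called instead. None of this changes what the key is: a bearer credential, so whoever holds a live link is that user until it is used or expires, which is why the lifetime should be as short as the daily send allows.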

I would love to post code... but because of its nature, I can't. However, I'm sure you get the idea for now, and I'll knock together a sample this evening to put up over the next couple of days.

CodeGecko

N.B.: I'm now looking at Forms authentication and the ASP.NET membership provider model for version 4 of this project. I'm sure I'll find lots more to blog about it along the way!

Posted on Monday, February 23, 2009 10:29 AM | Back to top


Comments on this post: Pre-authentication and one-time passkeys (OTPs) using ASP.NET

# re: Pre-authentication and one-time passkeys (OTPs) using ASP.NET
If I understand you correctly you have now provided a method to allow me to login to the application without authenticating?

You do this by appending a secret value to a URL and then e-mail it out?

If that is true then this is how I would be concerned about this:

1. The secret value can be compromised: e-mail is sent in the clear and you have no real control over how it gets from hither to you.

2. Does the secret value allow someone to pull up any URL in the system without authentication, even those URLs that have not been e-mailed out? I would be worried that the secret value can be used as a can opener to go through your entire site.

3. Once someone has traversed to an e-mailed URL can they then travel the system just as if they had authenticated completely?

4. Is the secret value predictable? Are you using the inherent .NET randomization or the randomization provided in the security libraries?

Ultimately though I would mostly be concerned about the secret value not remaining secret.

I would try to come up with a design that keyed the URL to a specific user, to the specific content, and not allow an unauthorized user to continue anywhere else.

This would restrict a vulnerability to only those pages sent, and only for that user being compromised.

I would probably do something like this:

I would have an additional cookie (permanent) with a token representing the user. Whenever a user logs in they are given a new token in the cookie, and the previous one is removed from the Database.

This gives you a way to identify a particular user.

When the e-mail links are created I would create a unique token in the URL for each user.

When the person clicks on the link, they are taken to the page, and it authorizes the URL token against the particular user (using the cookie token). If they do not match you could either re-authorize the user or completely deny them.

If the user tried to continue after viewing the URL I would then require them to authorize unless they are already in-session.
Left by Mark Flory on Feb 23, 2009 2:53 PM

# re: Pre-authentication and one-time passkeys (OTPs) using ASP.NET
Hi Mark,

To answer your questions:
1, 2, and 3: Yes. The token allows the user to authenticate into the system entirely and the user can browse through the system uninhibited (except by their normal permissions which we have imposed).
4: No, the token is not predictable, it’s a GUID generated by the SQL Server stored proc which returns the users that receive the email notification.

If I’d had more time, I would’ve had the GUID change on every login, but the client is insisting on ease-of-access and we’ve given them the disclaimer regarding the dissemination of these links. Plus, they’re a web hosting company so the email is *technically* internal (from the server we use for this software, to the server they use for their staff), so the email traffic is in a protected environment.
Left by CodeGecko on Feb 23, 2009 5:24 PM

# re: Pre-authentication and one-time passkeys (OTPs) using ASP.NET
Interesting approach. I came across your site in search of a way to authenticate the FBA user using code. You have the same problem as I do, but mine is a FBA. I am just finding a way to authenticate the user in the code. So far no luck. Please share your findings.

Thanks & Regards
Senthil
Left by Senthil on Mar 19, 2009 12:30 PM

# re: Pre-authentication and one-time passkeys (OTPs) using ASP.NET
Hi Ben,

I overlooked I came looking for the API AuthenticationProvider.SetAuthCookie()

It works. Thanks a Bunch,

<Senthil/>
Left by Senthil on Mar 19, 2009 12:58 PM

# re: Pre-authentication and one-time passkeys (OTPs) using ASP.NET
Senthil,

Yeah, I thought I could use that too but because it was custom "secure" libraries, not Forms auth, I couldn't use that method, which kinda sucked cause it would've been perfect for what I needed.
Glad you got your problem solved.

CodeGecko
Left by CodeGecko on Apr 09, 2009 3:12 PM

# re: Pre-authentication and one-time passkeys (OTPs) using ASP.NET
You could wipe the key out of the database when it is first used. You could also store a delimited list of authorized pages that the temporary key allows access to. You could also map the MAC addresses of your workstations to the temp key or add a simple PIN number that supposedly only your user knows. There's lots of stuff you could do with this to make it more secure/restrictive. You could also integrate this with a simple little smart card (they are cheap) and reader and maybe even push a limited number of these temporary keys out to the card / USB key.
Left by Wade on May 12, 2010 10:32 PM

# re: Pre-authentication and one-time passkeys (OTPs) using ASP.NET
@Wade,

Yep, but I don't work for the firm any more, so it's not my problem :-) At the time I thought about PIN numbers, but the client's requirement was that their account managers wanted one-click, no-input logins to their personalised screens in this web application (talk about utterly lazy). I gave them what they wanted and warned them of the consequences if they messed it up, so at least they were aware of its shortcomings.
Left by CodeGecko on Jul 14, 2010 8:54 AM

Copyright © TheInspiredGecko | Powered by: GeeksWithBlogs.net