MVC Site Authentication application only

Question

I need to limit access for my MVC site and accept only requests that come from another site. Inside a main site i have a link that will re-direct in child site users that are already authenticated. So i would like to process this request and authorize users if they clicked in this link. I'm thinking to share a token in both applications, but when i re-direct user i can't attach this token to the request (true ?) but only in query string.

My query string have alredy the userId and two integer values.

Here is my code from Main site

public void Redirect(HttpResponse response)
{
    var userId = HttpUtility.UrlEncode(_encryptor.Encrypt(_userId.ToString(CultureInfo.InvariantCulture)));
    var year = HttpUtility.UrlEncode(_encryptor.Encrypt(_compilationYear.ToString(CultureInfo.InvariantCulture)));
    var month = HttpUtility.UrlEncode(_encryptor.Encrypt(_compilationMonth.ToString(CultureInfo.InvariantCulture)));
    const string baseUrl = "http://localhost:63415/Home/Index"; //external site

    response.Redirect(String.Format("{0}?userId={1}&year={2}&month={3}", baseUrl, userId, year, month));
}

and in child site side

public HomeController : Controller
{
    [HttpGet]
    public ActionResult Index()
    {
            //if request come from the main site 
            var encUserId = Request.QueryString["userId"];
            var encYear = Request.QueryString["year"];
            var encMonth = Request.QueryString["month"];
            //else show unauthorized page error
    }
 }

What about set cookie with token ?

I can change code but not in aspx where i have

<foo:MyButton Alt="redirect" 
 Enabled="true" Height="22" Id="btn"
 OnClickJs="Foo()" runat="server"
 />

Now i'm thinking to perform post action via jQuery inside Foo() method... but i have the error

 No 'Access-Control-Allow-Origin' header is present on the requested resource.

I don't have code... the problem is not how to implement it but what is the best practice — Gianpolo, Mar 20 '15 at 09:33

score 0 · Answer 1 · answered Mar 20 '15 at 10:17

Sharing a token could be a good solution in case that this token is dynamic and not static (new token for each redirect) because otherwise once somebody gets this token he will be able to share it and access yous site directly.

About sharing token there are 2 ways that I am aware of:

Sharing the same storage: your main application stores a token and a user identity somewhere in database and your secondary MVC application can retrieve this token from DB and invalidate it.
Implementing a common library that will be used for encryption\decryption of user data: Once user clicks on a link in your main site his credentials are encrypted into a token, this token is posted to your MVC site which is going to use the same library to decrypt the token and extract user credentials from there. If you are going to use this approach you will need to use some strong encryption algorithm (probably symmetric one that uses the same key for encryption\decryption because you probably don't want to deal with key distribution and using a public key to encrypt a message is not a solution in your case). You also have to insure that algorithm that you are using doesn't generate the same token for the same user every time.

when i re-direct user i can't attach this token to the request (true ?)

If you are using a redirect from server you are right, but you could take a different approach (Assuming that your main site is MVC):

When user clicks on a link (your link should have a "_blank" target so it could be opened in a new browser window in your main site you go to an action in your main site that generates a token and passes it as a model to it's view:

public class RedirectModel
{
   public string Token { get; set; }
   public string Url { get; set; }
}

public ActionResult Redirect()
{
    var model = new RedirectModel{
       Token = GenerateToken(),
       Url = //url of your secondary site login action
    }
    return View(model);
}

View has a form that is going to be submitted on document load:

@model RedirectModel

<html>
  <body onload="document.redirect.submit()">
     <form method="POST" action="@Model.Url" novalidate autocomplete="off" name="redirect">
        <input type="hidden" name="token" value="@Model.Token">
     </form>
  </body>
</html>

Of course the login action of your secondary MVC site has to decrypt a token and extract user credentials from it.

Thank's for the answer.. No my main site is webform site and i alredy use encryption/decryption strategy for values in query string... Now is right to attach in query string the token too ? But if user copy this link from browser will be able to access into my site — Gianpolo, Mar 20 '15 at 10:21
In my answer I am using form post action so the token passed as a form parameter and not in query string.I personally believe that this kind of information should not be exposed through query string. You can find a nice discussion about this here: http://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl — Alex Art., Mar 20 '15 at 10:26
The link points to your main site so user won't have a direct access to your secondary site. You can also require a user authorization/authentication on your main site so even if he copies the link and he was't authorized earlier you can redirect him to login page of your main site — Alex Art., Mar 20 '15 at 10:29
I'm redirecting with Response.Redirect(url) in server side ... i can't post data to Mvc Site with this method... — Gianpolo, Mar 20 '15 at 10:30
If you are not willing to change you code. What is the point of asking for an alternative solution than? — Alex Art., Mar 20 '15 at 10:34

MVC Site Authentication application only

1 Answers1