
I have a page that when accessed has some sensitive information. I understand there are better ways to go about this like Active Directory, etc., but I'm aiming for the simplest way possible at the moment.

Is there a way to prompt the user for a string via textbox, whether it be with an alert or any other method, that will pause the DOM to be displayed and accessed via "view page source"? So that if entered incorrectly, the view is not returned?

Could someone please provide a code example?

The page I have currently is being accessed by this actionresult:

public ActionResult ViewRecords() {
    return View();
}

Is there any way to make it so that the code above relies on the correct string being passed in, like so:

public ActionResult ViewRecords() {

    alert(//some sort of text box//);

    if (string == 'password')
        return View;
    else
        return View("Index.cshtml");
}

I've done some research and found some people doing this through a web.config definition, but am confused about the exact code I'd need to put in my web.config, C# controller file, and .cshtml view to make this work.

LatentDenis
    Just don't send the sensitive information to the browser until the user is authenticated. If you want to achieve the effect of not having a full page refresh between logging in and displaying the data, then use AJAX to fetch the sensitive information after the user is authenticated. – mbeckish Aug 02 '16 at 15:03
  • You're thinking of that controller action wrong. When they request that `ActionResult`, it's not going to pause and then return an alert, receive text, and then continue. Once it returns anything to the user it's done. – Don Cheadle Aug 02 '16 at 15:12
  • @mbeckish what would be a way to do this with AngularJS and AJAX? – LatentDenis Aug 02 '16 at 15:14
  • http://stackoverflow.com/q/17646034/21727 – mbeckish Aug 02 '16 at 15:15

1 Answer

// GET: returns only the prompt page, which contains no sensitive data.
[HttpGet]
public ActionResult SafePage() {
    return View("PageThatPromptsForPassword");
}

Inside the "PageThatPromptsForPassword" view, write some JS to prompt the user for a password. Pass it along (using AJAX or a form) to a 2nd controller action to verify.

// POST: the sensitive view is only ever returned from this path.
// MY_SECRET_PASSWORD is a placeholder for wherever you keep the secret.
[HttpPost]
public ActionResult ConfirmPassword(string passWord) {
    if (passWord == MY_SECRET_PASSWORD) {
        return View("SecretInformationPage");
    } else {
        return View("PageThatPromptsForPassword");
    }
}

** Note: this is, as you asked, very simple and may have potential security issues. But it's a starting point.

Don Cheadle
  • Wouldn't someone be able to just type in `example.com/Data/SecretInformationPage` rather than having to go through `example.com/Data/PageThatPromptsForPassword` ? – LatentDenis Aug 02 '16 at 15:21
  • Only if you have that as a route to a controller that returns the sensitive view. I suggest you don't issue a redirect/have a URL that goes to the sensitive information. Just create a View with that sensitive information, and return it after you've verified the password. – Don Cheadle Aug 02 '16 at 15:22
  • The problem is that anyone could just visit the second (redirected page) with secret information without having visited the password protected page in the first place. – LatentDenis Aug 02 '16 at 15:22
  • then don't do a redirect. Just return the View. – Don Cheadle Aug 02 '16 at 15:23
  • @mmcrae Can you write an answer that demonstrates this? – EtherDragon Aug 02 '16 at 15:43
  • @EtherDragon - I think this answer effectively gives the overall idea. For more details, one can search for those pieces specifically (such as POST'ing to a Controller action using AJAX) – Don Cheadle Aug 02 '16 at 17:23
  • @VolcovMeter - I'm not sure if we understand each other. Does this not fit your request? It's not the case that someone could put the View name (if they were to find that out) in the URL and go to it. The user will only see the sensitive view after they've POST'd the correct password to the `ConfirmPassword` action, and then that action will return sensitive HTML. – Don Cheadle Aug 02 '16 at 21:30
  • @mmcrae I understand where you're coming from. I was trying to see if your solution was possible only involving one page. Meaning, login/see info all one page. – LatentDenis Aug 03 '16 at 14:48
  • You're looking for only 1 URL route, or only 1 HTML view? I think this does it... They request a page that loads the HTML of the "SafePage", and then after filling in a form they get the sensitive HTML. I rest my case ;) – Don Cheadle Aug 03 '16 at 16:02
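The following is an added example, not code from the question or the answer above, showing the answer's two-action pattern as an ASP.NET MVC 5 controller with the pieces the comment thread circles around: there is no GET route that returns the sensitive view (so typing the view name into the URL cannot reach it), the secret is read from web.config rather than hard-coded, the POST is protected by an anti-forgery token, and the comparison does not short-circuit on the first mismatched character. Assumptions (not from the page): `System.Web.Mvc` and `System.Configuration` are referenced, the secret is stored under an `appSettings` key named `RecordsPassword`, and Razor views named `PageThatPromptsForPassword` and `SecretInformationPage` exist.

```csharp
// Added example (not the original poster's or answerer's code). Assumes
// ASP.NET MVC 5 (System.Web.Mvc), a reference to System.Configuration, and a
// web.config entry <add key="RecordsPassword" value="..." /> under
// <appSettings>. The key name "RecordsPassword" is a hypothetical choice.
using System;
using System.Configuration;
using System.Text;
using System.Web.Mvc;

public class DataController : Controller
{
    // The only GET route. The view it returns holds nothing sensitive, so
    // "view page source" on it reveals nothing worth protecting.
    [HttpGet]
    public ActionResult SafePage()
    {
        return View("PageThatPromptsForPassword");
    }

    // The prompt view POSTs the password here (plain form or AJAX). This is
    // the only action that ever renders "SecretInformationPage"; since no
    // action is named after that view, requesting /Data/SecretInformationPage
    // simply does not route anywhere.
    [HttpPost]
    [ValidateAntiForgeryToken] // the prompt view must render @Html.AntiForgeryToken()
    public ActionResult ConfirmPassword(string passWord)
    {
        string expected = ConfigurationManager.AppSettings["RecordsPassword"];

        // Refuse if the secret is unconfigured, so a missing setting fails
        // closed instead of comparing against null.
        if (string.IsNullOrEmpty(expected) || passWord == null
            || !FixedTimeEquals(expected, passWord))
        {
            ModelState.AddModelError("", "Incorrect password.");
            return View("PageThatPromptsForPassword");
        }

        return View("SecretInformationPage");
    }

    // Compares every overlapping byte regardless of where the first mismatch
    // is, so response time does not depend on how many leading characters
    // were correct. A length difference still costs only the length itself.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++)
        {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

Two practical points follow from this shape. First, nothing here remembers that the user succeeded: a refresh of the sensitive page re-runs the POST, and any other action that should also be protected needs its own check, which is where the session or forms-authentication cookie the first comment alludes to comes in. Second, the password travels in the POST body, so the site needs to be served over HTTPS for the check to mean anything on the wire.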