Web Application Security Approach

I am developing a web application in ASP.NET/C#, where each registered user has the ability to add / modify / delete lines based on their user ID.

Take this example:

I am going to change my route on the /route.aspx?routeid=854 page that belongs to me (user-id: 1).

But since I'm a curious guy, I'm trying to access /route.aspx?routeid=855 , which belongs to another user (user-id: 2).

How can I better avoid people accessing other people's data? Should I send every user ID (from the session) with every database call, should I check the user / password on every page load, or what is the best and most secure?

Hope I made it clear enough.

+6
security c# web-applications membership-provider
2 answers

Don't reinvent the wheel.

Edit: storing the UserId - you don't need to. You can get it from the MembershipProvider any time after the user logs in:

    MembershipUser user = Membership.GetUser();
    // ProviderUserKey is typed object; the SqlMembershipProvider stores a Guid in it
    Guid UserID = (Guid)user.ProviderUserKey;

It seems to me that you need to implement the ASP.NET Membership Provider. Read this resource: http://odetocode.com/articles/427.aspx

Also a good series by Scott Guthrie: http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx

In general, use this approach. Authentication is the first part of security: it establishes who the user is, usually with a username and password.

The second part of security is authorization, which happens when you know who the user is. This is basically a definition of what resources an authenticated user has access to. A mature system will include the following objects:

User: may contain extended profile information captured on registration.
Resource: a page or other resource that can be restricted.
Group: a group of users who can access resources due to their group membership (groups are granted resource access).
Role: a type of user such as Administrator/Developer/Salesperson.

Thus, to grant the user access to routeid 854 (the resource), you can grant the resource directly to the user, or, if several users should have access to this resource and they form a natural group, create that group, grant the resource to the group and add the user to the group.

Then you can access User.Resources with the resource identifier or protect the entire page with

    if (!User.IsInRole("RoleName"))
    {
        // redirect to the access denied page
    }

There are many good things available using a provider model.

Edit: you need to know something if you decide to store your user profile information. The default implementation of ProfileProvider is not particularly good. Scott Guthrie wrote a good article about a table-based provider, which is better: http://weblogs.asp.net/scottgu/archive/2006/01/10/435038.aspx

+3

Your best approach is to send the userId to the database along with the routeId to find out whether the user can access it.

Something like:

    select * from route where routeId=@routeId and userId=@userId

If you use something like Linq, you can make a much better security model by applying a user restriction, for example using a reusable function:

    using System.Linq;

    public Route Get(int routeId, int userId)
    {
        var query = repository.Get<Route>().Where(r => r.Id == routeId);
        query = applySecurityModel(query, userId); // ownership filter applied to every query
        return query.FirstOrDefault();
    }

    private IQueryable<T> applySecurityModel<T>(IQueryable<T> query, int userId) where T : ISecurable
    {
        return query.Where(t => t.UserId == userId);
    }

    public interface ISecurable
    {
        int UserId { get; set; }
    }

    public class Route : ISecurable
    {
        public int Id { get; set; }
        public int UserId { get; set; }
    }
+3
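The two answers describe two layers: the authenticated identity (Membership) and an authorization rule over it (ownership, roles). The following console program is an added example, not code from either answer; it puts the unsafe lookup by routeId alone next to the hardened lookup, using constructed in-memory data and a stand-in CurrentUser class in place of the real Membership and role providers.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Added example, not code from either answer. It combines the two layers the answers
// describe: the authenticated identity (what Membership supplies server-side) and an
// authorization rule deciding which routes that identity may read or change.
public class Route
{
    public int Id { get; set; }
    public int UserId { get; set; }
    public string Name { get; set; }
}

// Stand-in for the authenticated user. In ASP.NET this comes from the Membership and
// role providers, never from anything in the request.
public class CurrentUser
{
    public int UserId { get; set; }
    public HashSet<string> Roles { get; set; } = new HashSet<string>();
    public bool IsInRole(string role) => Roles.Contains(role);
}
public static class RouteAccess
{
    // Constructed sample data: route 854 belongs to user 1, route 855 to user 2.
    static readonly List<Route> Routes = new List<Route>
    {
        new Route { Id = 854, UserId = 1, Name = "Route of user 1" },
        new Route { Id = 855, UserId = 2, Name = "Route of user 2" },
    };

    // Vulnerable: trusts routeId from the query string and ignores who is asking.
    public static Route GetUnsafe(int routeId) => Routes.FirstOrDefault(r => r.Id == routeId);
    // Hardened: the session's user id is part of the lookup, like the second answer's
    // "where routeId=@routeId and userId=@userId". A route owned by someone else looks
    // exactly like a missing one, so the page answers both with the same "not found".
    public static Route GetForUser(int routeId, CurrentUser user) =>
        Routes.FirstOrDefault(r => r.Id == routeId &&
            (r.UserId == user.UserId || user.IsInRole("Administrator")));
    public static void Main()
    {
        var owner = new CurrentUser { UserId = 1 };
        var admin = new CurrentUser { UserId = 99, Roles = { "Administrator" } };
        Console.WriteLine(GetUnsafe(855)?.Name ?? "not found");        // exposes user 2's route
        Console.WriteLine(GetForUser(854, owner)?.Name ?? "not found"); // own route
        Console.WriteLine(GetForUser(855, owner)?.Name ?? "not found"); // not found
        Console.WriteLine(GetForUser(855, admin)?.Name ?? "not found"); // permitted by role
    }
}
```

In a real page, the routeId still comes from the query string, but the CurrentUser values come only from the server-side session, so a user who edits the URL gets the same "not found" whether the route is missing or belongs to someone else.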
