I have a scenario where page navigation is done from one domain to another.
For example, navigation is done from
http://www.foo.com to
http://www.bar.com on button click in javascript
While redirecting, I need to send username and password securely from the first domain to the second domain.
How do I send these parameters?
I do not want to use GET and send it across the URL as it is not secure to send password in that manner.
Broswer's localStorage and SessionStorage did not work as the domains are different.
Window.open does opens the second domain in the same page ('_self') but the parameters are lost. On top of that window.open has the drawback of popup blockers blocking it
Cookie did not work.
I want to redirect from Site A to Site B and pass the username and password the user entered on Site A to Site B
You are not clear what your security implications are here:
While redirecting, I need to send username and password securely from the first domain to the second domain.
I do not want to use GET and send it across the URL as it is not secure to send password in that manner.
Is it site B should not know the password or is it you are concerned about someone listening on the request and replaying it?
At any rate, the only secure way is
Site A hands you a token (could be a JSON Web Token)
you send this token with the request to site B.
Site B takes this token and asks site A to validate it.
After positive validation, Site B creates a session for you.
Everything else (using POST instead of GET) is insecure as well, it is trivial to listen in to a POST request.
There are few ways:
1) Use a POST: Create a <form/> in your webpage and place some hidden variables on the fly using javascript and then post it to another website.
2) Use Headers: Can you see if you can set header?
3) Use Token: You can try using Token, which you can use instead of user+pwd combination. So what happens is you redirect from website A to B using a token embedded in the URL and website B validates the token to an API available on website A before it authenticates the user. You can make these token self-expiring after X seconds.
Related
I have a case where I'm performing a redirect on a page but I'm also passing through some information in the GET that preferably should not be seen since it could identify a user or disclose information about them in the URL therefore could be history or picked up in an insecure network etc... The user is already logged in and validated at this point.
https://example.com/page?message=Some+user+informaton&subuser=24
To prevent this I had two ideas:
Access reference map - temporarily store the information I want to display in the users session with a cryptographically unique key that is used in the redirect then destroyed when the request has been completed. Still uses redirect logic e.g.
https://example.com/page?redirectdata=xAe4Fdh4
JavaScript + JSON - Submit the form to the server, server returns a JSON response of the url to redirect to and any extra parameres such as messages. Then use the JS to do a POST the server to not expose anything.
Which of these is the best way to implement a secure redirect?
Many thanks
I'm currently using a NodeJS server. I verify a condition with a if statement. If the credentials are not valid, for example, how to send the user to a specific page?
if (credentials) {
// go to the main page
}
else {
// go the login page
}
You've said you're using ExpressJS. In ExpressJS, you do a redirect via res.redirect:
res.redirect([status,] path)
Redirects to the URL derived from the specified path, with specified status, a positive integer that corresponds to an HTTP status code . If not specified, status defaults to “302 “Found”.
First, you need to establish what kind of authentication you are using. There are a million ways to do this, but if you are less familiar with auth systems, I would recommend using a third-party auth system like Facebook or Google login. Those would generally give you some kind of auth token on login, and essentially you could just check to see if the stored token is there, whether that be in cache, cookies, local storage, etc., and if it has not expired. If all is good, keep going, if not, then redirect to the login page.
If you want to make this more secure, don't write any of credential validation on the client side. Have the client's browser check for the auth token and its recency, then send it to the server. The server would then respond by routing you to the proper page.
Another method that should probably be used in tandem with this would be to check for a valid login on every single page where the user would need to be logged in, as opposed to only having the one page that redirects to either a login screen or where you want to go.
I was attempting to use Tableau online embeddable charts with OneLogin using the session_via_api_token method.
I am able to retrieve token from backend and pass it to frontend. As mentioned here, the only way to call session_via_api_token is to POST a form.
The issue I'm facing is, after the form's POST, I'm redirected to /apps page of OneLogin. Is there any way I can specify a return url, or make the default behavior to redirect to one particular page(of my domain) after login.
What I want to achieve is hit session_via_api_token request of onelogin and redirect it back to my custom reports page where I've embedded a couple of tableau reports.
Sorry about the lack on detailed docs on this (it's coming!)
This endpoint relies on the HTTP_REFERER header being set and should redirect back to that URL.
Not sure what browser you're using, but that should be set automatically during the POST operation to our endpoint. It's worth noting that this does have to be done on the user's browser in order for us to establish an SSO session.
e.g. User's browser does a POST to our site with the token - We establish a session and set the cookies for our domain then we redirect back you your login 'facade'
To simplify things, we will be adding CORS support for this endpoint, and that work should be completing soon.
The question
I have a service that pushes content to users. To provide this content to their users, customers will include a script on their site. Their script sends a token to my server to identify which customer it is, but here's the problem: if anyone copies the script from the user's site, they can receive this live content, and the customer is billed for users that are not on their site. So, is there a way to ensure that the script is only included on their website? How does google analytics achieve this?
I have an idea, but I don't know if this would be completely secure.
The customer tells me any domains (including subdomains) that they would like to include my script on.
I give the user a very small text file that they store on their servers.
Once my script is loaded, it checks for window.location.host, and tries to fetch the text file from the root of the hosting domain.
If the file is found, and the contents match the content I generated when I gave the customer the file, I activate the service.
would this work?
Why I can not use window.location
Let's say that my script reads window.location, and sends that to the url mydomain.com?token=ABC&locationhost=goodcustomer.com
Now, the owner of baduser.com wants to abuse the account of gooduser.com, so he includes gooduser.com's script. The script now sends an ajax request to mydomain.com?token=ABC&locationhost=badcustomer.com
This would not start the service, because badservice.com is not the domain that the owner of goodcustomer.com entered when he signed up. This is easy to circumvent, because badcustomer.com's owner can take a look at my script, notice that it is sending a request to validate the url, and just send his own request. So he would send a request to mydomain.com?token=ABC&locationhost=goodcustomer.com. My server sees this request, compares the locationhost to the domain associated with the token, and starts giving the content meant for goodcustomer.com's users, to badcustomer.com's users. My server has no way of knowing wether the request was sent by my own script, or by a user trying to impersonate the actual customer.
You cannot make a secure solution to this only with scripts that runs in the end users browser. Someone that want to mimic your customers web site will always be able to do that by creating a copy of every script or file that you send to the browser. You will need to do something on your customers server. That is, your customer must have some kind of secret that is not sent to the browser.
One way to do this would be to give the customer a server side script that generates a one-time token. Let your script call this server-side script to get the token and include this token in the request to your server. Your server must check that the token is correct before it generates the data.
A one time token can be made by sending each customer a 20 character long password. Let the server-side script read the password, add the date and time and hash this value using i.e. SHA-256. It would be quite hard to create a false token if you don't know the password. It would be even better if you add a counter in the server side script. Let the counter increment with one for each request. However, a counter will introduce some syncronization problems if the counter on your site comes out of sync with the counter on the customers site.
You could build a database of what domains a user would be hosting the script on, then when the user loads the script, it sends window.location to your server, then your server sends content if the window location matches that in the database.
I want to present some images in my GWT application. These images are stored in a password protected url, external to my site in the general case. I can use the Image(java.lang.String url) constructor, with the user name and the password inside the url. So I can call:
Image img = new Image("http://user:pass#mydomain.com/image.png")
But then the user name and the password will be visible to anyone that views the source code of the page. I want to establish an authenticated connection with that url, and then use the plain url in the constructor:
Image img = new Image("http://mydomain.com/image.png")
I don't want to ask the user for a username and password through a popup, because in the general case he will be different than the one to whom the images belong so he won't have the credentials. The owner of the images gives to me their url, username and password when he registers.
Is this at all possible?
If your user does not have the credentials to view the images, then you will not be able to load them from your user's client. There is no good way to provide the password for them without also letting them see the password.
You could refactor this by sending the image request to your own server. Your own server could then send the request to the external server, password supplied, and pass the response back to your user. This is an extra hop, but you can keep the password completely secret.
If you're asking your users for their passwords to another site, you need to be extremely careful with them. In general, this sounds like a risky endeavor - you're exposing a lot of different ways to gain access to someone else's files. The fewer of those you can create, the better. If the external site supports some indirect authorization method like oauth, you should definitely prefer that over requesting the user's password.
You need to popup a window to that domain, and have the user fill in their username and password. For all subsequent requests to the same domain, you should not get a new popup. One way to do this, would be to create a hidden iframe to mydomain.com. That should trigger the auth popup.