December | 2008 | Programmer Payback

Archive for December, 2008

RIA security 102: Using ASP.NET session state to authenticate web service calls

Posted in Application Security, Silverlight tips and tricks, tagged Application Security, ASP.NET, cookies, Forms Authentication, Login Credentials, Password, RIA Security, Sessions, silverlight, Silverlight tips and tricks, Username on December 29, 2008| 16 Comments »

In part 1 (RIA security 101: Logins, web services, usernames and passwords), I discuss the importance of security in RIAs (Rich Internet Applications) and set the ground rules for allowing web services to authenticate calls from the client. In this article, I will show you how using the built in ASP.NET session object.

When the user logs into your service, validate their login and save something that uniquely identifies them (their username or user ID typically) in the session object.

<OperationContract()> _
Public Function Login(ByVal Username As String, ByVal Password As String) As Boolean
    If DatabaseWrapper.IsLoginValid(Username, Password) Then
        HttpContext.Current.Session(“Username”) = Username
        Return True
    Else
        HttpContext.Current.Session.Abandon()
        Return False
    End If
End Function

The next time the user calls a method on your service that requires authentication, check for the existance of a user ID or username in the session object and if it’s there, you’ll know they are a valid user since only successfully logged in users will have their information added to the session object.

 <OperationContract()> _
Public Function IsLoggedin() As Boolean
     Return HttpContext.Current.Session(“LoggedIn”) IsNot Nothing
 End Function
 
 <OperationContract()> _
 Public Sub UpdateSomething(ByVal Something As String)
     If IsLoggedin() Then
         DatabaseWrapper.SetDataForUser(DirectCast(HttpContext.Current.Session(“Username”), String), Something)
     Else
         Throw New Exception(“Session has expired”)
     End If
 End Sub

ASP.NET handles all the heavly lifting for you by:

Associating your session data with a unique session ID (aka token)
Passing that session ID down to the client in the form of a cookie
Storing your session data between calls to the server (in memory, state server, or a database depending on how you have it configured)
Retrieving that session data when you need it by looking up the session ID stored in their cookie.
Making sure that session expires eventually so it’s not vulnerable to hackers.

Check out the source code to see a fully functioning Silverlight client and WCF web service working together to securely manage login data between service calls. Login through an HTML based login (Homepage.htm) or the Silverlight client itself (hosted within Default.aspx).

Read Full Post »

RIA security 101: Logins, web services, usernames and passwords

Posted in Application Security, Silverlight tips and tricks, tagged Application Security, ASP.NET, cookies, Forms Authentication, Login Credentials, Password, RIA Security, silverlight, Silverlight tips and tricks, Username on December 29, 2008| 20 Comments »

As RIAs (Rich Internet Applications) gain in popularity, it becomes easier for programmers to accidentally create security holes in their application. If you’re used writing server-side code, it can be easy to forget that any code running on the client (compiled or not) can ultimately be seen by prying eyes. And if you come from the desktop world, you might not be familiar with all the ins and outs of securely talking to services in the cloud. Unfortunately, there are no good tools (that I’m aware of) to help audit your apps to make sure you’re doing things right. Until then, here’s a quick crash course in RIA security for any app that needs to restrict calls to web services. Maybe you only want paying customers to use your app. Maybe you need to store personal information about each user in a database. Either way, you’ll need users to login and you’ll need to authenticate calls from the client to your web services.

The scenario:

The user logs into the client (the RIA) and the client passes that username and password up to the server via a call to a web service.
The server then validates that login and sends back a reply of success to the client.
The client then permits the user to start froliking around in the application.
Eventually, the client needs to talk to the server again to save or request some data (maybe this happens immediately after login to retrieve the data they saved during their last session).

The problem:

How do we make sure that the client calling the web service actually successfully logged in earlier? From the server’s point of view, you CANNOT assume that just because the client can only call this service if the login was successful, that this is actually what’s happening. Hackers can easily spoof your client and therefore fool the server.

All the hacker needs is the URL of the service which they can then easily type it into a browser to find the service’s entire API. To get this URL they can either decompile your code using tools like SilverlightSpy or Reflector (if you’re writing in .NET), or they can just use Fiddler to monitor the calls to your server.

Obfuscating your code won’t help. Obfuscation might encrypt the service urls in your code but they will be decrypted by the time they show up in a tool like Fiddler.
HTTPS/SSL won’t solve this either. HTTPS won’t do anything but encrypt the calls going over the internet. From the client and therefore from a tool like Fiddler, the URLs themselves will all be visibile.
Passing up a hardcoded password with each request won’t solve this either. If you pass up a password, that means you need to store that password in your code somewhere. Even with obfuscation, hackers can still find it by decompiling your app and altering it in a very minor way to so it shows your hardcoded password in a message box at runtime.

The solution:

You must keep track of the user’s login (of some form of it) and pass that up with each sensative request to the server. The server then needs to validate that login each time before performing the requested operation.

The simple way:
Keep track of the username and password in a local variable and pass them up to the server with each request. This is relatively straight-forward, but has drawbacks:

Using this approach makes it impossible to safely login from a webpage outside your RIA or support a “remember me” feature because it will invarably result in the user’s password being stored somewhere on the hard drive. Even if encryped this is still vulnerable to hackers. For more info, see my other article on Posting login credentials to your Silverlight app where I go over the concerns.
Hackers can catch a packet being sent over the internet and resend that packet up to the server to get back a valid response. How would the server know the difference?

The bad way:
You could pass up a non-guessable user ID with each request (a GUID for example or a random ID that is unique to each user). Unfortunately, this has the same drawbacks as passing up a username and password. Additionally, user IDs are not necessarily private; your application may need to include that ID in a URL that could accidentally be pasted into an eamil by an unknowing user. Or, you application might need to expose a user’s ID to other users. Imagine that your application had a feature where users could see a list of other users that they could collaborate with. The client would get a list of these users and their IDs, the user would choose one or more, and the IDs would be sent back up to the server to notify it of the selection. As programmers, we need to assume that any data passed down to the client is ultimately hackable and therefore viewable by that client… therefore completely exposing each of those other users’ credentials. The bottom line: user IDs are not good surrogates for login credentials.

The best way:
Use session IDs (aka tokens) as an alternate to using real data like the username and password or a user ID. Once the user logs in, create a random string or GUID (this is your token), associate that token with the username and password (or better yet, associate it with their user ID if they have one) by storing these associations somewhere only your web service can access (most likely in memory or in a database). Your service can then pass that token back to the client upon a successful login. From that point forward, the client can use that token instead of a username and password everytime it wants to talk to the server. The server just needs to look up that token each time to find out the identity of the user, and the mere fact that the token was found indicates that the user making the request had logged in successful. Note: you should also make sure that the token expires eventually, otherwise, the token becomes just as useful to a hacker as the username and password.

Finally, how to accomplish this:

Method #1, the DIY (do it yourself) approach. As explained above, create a database or in-memory dictionary to hold the tokens for all the currently logged in users and add an extra parameter for the token to each web service method. Check out my previous article: Posting login credentials to your Silverlight app, where I demonstrate how to do this in a Silverlight client and an WCF web service. You can also download the source code from here.

Method #2, the session approach. In Part 2 of this article (RIA security 102: Using ASP.NET session state to authenticate web service calls) I demonstrate how to use built in ASP.NET session state objects to manage tokens for us. Note: There are other 3rd party options out there to do this for you too if you don’t use ASP.NET.

Method #3: If you though it couldn’t get any easier for us ASP.NET developers, there’s a third approach to use the Forms Authentication application service built into ASP.NET. Special thanks to John Papa for coming across this and Tim Huer for creating the only Silverlight example I’ve seen to date on using this library. This approach uses the System.Web.ApplicationServices.AuthenticationService namespace to manage and preserve a user’s login status between calls by passing back and forth an encrypted cookie. The encrypted cookie (or ticket as it is called) contains your username and login expiration. Each time the user makes a request to a method in your service that needs to be protected, you can use HttpContext.Current.User.Identity to determine if the user has been validated and what their username is. This approach works great once you get it configured and shifts some of the details to ASP.NET. Check out the source code here to see this technique in action from both the client and server’s perspective.

If you check out the source code for all 3 approaches, you’ll notice that they are identical from the end user’s perspective. Yet each uses the different approach mentioned above. Have fun comparing to see which works better for you.

Read Full Post »

Posting login credentials to your Silverlight app

Posted in Application Security, Silverlight tips and tricks, tagged Application Security, InitParams, Login Credentials, Password, RIA Security, silverlight, Silverlight tips and tricks, Username on December 21, 2008| 14 Comments »

Many web apps today require the user to login first. On the surface, this is relatively straight-forward for Silverlight. Just ask the user in the opening usercontrol for their login and proceed by calling a webservice to validate their login. But often you need to provide more than one way to log into your Silverlight application. For example, imagine you want a nice little login box in a corner of your site’s home page so users can easily jump right into the app.

Unless you’re going to embed your SL app in a little corner of your home page, you will presumably be offering the user the ability to input their username and password from a DHTML-based login box. Go to the GMail homepage to see an example of putting a small login in the corner of a homepage — I know, gmail doesn’t use SL to power the gmail client, but you can close your eyes and pretend 😉

GMail login screen

The question then is: how do we get these credentials safely to your Silverlight app?

Step 1: Post the login info to the webpage hosting your your Silverlight app.

Use something like the following html on the page you want to login from:

<form action=”./App/default.aspx” method=”post”>
<table>
<tr>
<td>Username:</td>
<td><input type=”text” name=”username” /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type=”password” name=”password” /></td>
</tr>
</table>
<div><input type=”submit” value=”Login” /></div>
</form>

WARNING: Always use HTTPS. Otherwise, the username and password will be totally unprotected when being sent over the internet.

Step 2: Pass a protected version of the login information to your Silverlight xap.

In the server-side script that handles the post (and hosts your Silverlight app), you can easily pass information down to the client thru a number of ways.

1) Putting the information in the querystring.

2) Putting the information in a cookie.

3) Embedding the information in the initParams parameter of the Object tag that contains your Silverlight app (this can be done indirectly by setting the InitParameters property of the ASP.NET Silverlight control).

Check out Tim Heuer’s video for more info on options 1 and 3.

Here’s where it gets tricky… Regardless of which approach we choose, we must take care when the information we’re passing along is the user’s password! In all 3 methods above, the information passed along is ultimately saved somewhere unencrypted on the user’s hard drive. Not good! In the first option (the querystring), the information can be seen in the browser history because it is part of the url and the browser remembers this info by storing it in a file somewhere on the user’s hard drive. Cookies are also stored as unencrypted data on the user’s harddrive, as is any html page source when it is cached. That’s right: Setting initParams puts that data right in your HTML only to be cached on the user’s harddrive.

Therefore, we need to find a good way to keep the user’s data protected. Here are three options (with one clear winner).

1) Encrypt the password. While this helps make sure that only an encrypted password ends up on the user’s drivedrive, consider this: Either you would need to unencrypt the password on the client before sending it up to the server (which means you have to put your encryption key in your code – NOT GOOD) or you’d have to create a webservice that can accept an encrypted password as a way to login… which means that your encrypted password would be just as useful for logging on as the real thing! Either way, you leave a hole that could be exploited.

2) Hash the password (presumably exactly the way you would hash the password before storing it in the database). However, this creates the same problem as mentioned above with encryption, for this to be useful as a login credential, you would have to have a webservice that could use the hashed password as a valid login credential which would make the hashed password just as valuable as the real deal.

3) The clear winner: Create and send down a token or session ID that can be used to look up their login information one time only. First off, this is better because no variation of the password is actually stored on the user’s harddrive, just a random ID (a bonus because given enough resources, any encrypted data can technically still be cracked). Secondly, this token or session Id would be destroyed almost immediately after it was issued so even if someone did get ahold of it, it would almost certainly be useless by that point.

Step 3: Retrieve the username and password from Silverlight.

We can see the finish line! The only thing left to do is retrieve the token or session ID from within your Silverlight app and pass that up to the server instead of the username and password. If you passed your token thru the query string you can access it from within Silverlight via the QueryString dictionary object:

Dim LoginToken As String = System.Windows.Browser.HtmlPage.Document.QueryString("LoginToken")

If you passed it via the Silverlight object’s initParams parameter you can access it in the StartupEventArgs.InitParams dictionary that is passed into the Application Startup event:

Private Sub Application_Startup(ByVal o As Object, ByVal e As StartupEventArgs) Handles Me.Startup

    Dim LoginToken As String = Nothing

    If e.InitParams.ContainsKey("LoginToken") Then

        LoginToken = e.InitParams("LoginToken")

    End If

End Sub

And if you set a cookie, you can access it via:

Dim Cookies As New Dictionary(Of String, String)

Dim CookieEntries() As String = _

    Split(Browser.HtmlPage.Document.Cookies, ";"c)

For Each Entry In CookieEntries

    Dim KeyValue() As String = Split(Entry, "="c)

    Cookies.Add(KeyValue(0), KeyValue(1))

Next

Dim LoginToken As String = Cookies("LoginToken")

And there we have it! Once you have your LoginToken, create a webservice that can accept it as valid login information. On the service end, use it to look up your login information (stored in a session variable or database). And purge that data immediately on use. This way no one can ever reuse that LoginToken again.

And in the end you have a secure technique used to safely allow your users to login to your Silverlight applicaton from other places. Ultimately making your application more prominant and accessible to users.

Check out the source code here for a practical demonstration of the concepts discussed above. Both client and server projects are included.

Read Full Post »

Silverlight named color viewer

Posted in Programming Tools, tagged Programming Tools, silverlight, tool, utility on December 5, 2008| 10 Comments »

I always try to use named colors whenever I can because it makes your Xaml much easier to read! Who knows what color #1A37C5 is? Okay, so maybe some of you can “see into the matrix” but I’d much rather see something like “DarkBlue”. It’s also easier to write because you VS gives you IntelliType when entering a color for a property of type Brush or Color.

Here’s a super easy way to see all the named colors out there that Silverlight supports. This tool also supports copying the name by selecting it and using Ctrl+C. Plus, you can sort the list alphabetically, by red, blue, green, hue, saturation, or luminosity for those of us that get dizzy scanning the palette for a good “blue” to choose.

namedcolorsviewer
Click to Run

Note: Microsoft has a pretty good table of their own with all the same colors in my tool (there are 141 of them by the way, not 240 as stated on the MS site). But the colors blocks are smaller, it’s all just a big image so you can’t copy names, and it of course lacks my patented sort feature 😉

Read Full Post »

Programmer Payback

Giving a little back to my fellow programmers

Archive for December, 2008

Silverlight named color viewer

Archives

Categories

Pages