C# – How to generate nonce for Ajax web requests

ajaxasp.netcjavascriptSecurity

As many of you know WordPress uses "secret key" like thing for every AJAX request. Making each request unique and also 'somewhat' secure (just a step ahead than nothing). How would I implement the same using PageMethods (webservice methods inside aspx page) in asp.net application. Some things I have already taken care of are authentication and authorization to access the page.

I would like to know How to generate the same nonce/secret key whatever in C# for asp.net application?

Also doesn't this affect the performance of the application like 100 thousand users use it and each time the method has to go through encryption, random number generation etc..?

Is there any way I can check if posted data is what was actually posted. Checking the integrity of posted data?

Do you need to follow design patterns to secure application logic? Does one exist to make your application at the least somewhat secure?

Best Answer

I would like to know How to generate the same nonce/secret key whatever in C# for asp.net application?

Read up on HTTP Digest Authentication. It's described pretty well there.

http://en.wikipedia.org/wiki/Digest_access_authentication

Also doesn't this affect the performance of the application like 100 thousand users use it and each time the method has to go through encryption, random number generation etc..?

Hardly. Remember: the connection to the user's desktop is the bottleneck. Checking a nonce is generally trivial, since it's a simple hex digest of data already available.

Is there any way I can check if posted data is what was actually posted. Checking the integrity of posted data?

Read up on Cross Site Request Forgery (CSRF).

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Do you need to follow design patterns to secure application logic?

Yes.

Does one exist to make your application at the least somewhat secure?

Not "One".

Lots and lots.

There is no "somewhat" secure. There's secure and there's broken.

Start with the OWASP top-ten list and read up on the vulnerabilities.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Then, find a framework that does this for you and use the framework.

Don't build your own. It's already been done for you. Just pick a framework that does it.

Why security is binary. "perfect security" is an oxymoron -- it only exists where there is no information exchanged.

"Security" doesn't mean "perfect". It means "as good as present technology permits under the circumstances that we've agreed to share information, and I have to assume you're not lying."

If you want "somewhat secure", then you are implementing "somewhat insecure".

If you're going to implement somewhat insecure, you must actually choose the specific kind of insecurity you are going to implement. Generally, you will must either give private information away, allow information to be adulterated or allow a denial of service attack. Pick some combination of things you are going to implement in a "somewhat secure" application.

Try to avoid choosing the "give away the root password" insecurity if you can. Usually, that is isomorphic to "as secure as possible".

Related Solutions

Sharing authentication methods across API and web app

I don't quite understand what it is you actually want to share.

I'd assume you won't find a framework cause what you want to do is not that hard to solve.

1) A third party application is -only- going to touch your general purpose API. It uses API authentication only (through forms authentication, api key usage, take your picking).

2) Your own application through user actions will redirect to login page and such and have it's own picking of authentication (form authentication probably). This is about stuff the user can potentially enter through the address bar of the webbrowser. If your application happens to use your general purposed API under the hood you are not going to redirect the user to your login page on ajax calls. Your application should handle/prevent this for the user. A user is not going to make API calls through his/her browser's address bar.

So for your application to be able to use your general purpose API, the general purpose API would only need to support the same authentication scheme (form authentication). Or your application would have to fetch the user's api key or something to use after the user logged in.

You can easily create an Authorize attribute in MVC that will checks multiple options, first for an api-key, then for a forms authentication based cookie token. If it finds nothing your general purpose API should or needs to throw 401s only.

Your application would pick them up from ajax call failures and could decide to move the user over to the login page.

ASP.NET Authentication – How Does Authentication Work with ASP.NET Using Live ID or Windows Authentication

I would use sessions. You can store the information you need after they've logged in, be it a token given by the login service or even just an isLoggedIn boolean value.

Then, you can check in pages that need it (Inheriting from a base page class is great for this) that the information is there. If not, kick them back out.

So, in your code that processes the response from the claims-based auth (I do a lot of work with CAS and Shibboleth, two claims-based systems in heavy use in academia), you'd do something like :

if(isSuccessfulLogin)
{
    Session.Add("isLoggedIn",true);
    Session.Add("userId", userIDfromService);
}

Then, in your Page_Load method, you'd just do something like:

if(Session["isLoggedIn"])
{
    // do whatever
}
else
{
    // redirect somewhere
}

These are very simplified, and leave out the details.

Best Answer

Related Solutions

Sharing authentication methods across API and web app

ASP.NET Authentication – How Does Authentication Work with ASP.NET Using Live ID or Windows Authentication

Related Topic