Passing Session variables(Network UserIDs)

on 04.09.2007 21:26:00 by ChrisDavoli

Environment: ASP.Net, SQL Server

How do I pass ASP.NET session variables ie; like userid and password from
one web site to another. I know websphere has a way to do this, but is there
something in IIS?

Actually this is what I really want to do:
Can authentication and authorization using say Active Directory allow you to
log into one site and also be authorized for another site without logging in
again using network userids?

--
Chris Davoli

Re: Passing Session variables(Network UserIDs)

on 05.09.2007 03:34:22 by David Wang

On Sep 4, 12:26 pm, Chris Davoli wrote:
> Environment: ASP.Net, SQL Server
>
> How do I pass ASP.NET session variables ie; like userid and password from
> one web site to another. I know websphere has a way to do this, but is there
> something in IIS?
>
> Actually this is what I really want to do:
> Can authentication and authorization using say Active Directory allow you to
> log into one site and also be authorized for another site without logging in
> again using network userids?
>
> --
> Chris Davoli


This is user delegation. You can either do it correctly with Active
Directory, or the insecure hack that you are proposing (and what
Websphere does).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Passing Session variables(Network UserIDs)

on 05.09.2007 20:32:04 by ChrisDavoli

Can you elaborate on "This can be done through (non Active Directory) a
cookie that is shared over a domain, say ".yoursite.com"? I'm not sure what
you mean.

--
Chris Davoli



"Egbert Nierop (MVP for IIS)" wrote:

>
> "Chris Davoli" wrote in message
> news:8ED5A139-02FC-479B-88AD-8DEA4D40F689@microsoft.com...
> > Environment: ASP.Net, SQL Server
> >
> > How do I pass ASP.NET session variables ie; like userid and password
> from
> > one web site to another. I know websphere has a way to do this, but is
> there
> > something in IIS?
> >
> > Actually this is what I really want to do:
> > Can authentication and authorization using say Active Directory allow
> you to
> > log into one site and also be authorized for another site without
> logging in
> > again using network userids?
>
> This can be done through (non Active Directory) a cookie that is shared
> over a domain, say ".yoursite.com"
>
> If you use Clear-Text login + SSL (and Active Directory), you can
> implement a single logon technique, but this is limited (again) to the
> same domain+url, not to other hosts (otherwise IIS + IE would allow a huge
> security leak!)
>
> --
> Classic + .NET ISP Session for sharing the Session among several
> sites/servers
> http://www.nieropwebconsult.nl/asp_session_manager.htm
>

Re: Passing Session variables(Network UserIDs)

on 05.09.2007 20:34:01 by ChrisDavoli

David, can you elaborate a little? How does delegation work?

Also, why do you say that websphere is a hack? Do you know how it works?
--
Chris Davoli



"David Wang" wrote:

> On Sep 4, 12:26 pm, Chris Davoli wrote:
> > Environment: ASP.Net, SQL Server
> >
> > How do I pass ASP.NET session variables ie; like userid and password from
> > one web site to another. I know websphere has a way to do this, but is there
> > something in IIS?
> >
> > Actually this is what I really want to do:
> > Can authentication and authorization using say Active Directory allow you to
> > log into one site and also be authorized for another site without logging in
> > again using network userids?
> >
> > --
> > Chris Davoli
>
>
> This is user delegation. You can either do it correctly with Active
> Directory, or the insecure hack that you are proposing (and what
> Websphere does).
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>

Re: Passing Session variables(Network UserIDs)

on 06.09.2007 13:24:59 by David Wang

The questions you ask *sound* simple, but they are really loaded and
can easily take pages to "elaborate", and any abridgement simply does
not do the seriousness of this security subject any justice. I am not
trying to be arrogant, but security subjects like authentication and
authorization are hard, and most people hardly understand them well
enough to implement secure solutions. And most existing cookie-cutter
solutions are just that.

In short, delegation is the principle which allows a server which logs
on a user to act ON BEHALF OF that user to access another resource,
usually on another server, without requiring additional login.

Needless to say, this is a highly privileged operation requiring
tremendous trust between the user and the two servers. The user trusts
the server to not take his user credential and do something else BAD
on behalf of that user -- the same mechanism that allows the server to
act ON BEHALF OF the user to another server, it also allows the server
to access, say, that user's bank account and transfer all his money
to the server's administrator. To any authorization protocol, the two
actions are exactly the same, but one is clearly desirable while the
other is not.

You can read more explanation here:
http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO-ISAPI-Considerations-2.aspx

Do you believe that WebSphere actually works like a true cohesive and
delegatable security system? As it marshals traffic between
potentially incompatible operating systems using different
authentication and authorization protocols... is it even going to
delegate correctly and securely? Or do you think that WebSphere makes
itself a huge big-brother "trust me" Trusted-Computing-Base that is
the common element across all the systems and just flows user
credentials across its own internal trust boundary?

But, there is no delegation in that design, and security is achieved
through a whole bunch of implicit trust of the system. I'd rather take
my chances with a well-defined public system like Kerberos which keeps
all the right powers in-check-and-balance... and Active Directory is
one possible implementation.

All I can say is that if you think flowing username/password is the
right approach to do single-sign-on, you have missed the point.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//






On Sep 5, 11:34 am, Chris Davoli wrote:
> David, can you elaborate a little? How does delegation work?
>
> Also, why do you say that websphere is a hack? Do you know how it works?
> --
> Chris Davoli
>
>
>
> "David Wang" wrote:
> > On Sep 4, 12:26 pm, Chris Davoli
> > wrote:
> > > Environment: ASP.Net, SQL Server
>
> > > How do I pass ASP.NET session variables ie; like userid and password from
> > > one web site to another. I know websphere has a way to do this, but is there
> > > something in IIS?
>
> > > Actually this is what I really want to do:
> > > Can authentication and authorization using say Active Directory allow you to
> > > log into one site and also be authorized for another site without logging in
> > > again using network userids?
>
> > > --
> > > Chris Davoli
>
> > This is user delegation. You can either do it correctly with Active
> > Directory, or the insecure hack that you are proposing (and what
> > Websphere does).
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>

Re: Passing Session variables(Network UserIDs)

on 06.09.2007 17:02:03 by ChrisDavoli

Thanks for your honesty. We are trying to decide if we want to use Websphere
or go the microsoft route. You are very knowledgeable.

So you think that cookie that websphere attaches (the LTPA token) to the
browser, could be hacked easily even though it is encrypted?

Another question, is delegation like impersonation?

--
Chris Davoli



"David Wang" wrote:

> The questions you ask *sound* simple, but they are really loaded and
> can easily take pages to "elaborate", and any abridgement simply does
> not do the seriousness of this security subject any justice. I am not
> trying to be arrogant, but security subjects like authentication and
> authorization are hard, and most people hardly understand them well
> enough to implement secure solutions. And most existing cookie-cutter
> solutions are just that.
>
> In short, delegation is the principle which allows a server which logs
> on a user to act ON BEHALF OF that user to access another resource,
> usually on another server, without requiring additional login.
>
> Needless to say, this is a highly privileged operation requiring
> tremendous trust between the user and the two servers. The user trusts
> the server to not take his user credential and do something else BAD
> on behalf of that user -- the same mechanism that allows the server to
> act ON BEHALF OF the user to another server, it also allows the server
> to access, say, that user's bank account and transfer all his money
> to the server's administrator. To any authorization protocol, the two
> actions are exactly the same, but one is clearly desirable while the
> other is not.
>
> You can read more explanation here:
> http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO-ISAPI-Considerations-2.aspx
>
> Do you believe that WebSphere actually works like a true cohesive and
> delegatable security system? As it marshals traffic between
> potentially incompatible operating systems using different
> authentication and authorization protocols... is it even going to
> delegate correctly and securely? Or do you think that WebSphere makes
> itself a huge big-brother "trust me" Trusted-Computing-Base that is
> the common element across all the systems and just flows user
> credentials across its own internal trust boundary?
>
> But, there is no delegation in that design, and security is achieved
> through a whole bunch of implicit trust of the system. I'd rather take
> my chances with a well-defined public system like Kerberos which keeps
> all the right powers in-check-and-balance... and Active Directory is
> one possible implementation.
>
> All I can say is that if you think flowing username/password is the
> right approach to do single-sign-on, you have missed the point.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
>
>
>
> On Sep 5, 11:34 am, Chris Davoli wrote:
> > David, can you elaborate a little? How does delegation work?
> >
> > Also, why do you say that websphere is a hack? Do you know how it works?
> > --
> > Chris Davoli
> >
> >
> >
> > "David Wang" wrote:
> > > On Sep 4, 12:26 pm, Chris Davoli
> > > wrote:
> > > > Environment: ASP.Net, SQL Server
> >
> > > > How do I pass ASP.NET session variables ie; like userid and password from
> > > > one web site to another. I know websphere has a way to do this, but is there
> > > > something in IIS?
> >
> > > > Actually this is what I really want to do:
> > > > Can authentication and authorization using say Active Directory allow you to
> > > > log into one site and also be authorized for another site without logging in
> > > > again using network userids?
> >
> > > > --
> > > > Chris Davoli
> >
> > > This is user delegation. You can either do it correctly with Active
> > > Directory, or the insecure hack that you are proposing (and what
> > > Websphere does).
> >
> > > //David
> > >http://w3-4u.blogspot.com
> > >http://blogs.msdn.com/David.Wang
> > > //
> >
>
>
>

Re: Passing Session variables(Network UserIDs)

on 07.09.2007 01:21:56 by David Wang

Delegation and impersonation can be viewed as flip sides of the same
authorization coin-flip.

If I delegate that the server has the right to act on my behalf, one
of its allowed actions can be to impersonate my user token to "act on
my behalf".

The allow/deny of the action can be viewed as a property of the
authentication protocol.

For example, Basic authentication allows impersonation without
requiring any explicit delegation rights because the user already
passed over the username/password to the server. The server can simply
"login" with those credentials to anything else that also takes
credentials in that form. While this form is super convenient for the
server/application, it is horrible security for the end-user. They
place so much trust in the server/system to not do the wrong thing.
And in the current Internet landscape of fiefdoms of authentication
protocols, where everyone rolls their own, this trust is easy to
accept because your server can't talk to the user's bank because the
authentication protocols are likely to be incompatible.

But it is not hard to imagine the CONNECTED future that everyone is
striving towards, and one day the fiefdoms will have to acknowledge
and work with each other. You can draw an analogy to how each country
has its own citizen identification system, none compatible with each
other (every company has its own authentication system, none
compatible with the other), and for citizens to move about other
countries they have to have internationally recognized visas or
passports.


Regarding the cookie/security -- while encryption is a useful part of
security, it hardly makes anything hack-proof. For example, SSL
encrypts data between two network end points, so if you transmit
everything over SSL, it's safe, right?

Not exactly. Encryption is simply a never-ending arms race. It is
simply "security because you can't decrypt it fast enough with current
technology". And even if current technology cannot decrypt it fast
enough, who says that hackers take the brute force approach? Attacking
the endpoints of the encryption, where data gets decrypted to be used/
manipulated, can be much easier.

While direct manipulation of the encrypted content is highly desirable
for hackers, damage can be done without attacking the encryption
itself. For example, with a portable token, one can conduct replay
attacks against the token -- take the entire encrypted token and
present it to another service that takes a token. Since the entire
security system is based on presence of the token to permit authorized
access, a hacker can take a copy of the token to replay someone else's
actions. Depending on the identity of that someone and their action,
the attack can be damaging.

Furthermore, with a portable token, one now has to control the
lifetime (i.e. freshness) of the token. The same feature of "if you
single-sign in you do not need to sign-in for another 24 hours" also
means "if you single-sign in and you are hacked, the hacker has your
identity for the next 24 hours". Convenience is a double-edged sword.

As you can see, encryption is hardly synonymous with "being secure",
and every single desirable convenience of an authentication/
authorization system has its security drawbacks. The trick is to:
1. balance your security requirements with
2. the security offered by the compromises between
3. absolute security and
4. combination of convenience options offered by a security system

This is not easy to balance, and security systems have no incentive to
inform you about the realities so that you can weigh the above four
things for yourself. It is far easier to keep this information
unexplained and market to people's fears to sell whatever you want...
because security IS hard to understand and implement -- at some point,
people just "trust" the salesman, and that's when you're snared...


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





On Sep 6, 8:02 am, Chris Davoli wrote:
> Thanks for your honesty. We are trying to decide if we want to use Websphere
> or go the microsoft route. You are very knowledgeable.
>
> So you think that cookie that websphere attaches (the LTPA token) to the
> browser, could be hacked easily even though it is encrypted?
>
> Another question, is delegation like impersonation?
>
> --
> Chris Davoli
>
>
>
> "David Wang" wrote:
> > The questions you ask *sound* simple, but they are really loaded and
> > can easily take pages to "elaborate", and any abridgement simply does
> > not do the seriousness of this security subject any justice. I am not
> > trying to be arrogant, but security subjects like authentication and
> > authorization are hard, and most people hardly understand them well
> > enough to implement secure solutions. And most existing cookie-cutter
> > solutions are just that.
>
> > In short, delegation is the principle which allows a server which logs
> > on a user to act ON BEHALF OF that user to access another resource,
> > usually on another server, without requiring additional login.
>
> > Needless to say, this is a highly privileged operation requiring
> > tremendous trust between the user and the two servers. The user trusts
> > the server to not take his user credential and do something else BAD
> > on behalf of that user -- the same mechanism that allows the server to
> > act ON BEHALF OF the user to another server, it also allows the server
> > to access, say, that user's bank account and transfer all his money
> > to the server's administrator. To any authorization protocol, the two
> > actions are exactly the same, but one is clearly desirable while the
> > other is not.
>
> > You can read more explanation here:
> >http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO-ISAPI-Conside...
>
> > Do you believe that WebSphere actually works like a true cohesive and
> > delegatable security system? As it marshals traffic between
> > potentially incompatible operating systems using different
> > authentication and authorization protocols... is it even going to
> > delegate correctly and securely? Or do you think that WebSphere makes
> > itself a huge big-brother "trust me" Trusted-Computing-Base that is
> > the common element across all the systems and just flows user
> > credentials across its own internal trust boundary?
>
> > But, there is no delegation in that design, and security is achieved
> > through a whole bunch of implicit trust of the system. I'd rather take
> > my chances with a well-defined public system like Kerberos which keeps
> > all the right powers in-check-and-balance... and Active Directory is
> > one possible implementation.
>
> > All I can say is that if you think flowing username/password is the
> > right approach to do single-sign-on, you have missed the point.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> > On Sep 5, 11:34 am, Chris Davoli
> > wrote:
> > > David, can you elaborate a little? How does delegation work?
>
> > > Also, why do you say that websphere is a hack? Do you know how it works?
> > > --
> > > Chris Davoli
>
> > > "David Wang" wrote:
> > > > On Sep 4, 12:26 pm, Chris Davoli
> > > > wrote:
> > > > > Environment: ASP.Net, SQL Server
>
> > > > > How do I pass ASP.NET session variables ie; like userid and password from
> > > > > one web site to another. I know websphere has a way to do this, but is there
> > > > > something in IIS?
>
> > > > > Actually this is what I really want to do:
> > > > > Can authentication and authorization using say Active Directory allow you to
> > > > > log into one site and also be authorized for another site without logging in
> > > > > again using network userids?
>
> > > > > --
> > > > > Chris Davoli
>
> > > > This is user delegation. You can either do it correctly with Active
> > > > Directory, or the insecure hack that you are proposing (and what
> > > > Websphere does).
>
> > > > //David
> > > >http://w3-4u.blogspot.com
> > > >http://blogs.msdn.com/David.Wang
> > > > //
>
>
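The two concrete risks David raises for a portable SSO token, replaying a captured token against a different service and the token staying valid for its whole lifetime once stolen, are both things the verifying side can check for, and Egbert's shared-domain cookie has the same exposure if every host under the domain accepts the same token. The following is an added illustration, not code from the thread, from WebSphere, or from any Microsoft product: a generic HMAC-signed token (not LTPA and not Kerberos) whose claims name the user, the one service it is meant for, and its issue time, with a relying-service verifier that rejects tokens presented to the wrong audience, tokens older than its own freshness window, and tokens issued before the user's last logout. The audience names, the claim names, the shared key and the timestamps are all constructed for the example; the logout-based revocation goes a step beyond the thread, which only mentions the 24-hour lifetime problem.

```python
"""Added example: audience-bound, expiring, signed SSO token with replay,
freshness and logout checks on the relying-service side. Not from the thread."""
import base64
import hashlib
import hmac
import json

# Constructed secret shared by the login server and the relying services.
# A real deployment loads it from a secret store and rotates it.
SHARED_KEY = b"constructed-example-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, audience: str, issued_at: int, ttl_seconds: int,
                key: bytes = SHARED_KEY) -> str:
    """Login-server side: sign claims naming the user, the single service the
    token is for (aud) and its issue/expiry times. No password is carried."""
    claims = {"sub": user, "aud": audience,
              "iat": issued_at, "exp": issued_at + ttl_seconds}
    body = _b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(tag)


class TokenVerifier:
    """Relying-service side. Each service has its own audience name, enforces
    its own (shorter) freshness window, and honours per-user logout."""

    def __init__(self, audience: str, max_age_seconds: int,
                 key: bytes = SHARED_KEY):
        self.audience = audience
        self.max_age = max_age_seconds
        self.key = key
        # user -> logout time; tokens issued before it are dead for this service
        self.revoked_before = {}

    def logout(self, user: str, now: int) -> None:
        self.revoked_before[user] = now

    def verify(self, token: str, now: int):
        """Return (accepted, reason, claims); claims is None on rejection."""
        try:
            body, tag = token.split(".", 1)
            # Check the MAC (constant-time) before trusting anything in the body.
            expected = hmac.new(self.key, body.encode("ascii"),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(tag)):
                return False, "bad signature", None
            claims = json.loads(_b64url_decode(body))
        except ValueError:
            return False, "malformed", None
        # Audience binding: a token captured at site A is useless at site B.
        if claims.get("aud") != self.audience:
            return False, "wrong audience", None
        if now >= claims["exp"]:
            return False, "expired", None
        # Freshness: the verifier bounds lifetime independently of the issuer's TTL.
        if now - claims["iat"] > self.max_age:
            return False, "stale", None
        # Logout: anything issued before the user's last logout is rejected.
        if claims["iat"] < self.revoked_before.get(claims["sub"], 0):
            return False, "revoked", None
        return True, "ok", claims


def demo() -> dict:
    """Walk one constructed token through the checks; returns reason strings."""
    t0 = 1_000_000  # constructed epoch timestamp
    intranet = TokenVerifier("intranet.example", max_age_seconds=900)
    payroll = TokenVerifier("payroll.example", max_age_seconds=900)
    # Issuer hands out a 24-hour token for the intranet only.
    tok = issue_token("cdavoli", "intranet.example", t0, ttl_seconds=24 * 3600)
    # Forge: same signature, body altered to claim a different user.
    body, tag = tok.split(".", 1)
    forged_claims = json.loads(_b64url_decode(body))
    forged_claims["sub"] = "admin"
    forged = _b64url(json.dumps(forged_claims, sort_keys=True).encode()) + "." + tag
    results = {
        "fresh": intranet.verify(tok, t0 + 60)[1],
        "replayed_elsewhere": payroll.verify(tok, t0 + 60)[1],
        "stale": intranet.verify(tok, t0 + 3600)[1],
        "expired": intranet.verify(tok, t0 + 24 * 3600 + 1)[1],
        "forged": intranet.verify(forged, t0 + 60)[1],
    }
    intranet.logout("cdavoli", t0 + 120)
    results["after_logout"] = intranet.verify(tok, t0 + 130)[1]
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:>20}: {reason}")
```

The design point is that the issuer's 24-hour TTL is not the only lifetime in play: each relying service decides how old a token it will accept and can drop a user's tokens on logout without coordinating with the issuer, which shortens the window a stolen token is useful for, and the audience claim stops one captured token from opening every host that shares the signing key or the cookie domain.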