I have a website and my users log in to my site. For each user, I store their credentials to another third-party site. I would like to be able to log the user in to the third-party site from within my site (preferable) or in a new tab (less preferable).
The problem is that the third-party site uses the X-FRAME-OPTIONS: SAMEORIGIN header. Is there any way I can achieve this if I have my users' credentials for the third-party site?
As already mentioned in the comments what you are looking for is Single Sign On (SSO)
Single Sign On (SSO) occurs when a user logs in to one application and is then signed in to other applications automatically, regardless of the platform, technology, or domain the user is using.
Source: https://auth0.com/docs/sso/current
Security Note
For security reasons you should not try to roll your own solution. See all the data breaches that happen every day and the heavy GDPR fines for who fails to protect user data. Plus Broken Authentication is in the OWASP top 10-2017
Related
I am trying to solve the classical approach to how user login pass token is stored in web browsers. By default, anyone who can access the developer's consoles of the browser can obtain the content in password fields by looking at the HTML content of the input element or using javascript.
Because of this, if by mistake someone comes across your login password, he/she can use it on any browser to access your data from the server.
To solve this problem, I am researching a way which on an attempt to login the server will generate a unique pair ID from the client's Unique ID and let the client store this server generated ID as the user's login pass for this client only, such that if the server generated ID is used in attempt to log in from another browser, the server will compare the associated browser ID to the accessing unique ID before permitting access.
Consequently, A server generated login can only be valid on the client who generated the ID, the real password is never stored on the client, but only used on the first attempt to login on a client who does not have valid server ID. The user will have the opportunity to invalidate all the server-generated pass.
For this to work, I need a unique token from the browser such that if 10 instances of the same browser are installed on the computer within a time-space less than 1 second, the ID of this browsers will never be the same.
My question is, can such Unique ID be obtained from the browser? any suggestion on how to go about this is also appreciated.
In general, you can't uniquely identify a browser installation in the way you describe. This is, in part, to protect users' privacy from tracking across the web.
Your ultimate goal (preventing an attacker from authenticating if they discover the user's password), however, can be satisfied with a one-time-password system, like TOTP.
In a system like this, when an account is set up for one-time passwords, the user and service share a secret. Later, when the user logs in, they are prompted for a one-time password, which they generate using special software, which is isolated from the client, and ideally on another device. For example, the user might use the Google Authenticator app on a smartphone to generate a code that they enter on their desktop browser.
Even if the attacker captures the user's conventional password with a key logger, they can't authenticate themselves because they don't have access to the shared secret necessary to compute the one-time-password.
Universal 2nd Factor authentication is another approach to thwart key loggers based on some parallel concepts. (That is, it also uses a one-time code, generated with a secret that is securely stored rather than being exposed on the client.)
I need to store the IP address, the User-Agent of the client who is requesting a particular web page, the name of the webpage being requested and the request time. I am planning to store the information in a table in the database(MySQL). But, the problem I can for-see is that every time the page is requested there will be a database entry, and in time it would take up a huge amount of space.
Does analytics tools like Google Analytics already store these information (IP-Address, User-Agent, Requested-Webpage-Name, Time) that I can access anytime in future (Say, i need to check the client's IP and User-Agent who viewed a particular page within a particular timeframe)? If not, is my approach the right way to do it? If not, what is the right way?
I found that nginx does this out of the box with it's access logs, which are stored in /var/logs/nginx/access.log. So, i just need to pare the access log data, using various tools available online.
People need to log in to start using my app. They can register themselves on my website and their passwords are stored using Bcrypt. When they login in the app I transfer the password as plain text in a GET request (https://website.com/file.php?pass=password) to a php file which is using Bcrypt again to compare the password to the one stored in my database. My website uses a SSL certificate and with that a HTTPS connection at all times. So my NSURL starts with a HTTPS request. My question is, is it safe enough this way or is it completely unsafe? If so what would you suggest to validate the login of the user?
I think that using HTTPS is a great start. As zaph points out, you might want to check to make sure that your server is using TLS 1.2.
I agree with SLaks, though, and advise against GET request. Section 9.4 of RFC 7231 warns "Authors of services ought to avoid GET-based forms for the submission of sensitive data because that data will be placed in the request-target. Many existing servers, proxies, and user agents log or display the request-target in places where it might be visible to third parties. Such services ought to use POST-based form submission instead."
As you're thinking about NSURLSession security, I'd suggest that you make sure that you do not do any caching during user authentication, perhaps even using an ephemeral session, so that this data that you've gone to such lengths to encrypt isn't unintentionally stored elsewhere unencrypted.
I might also suggest watching WWDC 2015 videos Security and Your Apps, Privacy and Your App, and Networking with NSURLSession. These don't tackle your question directly, but they do touch on some some broader security/privacy issues.
HTTPS is safe if the server is using TLS 1.2 and perfect forward secrecy. Also if the server is using 2-factor authentication and the second factor is well controlled.
But you also need to pin the certificate in your app to prevent MITM attacks.
Recently I had problems with my email account (gmx.net). I have about 30 failed login attempts a day. But that is not the topic of the question (I already changed my password).
It got me thinking. Is this in automatic attack? And if so, how is it done? I took a look at the HTML code of the page and found out, that it is pretty easy to just copy the source code of the form element and do a login attempt through a local html file (copy and paste, new HTML file, open in browser, enter your credentials, submit). That means it is an easy task to automate such things (write a little script, that does a post with various values --> Brute Force attack). I was about to write an email to the mail hosted, when I found out, that the exact same process can be done on facebook.com....
I had the impression, that since we have all these new fancy web frameworks like Rails, Django and so on, we have an automatic protection against such attacks (for example the protect from forgery which Rails includes http://ruby.about.com/od/security/a/forgeryprotect.htm)
My question here is:
Is there any sane reason to allow a login attempt from another server?
Don't give me "API", the most APIs for web application require a manual login process before authorization.
I know there are many more ways to brute force attack any website login (use a framework that controls a browser etc...) and there are many ways to protect (IP-banning etc). But shouldn't disabling a remote login be one of the first security mechanisms you would take?
The problem I am trying to tackle is simple. I have two pages - the first is a registration page, I take in a few fields from the user, once they submit it takes them to another page that processes the data, stores it to a database, and if successful, gives a confirmation message. Here is my issue - the data from the user is sensitive - as in, I'm using an https connection to ensure no eavesdropping. After that is sent to the database, I'd like on the confirmation page to do some nifty things like Google Maps navigation (this is for a time reservation application). The problem is by using the Google Maps api, I'd be linking to items through a unsecure source, which in turn prompts the user with a nasty warning message. I've browsed around, Google has an alternative to enterprise clients, but it costs $10,000 a year. What I am hoping is to find a workaround - use a secure connection to take in the data, and after it is processed, bring them to a page that isn't secure and allows me to utilize the Google Maps API. If any of you have a Netflix account you can see exactly what I would like to do when you sign-in, it is a secure page, which then takes you to your account / queue, on an unsecure page. Any suggestions? Thanks!
I generally advise never to skip security features, because they are there for a reason, but i found this for you to check out.
Perhaps it is time to consider retiring support for IE6?