How to re-authenticate a user in an ASP.NET MVC 3 _Intranet_ application?

Let me explain: the application already uses the built-in Windows authentication, not Forms. What I'm trying to accomplish is the so-called “step-up” authentication or “forced re-authentication” for the following scenario:

  • the user browses the site, doing general, trivial things.
  • suddenly, the user must perform a sensitive action, such as authorizing the allocation of resources or confirming an auto loan or something like that.
  • the user is prompted to enter credentials before being redirected to the sensitive page, similar to SharePoint's "Sign in as another user"
  • if and only if the entered credentials are those of the user currently logged in does he get into the sensitive area.

This will prevent the following two problems:

  • The user goes to a meeting or for coffee and forgets to lock the workstation, and a colleague uses the session to access sensitive areas
  • The user enters his boss's credentials (because, let's say, he looked over the boss's shoulder) to gain access to a sensitive area.

I know that some will look at it as "paranoid," but others will consider it sane and something that should be built into the environment somewhere (jQuery or .NET).

I would really appreciate any input. Thanks!

2 answers

Have a form that sends credentials along with the request to perform the action, that is, some actions require you to provide a username / password. Use the PrincipalContext ValidateCredentials method to verify that the correct credentials were entered, and verify that the specified username matches the current username in the User.Identity object.

    using System;
    using System.DirectoryServices.AccountManagement;
    using System.Web.Mvc;

    public ActionResult SensitiveAction(SensitiveModel model, string username, string password)
    {
        // ValidateCredentials asks the domain whether username/password is valid;
        // the name comparison ensures it is the *current* user's account, not a colleague's.
        // Under Windows authentication User.Identity.Name is "DOMAIN\user", so the submitted
        // username must be in the same form for the comparison to succeed.
        using (var context = new PrincipalContext(ContextType.Domain))
        {
            if (!string.Equals(this.User.Identity.Name, username, StringComparison.OrdinalIgnoreCase)
                || !context.ValidateCredentials(username, password))
            {
                return View("PermissionDenied");
            }
        }
        ...
    }
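A fuller version of the same idea, added here as an illustration and not code from the answer above or from any project: it normalizes the "DOMAIN\user" form that Windows authentication reports so the account comparison does not depend on how the user types the name, validates the password against the user's own domain, and records a short step-up window in the session so the user is re-prompted only when that window has expired rather than on every sensitive request. The `StepUpUntil` session key, the five-minute window, the `/StepUp/Verify` route and the `RequireStepUp` attribute are names chosen for this example; it assumes the site is served over HTTPS and that anti-forgery tokens are emitted by the re-authentication view.

```csharp
// Added example (not from the original question or answers).
// Assumptions: ASP.NET MVC 3 with Windows authentication, HTTPS, and a
// domain-joined server. Route, attribute and session-key names are invented.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public static class StepUpAuth
{
    public const string SessionKey = "StepUpUntil";            // hypothetical key
    public static readonly TimeSpan Window = TimeSpan.FromMinutes(5);

    // Windows auth reports the user as "DOMAIN\sam". Split it so only the
    // account part is compared and validation targets the right domain.
    public static bool TrySplitAccount(string name, out string domain, out string sam)
    {
        domain = sam = null;
        if (string.IsNullOrEmpty(name)) return false;
        int i = name.IndexOf('\\');
        if (i < 0) { sam = name; return true; }                // bare sAMAccountName
        domain = name.Substring(0, i);
        sam = name.Substring(i + 1);
        return domain.Length > 0 && sam.Length > 0;
    }

    // True only if the typed account is the logged-on identity AND the domain
    // accepts the password. A valid password for a *different* account (the
    // boss's, say) is rejected by the name check before the DC is contacted.
    public static bool Reauthenticate(IIdentity current, string typedUser, string password)
    {
        string curDomain, curSam, typedDomain, typedSam;
        if (!TrySplitAccount(current.Name, out curDomain, out curSam)) return false;
        if (!TrySplitAccount(typedUser, out typedDomain, out typedSam)) return false;
        if (!string.Equals(curSam, typedSam, StringComparison.OrdinalIgnoreCase)) return false;
        if (typedDomain != null &&
            !string.Equals(curDomain, typedDomain, StringComparison.OrdinalIgnoreCase)) return false;
        if (string.IsNullOrEmpty(password)) return false;

        // A null domain name means "the domain of the running thread's user".
        using (var ctx = new PrincipalContext(ContextType.Domain, curDomain))
        {
            return ctx.ValidateCredentials(curSam, password);
        }
    }

    public static bool IsStepUpValid(HttpSessionStateBase session)
    {
        var until = session[SessionKey] as DateTime?;
        return until.HasValue && until.Value > DateTime.UtcNow;
    }
}

// Put [RequireStepUp] on sensitive actions: Windows [Authorize] plus a
// freshness check; an authenticated user without a fresh step-up is sent
// to the re-authentication form with the original URL preserved.
public class RequireStepUpAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return base.AuthorizeCore(httpContext) && StepUpAuth.IsStepUpValid(httpContext.Session);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);     // plain 401, IIS negotiates
            return;
        }
        string returnUrl = filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(
            "/StepUp/Verify?returnUrl=" + HttpUtility.UrlEncode(returnUrl));
    }
}

public class StepUpController : Controller
{
    [HttpGet]
    public ActionResult Verify(string returnUrl) { ViewBag.ReturnUrl = returnUrl; return View(); }

    [HttpPost, ValidateAntiForgeryToken, RequireHttps]
    public ActionResult Verify(string username, string password, string returnUrl)
    {
        if (!StepUpAuth.Reauthenticate(User.Identity, username, password))
        {
            // One generic message: do not reveal which check failed, never log the password.
            ModelState.AddModelError("", "Re-authentication failed.");
            return View();
        }
        Session[StepUpAuth.SessionKey] = DateTime.UtcNow.Add(StepUpAuth.Window);
        // Only redirect back to local URLs to avoid an open redirect.
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}
```

The window is the trade-off between the two objections one can raise against this design: too short and users are prompted constantly; too long and an unlocked workstation is again exposed. Keeping the timestamp server-side in the session (rather than in a cookie the client could forge) and tying the check to `User.Identity` on every request means a colleague at the unlocked machine still has to know the absent user's password once the window lapses.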

The user goes to a meeting or for coffee and forgets to lock the workstation, and a colleague uses the session to access a sensitive area. This only works the first time: now the boss enters a sensitive area, re-enters her credentials, then goes for coffee. Are you going to ask for credentials on every sensitive request? Users will not put up with this.

The user enters the credentials of his boss (because, say, he looked over the boss's shoulder) to gain access to a sensitive area. If someone knows and enters the credentials of their boss, you cannot do anything to detect this.


Source: https://habr.com/ru/post/898216/
