
Security Problem

9 posts, 0 answered
  1. Matt, 9 posts, registered 11 Feb 2008. Posted 13 May 2008.
    I am having a problem with creating secure pages.

    I create a simple site with the following simple structure:

    index.aspx
    public.aspx
    privatepage.aspx
    veryprivate.aspx
    login.aspx

    All the pages are visible to anonymous users apart from privatepage and veryprivate page.

    The logon page was created by simply dragging in the logon control from the available login controls within the admin system.

    I have two users, administrator and bob. bob is not a member of any roles.

    After denying anonymous access to the two private pages I do not initially give the role 'everyone' a view permission. So at this point nobody should view these pages.

    If I now view my site my navigation shows links to three pages

    index.aspx
    public.aspx
    login.aspx

    This seems fine. If I try to access one of the private pages directly I am redirected to the page:

    http://localhost/Mysite/sitefinity/login.aspx?ReturnUrl=%2fMysite%2fprivatePage.aspx

    If I now log on with the account bob I receive the error 'This type of page is not served.'

    This is fine as I have not given 'everyone' permission to access this page.

    However if i instead visit 'login.aspx' and use the login usercontrol to login with the same account 'bob', I can not access any of the private pages.

    It seems if I use the /sitefinity/login.aspx page to log in everything works as expected, but if I use a page created in the CMS which contains the login control I seem to have the ability to access any page I like, regardless of permissions.

    I also noticed if I return to the admin and give one of the private pages 'everyone' view permission, when I then log into the site through the /sitefinity/login.aspx page, this page is now added to my navigation. I will now see:

    index.aspx
    public.aspx
    privatepage.aspx
    login.aspx

    However if I log in using the login.aspx page with the account bob I still only see the links in the navigation:

    index.aspx
    public.aspx
    login.aspx

    However I can still access both privatepage.aspx and veryprivatepage.aspx if I type them in directly.

    Is this a bug with the login usercontrol or am I using it incorrectly somehow?

  2. Matt, 9 posts, registered 11 Feb 2008. Posted 13 May 2008.
    Sorry, the paragraph "However if i instead visit 'login.aspx' and use the login usercontrol to login with the same account 'bob', I can not access any of the private pages."

    should read:

    However if I instead visit 'login.aspx' and use the login usercontrol to log in with the same account 'bob', I can access any of the private pages.
  3. Nikifor, 232 posts, registered 18 May 2013. Posted 15 May 2008.
    Hi Matt,

    When setting permissions for different users, it is essential to keep in mind the "Everyone" role, because its settings are inherited by any role other than the Administrators one. We followed your instructions but unfortunately did not manage to reproduce the reported behavior. We created two pages with Anonymous Access set to Deny and a user without any specific permissions. Here are the steps which we performed:
    1. When we try accessing http://localhost/MySite/Private_Page.aspx, we get the same redirection as you:
    http://localhost/kaka/sitefinity/login.aspx?ReturnUrl=%2fMySite%2fPrivate_Page.aspx
    2. If we set view permissions on Private_Page for the user's role, sign out from the administration (this is essential, as the browser would otherwise consider us logged in when browsing any of the pages), and open http://localhost/MySite/login.aspx:
    - if we are anonymous we can see only the pages with allowed anonymous access;
    - if we have logged in as Bob, Private_Page is added to the list of pages (exactly as expected).

    A possible explanation for this behavior is browser caching, so please, each time you try a URL, start a new browser session.

    Please let us know if we are missing something and this is not the case.

    Greetings,
    Nikifor
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
  4. Matt, 9 posts, registered 11 Feb 2008. Posted 15 May 2008.
    I have recreated the site again and I still experience the same problem.
    The problem does not seem to affect the navigation controls, they seem to work correctly (hiding pages I don't have access to), however I can access the page directly by typing it into the browser, and it only seems to be caused by pages which use the login control rather than the sitefinity/login.aspx page.

    I have two users, admin (member of administrators) and bob (member of no other roles).

    I have two groups, Administrators and everyone.

    If I create a simple structure:

    index.aspx - Allow anonymous yes
    private.aspx - Allow anonymous no, everyone view, admin full control
    veryprivate.aspx - Allow anonymous no, everyone deny, admin full control
    login.aspx - Allow anonymous yes

    When I visit the homepage (index.aspx) my navigation shows
    index.aspx
    login.aspx

    If I try to access private.aspx or veryprivate.aspx I am redirected to the sitefinity/logon.aspx page.

    If I log in as admin my navigation becomes
    index.aspx
    private.aspx
    veryprivate.aspx
    login.aspx

    (close all browsers)

    If I log in as bob my navigation becomes
    index.aspx
    private.aspx
    login.aspx

    If I try to access veryprivate.aspx by typing it into the browser while logged in as bob I receive the "This type of page is not served." error.

    This all works fine; my problem starts if I try the login.aspx page from within my site which just uses the default login control. Now things happen a little differently.

    If I log in as admin my navigation becomes
    index.aspx
    private.aspx
    veryprivate.aspx
    login.aspx

    This is all fine, same as before.

    (close all browsers, clear cache, cookies etc.)

    If I log in as bob my navigation becomes
    index.aspx
    private.aspx
    login.aspx

    This all seems fine, navigation is correct, but now if I try to access veryprivate.aspx by typing it into the browser, instead of the error I received before it displays the page, even though the page has everyone deny and only admin should be able to view it.

    The navigation seems OK, it hides the page from user bob, but if accessed directly by typing the URL into the browser, the page is displayed.

    It seems to be a problem only when the login control is used.
  5. Matt, 9 posts, registered 11 Feb 2008. Posted 15 May 2008.
    I have narrowed down what seems to be the cause of the problem. The code-behind for the /sitefinity/login.aspx page differs from the code-behind for the user control.

    The code that seems to prevent the problem is

        HttpCookie cookie = this.Response.Cookies[FormsAuthentication.FormsCookieName];
        UserManager.Default.SetAuthenticationCookie(cookie);

    which is called within:

        void Login1_LoggedIn(object sender, EventArgs e)

    This code exists in the sitefinity/login.aspx page but not in the login user control.

    Without this code it seems that any user who logs in will be able to view any page regardless of permissions. The page may be hidden in their navigation, but if they type in the URL they will be able to view the page. If this code is commented out of the sitefinity/login.aspx page, the same effect can be seen as when using the login control: the navigation will work correctly but you will be able to access any page you want directly.

    As this code does not exist in the login control, it seems to allow the navigation controls to work but prevents the security system from working correctly.

  6. Georgi, 3583 posts, registered 28 Oct 2016. Posted 17 May 2008.
    Hello Matt,

    With these two lines of code we fix an issue of the standard ASP.NET RoleManager module, because it does not save the information about the role provider used. Later we detect in the HttpModule that the user is logged in with our login form and we check its permissions.

    If this code is missing, we decide that everyone is authenticated and the effective permissions are set for the Everyone role.

    Kind regards,
    Georgi
    the Telerik team

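The code-behind of a login user control with the two missing lines wired into the Login control's LoggedIn event, as an added example (not Matt's code and not Telerik's); the class and file names, the control ID Login1 and the Telerik.Security namespace for UserManager are assumptions, and the effect of the two lines is the one Georgi describes above.

```csharp
// LoginControl.ascx.cs (assumed name): code-behind for a user control whose
// markup contains the standard <asp:Login ID="Login1" runat="server" /> control.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using Telerik.Security;   // assumed namespace of UserManager in Sitefinity 3.x

public partial class LoginControl : UserControl
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // LoggedIn is raised by the Login control after the membership provider
        // has validated the credentials and the forms-auth cookie has been issued.
        // (OnLoggedIn="Login1_LoggedIn" in the .ascx markup has the same effect.)
        Login1.LoggedIn += new EventHandler(Login1_LoggedIn);
    }

    // These are the two lines sitefinity/login.aspx has and the bare user
    // control lacks. Without them the Sitefinity HttpModule cannot tell that the
    // session was authenticated through its login flow and applies the Everyone
    // role's effective permissions, so a page the user is denied still renders
    // when its URL is typed directly, even though navigation hides it.
    void Login1_LoggedIn(object sender, EventArgs e)
    {
        HttpCookie cookie = this.Response.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            // Not expected after a successful login; fail closed rather than
            // leave an authenticated session that Sitefinity does not track.
            FormsAuthentication.SignOut();
            return;
        }

        UserManager.Default.SetAuthenticationCookie(cookie);
    }
}
```

After the fix, a regression check is the one Matt already used: log in as a user without rights through the user control, type the URL of a denied page and expect the "This type of page is not served." response rather than the page.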
  7. Christian Calderon, 8 posts, registered 27 Feb 2006. Posted 22 May 2008.
    Question:

    How can I make SiteFinity retrieve roles by user from a custom Role Provider? I got a custom membership provider working for authentication; now I need SiteFinity to allow me to use a custom role provider to handle page-level security/authorization.

    After running a SQL Trace it seems like Telerik uses inline SQL to do this by querying the telerik_UsersInRoles table.

    Any advice/suggestions?
  8. Nikifor, 232 posts, registered 18 May 2013. Posted 26 May 2008.
    Hi Christian Calderon,

    We apologize for the delayed response. We will provide an example for implementing the desired behavior by the end of this week.

    Thank you for your understanding.

    Kind regards,
    Nikifor
    the Telerik team

  9. Yasen, 121 posts, registered 18 May 2013. Posted 17 Jul 2008.
    Hello Christian Calderon,

    Sorry for the delayed response, if you still experience problems, please refer to this KB article.

    Greetings,
    Yasen
    the Telerik team
