Jason Salas' WebLog

On-air and online: making people laugh, making people think, pissing people off


Developing a password-protected authentication scheme for accessing XML files over the WWW

A project I'm doing for a client "requires" (as in, that's their preference) an RSS feed to be accessible only by authentication.  The client isn't technical, and only wants some sort of exclusivity built in so that the XML data contained within isn't truly public.  It's a giveaway promotion over the radio, so if a few people manage to crack the authentication and access the XML data, no biggie - it's just podcastable MP3 files.  As such, the "password" is just a randomly-generated string of characters (5 numerics, 5 alphabetics).

Here's the pseudocode I'm working with in ASP.NET 1.x:

  1. Develop a simple login page - LOGIN.ASPX - requiring a user to enter a password into a TextBox control
  2. Use a regular expression in a RegularExpressionValidator control against the TextBox to ensure the string has 5 numbers and 5 letters (note this isn't validating against a store of genuine passwords, so actually, the more people to crack it, the better).  It's basically nothing more than a faux security mechanism that calls Response.Redirect() if the password is in the right format.
  3. Use a .ASPX page - BONUS.ASPX - with the Response.ContentType property set to "text/xml", so that code can evaluate the previous page by looking at the referring page.  If it's not LOGIN.ASPX, redirect to that page, thus programmatically ruling out direct browsing to the file.
  4. TODO: figure out how to keep the XML data away from search engines and indexes.

Anyone have any better ideas?  This again isn't true bulletproof authentication, so it's deliberately got loopholes.

Comments

Jeff Gonzalez said:

You could just write it all up in an HttpHandler and secure it using Forms Authentication.

You could hardcode the username in your login method and just verify that the password is valid. You can override a particular page like bonus.aspx using the path attribute of the http handler. You can set the http handler to also set the content type.

And since search engine crawlers ignore form POSTs anyway you won't have to worry about that.
# July 27, 2005 9:11 PM

Jason Salas said:

There's a thought...
# July 27, 2005 9:15 PM

bonder said:

Using asp.net forms authentication is the way to go. Easy, part of the framework, and quick.
# July 27, 2005 10:27 PM

Jason Salas said:

Hi Bonder,

Nah...too much work. I've got quite a lot of stuff already resident in web.config, so it would be more work to set it up. :(

And this is a temporary thing for only 60 days - the duration of the promotion, so once it's up, I just pull everything.
# July 27, 2005 10:28 PM

Jason Salas said:

Hi Jeff,

Great ideas, but are you sure crawlers and spiders wouldn't index the content?

For example, search this in Google:
"site:kuam.com filetype:xml"

You'll find all my stuff. :(
# July 27, 2005 10:29 PM

alex said:

is .asp a reuired aspect of this project? ;-)
# July 27, 2005 10:33 PM

alex said:

ok, yeah. i meant required. reason i ask is, we're just using 'realm security' to secure an rss feed. <http://www.w3.org/Protocols/HTTP/1.0/draft-ietf-http-spec.html>
# July 27, 2005 10:37 PM

Jason Salas said:

Hi Alex,

That would be my first choice, with ASP.NET being the platform I know best. I can knock it out the quickest. That is a pretty neat idea, though. :
# July 27, 2005 10:39 PM

Jeff Gonzalez said:

Jason,

Is that content secured behind an authentication method that requires a post to login? That is the benefit I see of having forms authentication.

As for the "difficulty" you mention in relationship to using Forms Authentication, it is about 30 minutes worth of work and can't you just remove the stuff from the web.config when you are done? You don't even need a true login method, because you really have some specialized logic. I think adding a couple of lines to the web.config is simpler than the solution you proposed, but that is just my opinion =)
# July 28, 2005 12:01 AM

Chris Frazier said:

Jas,

You could use the oft-forgotten robots.txt file to push spiders in the right direction.

I would probably use an .ashx (httpHandler) if it was me in your shoes, or have the xml extension mapped to the handler that does the authentication. If you want to completely block indexing of the content of your .xml files (if you have control/can influence the configuration of the server) you can map the *.xml file extension to asp.net and in your web.config assign it to a ForbiddenHandler. This way, even if the filename is discovered, whatever is making the request will be met with the forbidden message.
# July 28, 2005 2:33 AM
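Jeff's HttpHandler suggestion and Chris's ForbiddenHandler mapping, combined into one BonusFeed.ashx for ASP.NET 1.x as an added example (not code from the post or from the commenters). It also covers steps 2 and 3 of the original plan, with one change: because the handler only answers form POSTs, the client-supplied Referer header is no longer consulted. The form field name, the feed path, and the "any order" reading of five digits plus five letters are assumptions.

```csharp
<%@ WebHandler Language="C#" Class="BonusFeedHandler" %>
// BonusFeed.ashx: serves the promotion RSS only in response to a POST from
// LOGIN.ASPX carrying a code in the expected format.
//
// Companion web.config fragment so the raw .xml file cannot be fetched directly
// once IIS maps the *.xml extension to aspnet_isapi.dll (Chris's suggestion):
//   <system.web>
//     <httpHandlers>
//       <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler" />
//     </httpHandlers>
//   </system.web>
using System;
using System.Text.RegularExpressions;
using System.Web;

public class BonusFeedHandler : IHttpHandler
{
    // Exactly ten alphanumerics made up of five digits and five letters in any
    // order (assumed reading of "5 numerics, 5 alphabetics").
    static readonly Regex CodeFormat =
        new Regex(@"^(?=(?:.*\d){5})(?=(?:.*[A-Za-z]){5})[A-Za-z0-9]{10}$",
                  RegexOptions.Compiled);

    // Assumed feed location, relative to this handler at the application root.
    const string FeedPath = "private/bonus.xml";

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest req = context.Request;
        HttpResponse resp = context.Response;

        // Crawlers issue GETs and never submit forms, so anything that is not a
        // POST carrying a well-formed code is sent back to the login page.
        string code = req.HttpMethod == "POST" ? req.Form["password"] : null;
        if (code == null || !CodeFormat.IsMatch(code.Trim()))
        {
            resp.Redirect("login.aspx");
            return;
        }

        // Keep proxies and browser caches from holding a copy of the feed.
        resp.Cache.SetCacheability(HttpCacheability.NoCache);
        resp.ContentType = "text/xml";
        resp.WriteFile(context.Server.MapPath(FeedPath));
    }

    public bool IsReusable { get { return true; } }
}
```

LOGIN.ASPX then posts its form to BonusFeed.ashx instead of redirecting to BONUS.ASPX; the RegularExpressionValidator on the login page can reuse the same pattern for client-side feedback.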

Jason Salas said:

Hey Chris,

Good idea about the ForbiddenHandler. I didn't even think of that. Thanks!

As for the ROBOTS.TXT file...ugh: http://weblogs.asp.net/jasonsalas/archive/2003/12/23/45296.aspx

;-)
# July 28, 2005 3:15 AM

Aaron said:

Greg Reinacker from NewsGator posted a great little ASP.NET HttpHandler that does Basic Auth and you essentially code out the "auth" method (which can check a database, text file, web.config - whatever) - and it's simple to deploy and use.

See his post: http://www.rassoc.com/gregr/weblog/stories/2002/06/26/webServicesSecurityHttpBasicAuthenticationWithoutActiveDirectory.html
# July 28, 2005 1:10 PM