Cookie based authentication does not work with Excel


So I had a fun out-of-IE security 'experience' last week.

Background: On the current project I am working on, we have a .NET web site that uses forms-based authentication to set an authorization cookie value (a simple username and password request that sets up a session variable storing the user's authentication ticket; the session variable is carried between requests using cookies). The web site will allow you to stay logged in for a long time, so you do not always have to enter your username and password.

The web site is based on Microsoft's MVC implementation, so navigation to 'objects' on the web site is quite easy for users to figure out, and they go off creating their own URLs to access data (which is a good thing).

Now we got a call from a customer trying to create simple links in Microsoft Excel spreadsheets, to navigate to details about the current spreadsheet row. Simple enough, you think? I think not.

Problem: Some security expert (I assume) at one of the largest IT companies in the world figured out that sending cookies on web requests from Excel is a bad thing. I.e. when you select a URL link in Excel, the resulting request in IE will *never* send any cookies. The request will open up in Internet Explorer fine, but it sucks that the users have to log on to our system for each row they access.

If you have based authentication on sessions or cookies, you are basically stuck.

I Bing'ed (that didn't work, sorry... I 'searched') around on the net, trying to locate information that could help resolve the simple 'web link in Excel spreadsheet does not work' problem, with little luck.

Reworking the authentication scheme of the web application was not going to happen, so I needed to come up with something to solve what one would think to be a simple problem.

Solution: I noticed that after accessing the first link from Excel and entering my forms-based user name and password, everything worked fine. It was only the first request that caused a problem. OK, what if we create a proxy page that does not require any authentication, but forwards the user to the page they actually wanted?

So I built a proxy page with the following simple HTML and JavaScript code (note this is clean HTML/JavaScript, so it will work with any .NET, Java, Tomcat, Perl, Python, etc. web page that needs cookies to work). For those of you that like spoons, place the HTML code below in a file called redirect.htm and place it anywhere available on the net. Make sure you change the URL in the code to point to the correct web site as well.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Redirect Page</title>
</head>
<body>
Please wait, redirecting...
<script type="text/javascript">
<!--
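// Return the raw (still URL-encoded) value of a query-string parameter
function getQuerystring(key)
{
  // Escape square brackets so the key can be used inside a regular expression
  key = key.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regex = new RegExp("[\\?&]"+key+"=([^&#]*)");
  var qs = regex.exec(window.location.href);
  // exec() returns null when the parameter is missing; fall back to an empty string
  return qs ? qs[1] : "";
}
// The host prefix is fixed, so the redirect always stays on this web site
window.location = "http://www.vc2go.com/" + getQuerystring('page');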
//-->
</script>
</body>
</html>

So now accessing http://www.vc2go.com/redirect.htm?page=authentication.aspx will fire up the redirect code above and basically redirect the user to http://www.vc2go.com/authentication.aspx - the clue being that the redirected request will in fact have all the user cookies set up, and authentication will no longer be a problem.
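Since redirect.htm needs no authentication and builds its target from whatever is in the page parameter, it is worth checking that value before following it. The following is an added example, not part of the original post: it decodes the parameter, rejects backslashes and control characters, and only ever returns a URL on the site. The names safeRedirectTarget, SITE and FALLBACK are made up for this illustration.

```javascript
// Added example: resolve the 'page' parameter of redirect.htm to a same-site URL.
// SITE is the host used in the post; the function and constant names are hypothetical.
var SITE = "http://www.vc2go.com";
var FALLBACK = SITE + "/";

function safeRedirectTarget(href) {
  var page;
  try {
    // searchParams decodes percent-escapes, so %3F becomes "?" and %2F becomes "/"
    page = new URL(href).searchParams.get("page");
  } catch (e) {
    return FALLBACK;               // href itself is not a valid URL
  }
  if (!page) return FALLBACK;      // parameter missing or empty

  // Reject control characters and backslashes (browsers may treat "\" as "/")
  if (/[\u0000-\u001f\\]/.test(page)) return FALLBACK;

  var target;
  try {
    // Strip leading slashes so "//other.host/x" cannot be read as a new host,
    // then resolve the value as a path under the site root
    target = new URL("/" + page.replace(/^\/+/, ""), SITE);
  } catch (e) {
    return FALLBACK;
  }
  // Second check: the resolved URL must still have the site's origin
  if (target.origin !== SITE) return FALLBACK;
  return target.href;
}

// In redirect.htm (browser only):
//   window.location.replace(safeRedirectTarget(window.location.href));
```

Because the value is decoded first, a link such as redirect.htm?page=details.aspx%3Fid%3D5 (a constructed example) ends up at details.aspx?id=5 with its own query string intact.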

Ending: This was a happy ending. I never really figured out why the cookies did not get passed over, but assumed it to be a security expert that thinks good security is turning off your PC. It will keep you secure, but it makes it harder to use the tools on your PC.


This page contains a single entry by Thies Schrader published on November 1, 2009 9:02 PM.
