Http 403 or 404 for accessing restricted WEB resource?
My question is rather similar to this one: Return "correct" error code, or protect privacy?, but I'd like to hear some different answers.

We have a web site, most pages of which may be visited by a user who is not logged in. But when a user who is not logged in tries to access a resource (page) that requires authorization (the user must have the FooRole role), we automatically redirect him to the Login page and, after he provides correct credentials, return him to the restricted resource. What should the web site do if the user has provided correct credentials, but his access rights turn out to be insufficient (he has BarRole but not FooRole)?

In the current implementation we return an HTTP 403 response (Forbidden). But some developers argue that a 404 code must be returned because it provides better security: the user should not be able to distinguish non-existent resources from inaccessible ones. From the point of view of security it may be better to return 404, but in the described situation the user was redirected to the Login page, and that behavior "hints" that such a page exists, so it is not very logical to return 404 (these are my thoughts). If the user has already been authorized and tries to access restricted resources (by directly modifying the URL), then, well, it may be logical to return a 404 error.

Maybe such an "auto redirect to Login" feature is not good? Can you suggest what behavior is more "standard/good/user-friendly/hack-free" in such a situation?

Thanks!

Best answer

I believe it is more suitable to return an accurate 403 error code for login failures.

As for your issue of obscuring what files actually exist: in general, "security through obscurity" (buzzwords) is considered a very poor security model, and there really should be no benefit to a user in knowing those URLs if they don't have access to them anyway (and if they break the access control, I presume there's a fairly simple way to find the URLs to the files).

If it is important to obfuscate the file names, however, I would recommend returning 403 for any file in the folder (existing or not) for unauthenticated users (essentially you're denying them access to see what's in the folder, so the error code seems legitimate to me). I'd probably recommend doing this via a CustomErrors handler which distinguishes whether you're logged in or not before deciding how much to tell you (that way you still maintain accurate 404 errors for people who are authenticated), or an HttpModule catching the exception a 404 throws and rendering a different result for authenticated vs. unauthenticated users.
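The HttpModule variant the answer suggests, written out as an added example (it is not code from the original post or from the asker's site). It assumes a hypothetical protected folder `/Secure/` and that requests for that folder pass through the ASP.NET pipeline (IIS integrated mode, or `runAllManagedModulesForAllRequests="true"`), so that a static-file 404 is visible in `EndRequest`. For anonymous callers it collapses "not found" and "forbidden" into one 403; authenticated users keep the accurate status the pipeline already produced, so a logged-in user with the wrong role still sees a 403 and a logged-in user with a mistyped URL still sees a 404.

```csharp
using System;
using System.Web;

// Added example: an IHttpModule that hides whether a file exists inside a
// protected folder from unauthenticated callers. "/Secure/" is a hypothetical
// folder name chosen for illustration.
public class RestrictedFolderStatusModule : IHttpModule
{
    private const string ProtectedPrefix = "~/Secure/";

    public void Init(HttpApplication app)
    {
        // EndRequest runs after the handler (StaticFileHandler, MVC routing, a
        // page) has set its status code, so we can inspect and override it.
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Only touch requests aimed at the protected folder; everything else
        // keeps its normal 404/403/200 behaviour.
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        // Anonymous caller + 404: rewrite to 403 so the status code no longer
        // distinguishes "does not exist" from "exists but you may not see it".
        if (!ctx.Request.IsAuthenticated && ctx.Response.StatusCode == 404)
        {
            ctx.Response.Clear();
            ctx.Response.StatusCode = 403;
            ctx.Response.StatusDescription = "Forbidden";
            // Prevent IIS from replacing our body with its own custom error page.
            ctx.Response.TrySkipIisCustomErrors = true;
            ctx.Response.Write("403 Forbidden");
        }
        // Authenticated users: leave the accurate 403 (wrong role) or 404
        // (no such file) that the pipeline already produced.
    }

    public void Dispose() { }
}

/* Registration (web.config, IIS 7+ integrated mode), also part of this example:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <add name="RestrictedFolderStatus" type="RestrictedFolderStatusModule" />
  </modules>
</system.webServer>
*/
```

One caveat worth checking in your own setup: if the folder is already covered by a `<location>` with `<deny users="?" />`, UrlAuthorizationModule redirects anonymous requests to the login page before the handler ever runs, for existing and non-existing paths alike, so the redirect itself reveals nothing about existence and this module only matters for requests that reach a 404. Also verify that anonymous responses from the folder carry no other existence signal, such as a different `Content-Length` or a caching header that the static-file handler only emits for real files.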

Answers

No answers yet.