We have an ASP.NET Core v1.1 web application that displays protected images stored in the Azure Blob Storage Service. We achieve this by using a Shared Access Signature (SAS) that expires 36 hours in the future.
We store this SAS in memory for up to 18 hours (sliding expiration of 6 hours, absolute expiration 18 hours), to avoid repeated calls to the blob service. This has been in production since October, without issue, but recently over the past week we have run into issues where our customer is reporting broken images. Clearing the cache fixes the issue.
Our short term workaround is to shorten the cache to a maximum of 5 minutes, but I'm not sure why we would need to if the SAS is valid for 36 hours?
So, my questions are:
is it possible for a SAS to expire much earlier than expected?
is it safe to cache the SAS like I described, or should I request a new signature for every single request?
When you use shared access signatures in your applications, you need to be aware of two potential risks:
If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.
If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.
This describes the best practice for using SAS Token - Best practices when using SAS
As mentioned in the that Use near-term expiration times on an ad hoc SAS and have clients automatically renew the SAS if necessary. The key consideration is to balance the need for the SAS to be short-lived with the need to ensure that the client is requesting renewal early enough.
Related
I want to use the Direct Mail SDK(Java) directly within client application which is distributed across. The way to authenticate users within the application, I need to provide access keys as below,
IClientProfile profile = DefaultProfile.getProfile("cn-hangzhou", "<your accessKey>", "<your accessSecret>");
How can I prevent user to know the Access Keys and still prevent the need of third-party API? Is it possible?
First, it is bad practice to code an application that requires secrets that runs on the client. You should manage everything on the server and provide an API that the client software interfaces with.
Second, there is no way to hide those credentials once passed to the client. You could encrypt the credentials but at some point the client application will need to decrypt them. Even amateur programmers can figure out how you are processing your credentials.
Ignoring the above advice, Alibaba Cloud supports STS which provides temporary access keys. Using your Alibaba credentials, you would call AssumeRole which creates temporary access keys giving the user permission call DirectMail. You can limit the time that the credentials are valid. The range is 900 to 3600 seconds. After that duration the keys become invalid.
Keep in mind that 900 seconds is a long time. A bad actor getting access to those keys could send thousands of emails using your account. Therefore implement strong user authentication, STS and temporary access keys.
If you think that just keeping your interface secret is enough, don't. There are millions of script kiddies on the Internet poking at every IP address. Launch a new ECS instance and you will see attacks within hours.
As you said since it is a Java Web Application(assuming), currently I think of something using similar to JBOSS Vault to store the access keys securely.
If it is some standalone client application still you can use some encryption methodologies to store the data. But this will only prevent easy access to the data/keys. But it is not impossible. The best bet would be creating another third-party API
let's assume my WEB API hosted on IIS might stop and restarted under any circumstance. And I am using OAuth 2 and generated tokens successfully (with Expired date set).
I am just curious do I really have to save each token generated for the fact that my API could possibly restarted and lose its session?
You could save a hashed version of the key to a database or possibly a user cookie. As you stated if the application pool were to reset you would loose any session saved data.
We have Windows Server 2008 R2 with IIS on in a web farm environment. I initiate a Classic ASP session and every so often, when refreshing the page, it doesn't show but then comes back again.
I go to http://mainurl.com but have two boxes called http://devbox1.com and http://devbox2.com
I put the files onto one of the DEV boxes which replicates to the other one.
After some reading, I guess this is down to a "common" issue with sharing sessions across a web farm instance.
Could someone please help me how to resolve this please?
Update:
As it's not clear in my post. Do not use the Session.SessionID as the identifier for the cookie as this will change across environments (Microsoft recommend never to store the SessionID in a database).
Quote from MSDN Library - Session.SessionID
You should not use the SessionID property to generate primary key values for a database application. This is because if the Web server is restarted, some SessionID values may be the same as those generated before the server was stopped. Instead, you should use an auto-increment column data type, such as IDENTITY with Microsoft® SQL Server™ or COUNTER with Microsoft Access.
Instead use a self generated id value that you then store in your cookie and the database. This way your Session object can be re-created.
There seems to be some discussion about solution using a database. Just to clarify Classic ASP uses Session object stored in memory this means the minute you switch machines load balanced or otherwise you still lose the session.
Interesting article on the IIS.net forums about this topic - iis 7 Load balancing
Quote from Bill Staples (who at the time was Product Unit Manager, IIS)
One thing to consider, however, is what to do with any application / session state. Classic ASP stores session state in memory that only one process can access. As soon as you scale the sites onto more than one machine, you can no longer guarantee that each incoming request for a particular user session is landing on the same machine, which means the client may suddenly 'lose state' between requests. This is why we recommend that you not use the built-in session support in ASP for these kinds of scenario. Instead we recommend you use SQL or another database to store this kind of data.
My recommendation would be to store the Session in a database create a cookie on the client machine then use this cookie to identify the session from the database.
Cookies can be changed so I would still recommend you use secure cookies across an SSL secured website, especially if data is of a sensitive nature.
You should create sticky sessions while working with web farms because most likely you have load balanced system which under standard configuration will point traffic to the lowest loaded node. As result your users will loose session from time to time.
Ask your network admin team to look how to create sticky session for your particular load balancers and network configuration, they should know exactly what this means.Here is one of the examples what this is and how to configure it: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_StickySessions.html. But once again it is depend on what you are using.
**** solution with cookies or database entries not the best way to handle this situation because once again depend on your web farm configuration IIS may simple reject any attempt to overwrite session ID which you have stored in database or if security is tight enough even refuse to connect to page while connecting to other node.
My server needs to log-in to another server (for accessing payment API). Result of successful log-in operation is a session token that is valid for 25 minutes.
Where can I store this session token so that it is available across multiple requests and multiple users? (i.e. user session is not an acceptable solution).
I need some sort of an application state or cache storage.
Just to demonstrate the problem - a file could be used to store this value, but I don't want to deal with concurrency, and security implications this solution comes with. I would prefer an in-memory solution.
You could use either the core JSession or JCache framework objects.
http://docs.joomla.org/JFactory/getSession
http://docs.joomla.org/Using_caching_to_speed_up_your_code
http://docs.joomla.org/Cache
I have a web role with co-located cache. there are two instances of this role.
Even when there is a cache-hit, the turn-around time for our request measures to a few seconds. Upon analysis we found that the time taken by cache to get back with data is 1 second on average. However, IIS logs suggest that the overall servicing of the request takes about 4 seconds. there is no intermediate operation before or after data retrieval from cache.
What could be wrong here? What would be a good way to analyse the problem?
For what it's worth we were having a similar problem with caching in Redis in Azure and a RESTful API.
The problem turned out to be the serialization of data.
Some ways to debug the problem:
Download ANTS profile (it has a free trial) and profile your worker role locally.
Enable profiling for your worker role, deploy it, run it for a bit, then download the profile file in Visual Studio. (You can use Server Explorer to find your instance and download the log).
Download the Azure tool kit (http://blogs.msdn.com/b/kwill/archive/2013/08/26/azuretools-the-diagnostic-utility-used-by-the-windows-azure-developer-support-team.aspx) on your instance. It has things like Process Explorer that can tell you how much memory your role is taking, how much CPU, what it's doing on the network etc.
You can contact Azure support and have them help you profile your application. We did that and got absolutely amazing support. They talked with us on the phone for hours and helped us profile our code.
You really should increase the log level for client and server refer In-Role Cache Troubleshooting and Diagnostics (Windows Azure Cache) and take a look at the performance counters. If read operations (GET) is taking long time then there can be paging in one of the instances or may be there is overload on the server. If you see any performance issue on the cache instances then you should take reassess the capacity using Capacity Planning Considerations for In-Role Cache (Windows Azure Cache) .
If this doesn't help then please open a support ticket.