securing an mvc application using subdomains

Question

I have an mvc application that I allow businesses to log in using https://storea.mydomain.com https://storeb.mydomain.com etc etc

Each of the businesses has users created and I have a table that matches business ID to EmployeeId. I am trying to lock the application down so an authenticated user of businessA cant access information from BusinessB.

Where is the best place for me to be checking the user is allowed to access the subdomain? Do I override the OnActionExecuted action checking what the subdomain is then look at a session value to see if they match, if different log them out.

Or this there a more elegant way to do this?

Suggestions and advise on best practices would be great! thank you

Answer 1

A custom Authorize attribute seems a good place to perform this. You could override the AuthorizeCore method where you will have access to the HttpContext and you will be able to perform the custom authorization logic based on the subdomain.

Answer 2

As I understand it, your MVC application uses a single database to store the information for all the businesses you have. This is why you'd be worried about Bussines A accesing Bussines B information.

So for me, your database is the place to check which information can access each user depending on the business they belong to.

I think you don't even need to use subdomains for this.

Answer 3

In cases like these I use the repository pattern and in every query/data access you ensure you pass in a where clause that contains the business id. ex:

select * from orders where orderid=@orderId and companyID=@companyId

It is very important to do this on the query as you want data rules in place to prevent improper querying. Doing this on an Authorize attribute for example doesn't guarantee someone hasn't tampered with data to load another company's information.

In addition I have the http://mvcsecurity.codeplex.com/ extensions to help secure ids stored on pages to help prevent tampering.