.net - DB Password Would Be "exposed" To The Hosted SVN Provider?
Feb 10, 2011
I'm considering a hosted SVN solution, preferably with Trac, but I have a major concern in doing so: Connectionstrings.I mainly work on websites, so all of them have connectionstring in web.config, which means my DB password would be "exposed" to the hosted SVN provider.
What have you guys done/thought about this "security hole" when you choose to use a hosted SVN provider ?I'm looking for either a way to avoid the connectionstring from being read by the provider, or just some clever insight into why I shouldn't worry :-D
EDIT: To clarify the sites are indeed ASP.Net based.
EDIT #2: Would it perhaps be safer to simply buy a hosted server, and install SVN, Trac and so forth on it myself ? (Like http://www.slicehost.com/)
Does anyone has a solution (sample code) for the following features:
Create a randomGuid/Cryptographically strong random number Send a unique URL containing the random number to the user's email address When confirmed, the user is asked to change password
My provider is currently parametrized this way:
[code]....
The security issues with this type of procedure have been discussed here before.
I had been trying to solve this but there is a hidden key i wish someone point me to.
I had a simple membership database with users in first the Membership Provider configured for clear password to retrieve the original password .
Now a new requirement say that the password must be hashed and reset .
I configure the Membership password to hash , and Implemented the Reset Password Module.
My problem is as follow.
If the user is new registered user with the new configuration the password and the security answer is hashed.
also when I go and reset the password it continue to be hashed.
Now I thought that with new configuration if any previous user with clear text configuration , If he use the password Reset module , because my configuration now is hashed , I expected that the new password and security answer will be hashed . what happen is old user continue in clear text even if the configuration is hashed. so If I had new users everything is fine.
old users Membership Provider somehow know they had been stored in clear text and it keep change password and security answer in clear text . If I delete this user and create it , Membership Provider understand that everything will be hashed. I need to know how it know this , I need to migrate users not to delete and recreate users .
Also if there are no solution for that , I wish Microsoft Consider it in future cause it is a real user scenario, that can happen imagine a business system that related to membership user Id , deleting users and recreate them is not a solution .
Can I use the membership provider api on a hosted service? I can create mssql databases but have no control over iis. Will I be able to use the membership admin webpage on the hosted service?
Am I correct in stating that the api uses ASPNETDB.MDF in the app_data folder as it's database?
We have developed a website in asp.net using windows authentication and deployed it on the intranet (IIS v6.0). Most of the times, when users try to access this website they are taken straight to the website, but occasionally some users get a prompt to enter their windows username and password. I understand that this could be caused because of several reasons like:
Cached active directory password. Recently active directory password changed. Active directory account locked out. I want to fix this issue for good because it is annoying the users.
Do I need to make a Custom Membership Provider or is there another way?
I have a project using ASP.NET Forms Authentication and the Microsoft SQL Membership Provider. The website is DONE. I use this provider everywhere. (Register, Login, Forgot Password, etc...) Until now, my website users have not needed complex passwords. The users' passwords were really just pins. The user could select anything for a password in the past. I had almost no restrictions for this website because none of the data is private or personal. However I have received new requirements.
Here are the new password requirements:
Passwords must be at least 8 characters in length. Passwords must be created using 3 of the following 4 character types:
Uppercase Lowercase Numeric Punctuation
Do not use your name or User ID in the password. Do not use old passwords again later. Passwords must be changed at least every 60 days. Passwords may not contain your User ID or any part of your full name. Password history retention will prohibit use of the last 24 passwords. Passwords may be changed by users only once in any 6-day period.
I realize I am going to have to modify all of the following pages: Register, Login, Forgot Password, etc... fortunately I stopped using the default controls a long time ago.
My first thought was that I need to write a Custom Membership Provider. I don't know how to make the standard provider to do most of this. I could write code to do.
Do I modify the aspnet_membership table? Should I add my own table aspnet_something? Can the user profile table be used for this problem? Do I need my own MembershipUser class?
I'm looking for guidence on writing a custom password reset UI, but it must fit the Provider 'Pattern', or degrade silently to built-in defaults. E.g. my Reset Control must collect extra information, and perform differently to the standard Password Recovery Control. It must close as possible use the standard MembershipProvider interface for standard functions, and only use an extended interface for the non-standard stuff.I'd like some reading on issues such as, what must I ask the Membership Provider for, and what must I do myself. What must I tell the provider (service?) about what I do?
I am using Membership provider.. I integrated the aspnet member tables into my database.
I need the user to enter password on a data entry form and validate it against the membership tables.
How can I do this. This is the set up. I have few fields and user enters those fields and also enters the password, and submits the form. It is kind of like signature... i am looking for something like..
I am using a custom membership provider with a custom ValidateUser method. The ValidateUser sends and additional parameter to authenticate my users (Username, Password, and Dealer). I created a custom stored procedure for ValidateUser to call. I copied over all my users from another table and encrypted all the passwords in the aspnet_membership table using the code below. My question is, how do I take the password the user enters in the login form and validate that against what is in my aspnet_membership Here is the code I used to encrypt the passwords (not even sure this was the right way to encrypt. Please tell me if I did this wrong):
public static string EncodePasswordNow(string originalPassword) { Byte[] originalBytes;
I'm using a website as a frontend and all users are authenticated with the standard ASP.NET Membership-Provider. Passwords are saved "hashed" within a SQL-Database.Now I want to write a desktop-client with administrative functions. Among other things there should be a method to reset a users password. I can access the database with the saved membership-data, but how can I manually create the password-salt and -hash? Using the System.Web.Membership Namespace seems to be inappropriate so I need to know how to create the salt and hash of the new password manually.
I use access membership prvider and it works. but I am unable to recover passwork. It says that "" membership provider doesn't support to get and zero password." It gives me the error in turkish and I translated it. Something like that. I am using the below code;
I have an ASP.Net site using Forms authentication. One of the aspx pages loads a WinForms user control hosted in IE. That control must connect with a WCF service located in the same ASP.Net web site.How can I make the WCF service secure? Currently I have set the WCF service to use AspNetCompatibilityRequirements mode but the user control hosted in IE can't connect to the WCF service as it isn't logged in.
I have a membership provider in my web.config with the passwordStrengthRegularExpression attribute set. I dropped an asp:CreateUserWizard in a page and tried to create a user with a weak password (ie didn't match the regex in the web.config). The validation fails and displays the message
The message corresponds to the default password strength requirement. I know it's using the value I have set in the web.config to validate against but how do I change/set/override the error message that gets displayed when the validation fails?
I have to maintain an ASP.net application in VB.Net. There is a page with a FormView bound to a ObjectDataSource. I have to add some business logic on the ItemUpdating event of this FormView. Unfortunately, some the data that I need to add this business logic is not exposed on the FormView user-interface itself, so I can not use FindControl to get the values (I could add the controls, bind them to the fields I need and set their visible property to true, but that's ugly).
So, what I would need to do is to get access to the Data Row corresponding to the currently selected item in the FormView from the code behind as it has the data I need to add my business logic code. Unfortunately, I don't manage to get access to the row.
I am trying to use some page methods on an aspx page. I've done this several times before in other asp.net applications and never had issues until now. I believe that maybe the issue has something to do with the methods be exposed to POST but I'm not entirely sure. Everything on the page loads correctly then once it attempts to make an ajax call rather than hitting the "test" function, the page tries to reload and the page_load method is called again. I chacked the URL string on both cases when page_load is called and both are correct. I am suspicous that there is some need to do with the web.config but I'm not sure what. The application is close to 10 years old and has been grandfathered up all the way to ASP.net 3.5. On another note, I can hit asmx functions perfectly fine its only page methods that seem not to work.
Imports System.Web.Script.Services Imports System.Web.Services Partial Public Class CustomDataFilter[code].....
I found a write-up somewhere about the multi-handle slider control and in the post there were the following javascript lines:
slider.add_value(value); slider.add_drag(value);
Slider, in this case, is my slider control... but how did the person know these two methods exists? Is there an API guide somewhere for the Ajax Control Toolkit?
I couldn't think of a decent title, so let me first apologize for that. I have a WebService (call it A) written for my app so I can take advantage of ASP.NET 3.5 AJAX features. I use the generated JavaScript proxy to make AJAX calls.As a side effect, WebService A is exposed for anyone to add as a reference to another project, which is great, except I don't want certain WebMethods to be available to external applications (in the same domain, BTW).So I've got two questions:Is there a way to control the exposure of WebMethods in WebService A?
If there isn't, I'm thinking I'll just add a separate WebService (B) that exposes the WebMethods I need from WebService A. But then,How can I prevent other applications from referencing WebService A while still allowing the application it originates in to access it?If that's not possible, I'm not really worried about it. The apps are all intranet-only, I just don't want the WebServices to be abused.Also, there is a similar question here already without any good anwers. The asker describes almost the same situation I'm in: [URL]
I have created a webservice which is publicly exposed. This publicly created webservice can be consumed in the application But my requirement is I have to create a webservice to expose the schema and cannot be consumed directly.How to consume the web service which is not exposed directly.
I have watched the how to video on Creating a Custom Membership provider. So far it works great. My login control interacts well with it etc. Now i've created a Custom Role Provider. I've created a class that inherits the RoleProvider base class and i've added code to each Sub. My question is, what is the best way to implement the role provider, considering I get the Roles etc from the database?
