Preventing Cookie Replay Attacks In MVC
		
Jan 22, 2010
This involves using the Membership provider to add a comment to users' server-side records when they log in and out, and then confirming, when a cookie is used to authenticate, that the user hasn't logged out. This makes perfect sense to me. Where this starts to fall apart is that we do not currently use a membership provider, and so it seems like I face reimplementing all our authentication code to use a membership provider. We currently check authentication in a controller, and make a call to FormsAuthentication.SetAuthCookie() once we know the user exists. It would be a lot of work to force a membership provider in.
Is all this work really necessary? Can I roll my own key-value store of cookie values to logged-in users and just make sure I clear this when a user hits the logout button? If this seems unsafe, is there a way of implementing a minimal Membership provider in order to make these checks without handing off all authentication code to it?
I guess my main problem here is that we decided a long time ago that the membership provider model doesn't fit with the model we use for locking and unlocking accounts, and chose not to use it. Now we find that the MS recommendations specifically mention a membership provider, and as this is security I need to be sure that not using it as they recommend isn't going to cause trouble.
	
	View 2 Replies
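The server-side store the post asks about, written out as an added C# example (this is not code from the original post or its replies): each login issues a forms-authentication ticket that carries a random ticket id in its UserData, the id is recorded in an in-process registry, logout removes it, and an [ActiveSessionAuthorize] filter rejects any cookie whose id is no longer registered. It assumes ASP.NET MVC on .NET 3.5 with the standard System.Web.Security APIs, a single web server (the registry is a static dictionary, so a web farm would need a shared store instead) and a 30-minute ticket lifetime; the class and attribute names are invented for the example.

```csharp
// Added example: an in-process registry of issued forms-authentication tickets,
// so a cookie replayed after logout is rejected. Assumptions: ASP.NET MVC on .NET 3.5,
// a single server, and a 30-minute ticket lifetime (TicketLifetime below).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class IssuedTicketRegistry
{
    // Assumed lifetime; a real app would read it from the <forms timeout="..."> setting.
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromMinutes(30);

    // ticket id -> expiry time. Only ids present here are accepted by the filter.
    private static readonly Dictionary<string, DateTime> Active = new Dictionary<string, DateTime>();
    private static readonly object Gate = new object();

    // Replaces FormsAuthentication.SetAuthCookie: the ticket is built here so that a
    // random id can be stored in UserData and registered server side.
    public static void Issue(HttpResponseBase response, string userName, bool persistent)
    {
        string ticketId = NewTicketId();
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(TicketLifetime), persistent, ticketId,
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // keep page script from reading the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // honour requireSSL from web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent) cookie.Expires = ticket.Expiration;

        lock (Gate)
        {
            PruneExpired(now);
            Active[ticketId] = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }

    // Logout: forget the ticket first, then clear the cookie. Even if a copy of the
    // cookie is presented again later, IsActive now returns false for it.
    public static void Revoke(HttpRequestBase request)
    {
        string ticketId = TicketIdFrom(request);
        if (ticketId != null)
        {
            lock (Gate) { Active.Remove(ticketId); }
        }
        FormsAuthentication.SignOut();
    }

    // True only when the cookie decrypts to an unexpired ticket whose id is still held.
    public static bool IsActive(HttpRequestBase request)
    {
        string ticketId = TicketIdFrom(request);
        if (ticketId == null) return false;
        lock (Gate)
        {
            DateTime expires;
            return Active.TryGetValue(ticketId, out expires) && expires > DateTime.Now;
        }
    }

    private static string TicketIdFrom(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.UserData;
        }
        catch (Exception) // tampered, truncated or foreign cookie: treat as not authenticated
        {
            return null;
        }
    }

    // Keeps the dictionary bounded: entries past their expiry can never be accepted anyway.
    private static void PruneExpired(DateTime now)
    {
        var stale = new List<string>();
        foreach (KeyValuePair<string, DateTime> entry in Active)
            if (entry.Value <= now) stale.Add(entry.Key);
        foreach (string id in stale) Active.Remove(id);
    }

    private static string NewTicketId()
    {
        byte[] bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}

// Drop-in replacement for [Authorize]: the built-in identity check runs first, then the
// registry is consulted, so a revoked (logged-out) ticket fails authorization.
public class ActiveSessionAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return base.AuthorizeCore(httpContext) && IssuedTicketRegistry.IsActive(httpContext.Request);
    }
}
```

In the login action, IssuedTicketRegistry.Issue(Response, userName, rememberMe) takes the place of the existing FormsAuthentication.SetAuthCookie() call; the logout action calls IssuedTicketRegistry.Revoke(Request) before redirecting; and [ActiveSessionAuthorize] replaces [Authorize] on protected actions. Because the registry lives in process, an application restart logs everyone out and a web farm needs a shared table keyed the same way; the checks themselves are unchanged. Setting HttpOnly and, under requireSSL, Secure on the cookie covers the other half of the problem, reducing the chance that the ticket is captured in the first place.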
  
    
		
Similar Messages:

May 5, 2010
Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials -- on replay of the entire request (including session and auth cookies) the security tester is able to successfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.
What would a malicious user have to do to intercept the HTTPS request and replay it? Is this a task for script kiddies, well-funded military hacking teams or time-traveling alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire?
No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading an image with a malicious URL isn't an issue.
View 6 Replies

Jan 20, 2011
I have an ASP.NET XML web service (asmx) running on .NET 3.5. I am trying to figure out how best to prevent replay attacks. Is there any inherent security in .NET 3.5 that should mitigate this issue, or do I need some kind of SOAP header token value?
View 1 Replies

Mar 25, 2011
I am using a C#.NET web application. I will not allow replay attacks in my application. How do I prevent the same?
View 3 Replies

Jan 21, 2010
When a user presses Button1 on the webpage, I would like to copy a slightly modified string from txt1 (Text) into txt2 (Text).
The problem is sometimes I get an error "a potentially dangerous request.form value was detected from the client validaterequest". I get this error when special symbols like "<" or ">" are in txt1.Text. I've read about that problem. That error is to prevent hackers who can input scripts into the txt1. All I did is:
1) Put validateRequest="false" into <%@ Page Language="VB" validateRequest="false" at Default.aspx.
2) Default.aspx.vb now contains:
sHTMLEncodedString = Server.HtmlEncode(txt1.Text)
[code]....
Now it works and allows me to take any data from txt1, slightly modify it and put it into txt2. So, my question is: was the level of security reduced after I wrote validateRequest="false"? Should any code be added to keep a good level of security? Or would I be better off using another way to copy txt1 to txt2?
View 7 Replies

Jan 29, 2010
I would now like to check if my code is still open to SQL injection after this work. I believe the code is now working as it should, but any blinding errors that you see I'd love to hear about too. My code is now looking like:
-code removed-
View 5 Replies

Sep 8, 2010
I am busy building a shopping cart with cookies. I have a datalist which I populate from the cookies, with a delete button next to each cookie.
[Code]....
Now the problem is that when I hit the delete / remove button to expire the cookie, what happens when repopulating the datalist is that it shows the original cookie with all its values as well as a new entry where all the values are blank.
View 3 Replies

Jan 23, 2011
Using a LinqDataSource control... in the Selecting event I have code like the following for a simple search feature:
[Code]....
In general, would dynamically building the 'Where' property of a LinqDataSource be vulnerable to SQL injection? Or does the control protect against this internally?
View 6 Replies

May 10, 2010
I want to change the value in a cookie:
HttpCookie hc = new HttpCookie("HiddenColumns");
hc.Value = customView.HiddenFields;
hc.Expires = DateTime.Now.AddDays(365);
Response.SetCookie(hc);
Or this way:
Response.Cookies["HiddenColumns"].Value = customView.HiddenFields;
Response.Cookies["HiddenColumns"].Expires = DateTime.Now.AddDays(365);
But when I retrieve the cookie value, it is still the old one, unless I do a postback. I don't want to use Redirect.
View 2 Replies

Mar 9, 2011
Where does the following HTTP error message come from:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
We're using dynamically generated URLs and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appears instead of '<') but it doesn't. Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange, but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.
View 1 Replies

Jun 8, 2010
I'm trying to use a webservice that first expects the clients to login, to retrieve a cookie to re-use.
This is done through a login(string user, string pass) method on the webservice.
Doing this through a browser works fine, we get a cookie, and we can see the cookie via Fiddler or whatever proxy-sniffing thingy.
Time to do the same in ASP.NET, so we use the WSDL and generate a nice proxy class, and it works fine to call the login() method, but Never Ever does a cookie get set!
I already used the "cookiejar" technique - which means I create an instance of a CookieContainer and assign it to the proxy class like this:
var cookies = new CookieContainer(3);
View 3 Replies

Jun 14, 2010
I am a bit baffled here; using IE7, ASP.NET 2.0 and Cassini (the VS built-in web server; although the same thing seems to be true for "real" applications deployed in IIS) I am looking for the session-id cookie. My test page shows a session id (by printing out Session.SessionId) and Response.Cookies.Keys contains ASP.NET_SessionId. So far so good.
But I cannot find the cookie in IE's cookie store! Nor does "remove all cookies" reset the session (as it does in FF)... So where - I am tempted to write that four-letter word - does IE store that bloody cookie? Or am I missing something? By the way, there is no hidden field with a session id either, as far as I can see. If I check in FF there is a cookie called ASP.NET_SessionId, as I would expect. And as mentioned above, deleting that cookie does start a new session, as I would expect.
View 1 Replies

Aug 17, 2010
I am using Microsoft Visual Web Developer 2010 to build and publish my website, and I am facing a security problem. My website has an authentication service for my clients; each one has his own user name and password. After I introduced a new member, my database collapsed; maybe this last member is a hacker. Is there a way to improve security vulnerabilities to prevent future attacks? Maybe through web.config, which could be encrypted.
View 11 Replies

Nov 24, 2010
I'm using the "cache technique" to prevent multiple logins. Reading in this forum I have read the following code:
Global.asax
[Code]....
Login.aspx
[Code]...
This code works fine. If the user is already logged in, the second login is not permitted. But....
But if I make the logout (destroying all my session variables) and I try to login a second time... it's not possible, I read that the user is already logged in!! I have also tried to clear the cache after the logout but nothing changes, even if it is illogical because the code must work even if I don't do the log off...
View 23 Replies

Jun 28, 2010
I have used AJAX, but I am not very clear on its concepts.
I just know that it prevents full postback.
1) From where can I get a very clear concept of the use and purpose of AJAX and how it is to be used?
2) I have a textbox with an autocomplete extender and a button (button1).
button1 is in the UpdatePanel as I wanted to prevent postback when I click the button; the data from the textbox is inserted in the grid. As the click event gave a full postback I used an UpdatePanel; now it's working fine, but the problem is when I enter new data in the textbox and fetch the details from the database, a full postback occurs. I tried to put the autocomplete textbox in an UpdatePanel but it's giving an error. I need to prevent this postback.
3) On the same button click, at the end of the click process (i.e. after adding to the grid) I need the autocomplete extender textbox to be blank.
I used textbox1.text="" but it's not working.
View 1 Replies

Dec 30, 2010
Is there any way where I can make a page only accessible through a RedirectToAction? It's a bit of a dumb question given a redirect writes a URL.. I know it might sound a bit silly, but I really don't like the fact that I have to be 'forced' to create a partial view to be able to make the page I want to redirect to. What I want to do is quite simple: after deleting a user account, redirect to a page where it says account deleted (with a bunch of other stuff), so it's quite a simple task. I have no problem making a partial view here and there, but if I want to make many pages inaccessible, I think I would have to make most of the website in partial views haha. Maybe I'm getting it wrong though; I've read a couple of posts about it, including Phil Haack's -> http://haacked.com/archive/2009/11/18/aspnetmvc2-render-action.aspx But I'm still very confused about this subject,
View 5 Replies

Mar 16, 2010
How to prevent the new line character at the beginning of the text entered in a multiline text box? Now, I already trimmed the white space at the beginning of the text, but I can't prevent the new line character that occurs by pressing the Enter key at the very beginning of the text box.
View 1 Replies

Jan 28, 2011
I am relatively new to ASP.NET and have searched the Internet to find guidance in preventing caching of web pages (in the latest versions of IE, Firefox, Chrome and Safari). Based on my search, I found a lot of conflicting/confusing info. As best as I can tell, it appears that I need to add the following 3 lines to the <head> section of my .aspx files:
[Code]....
Are the aforementioned lines correct, and are all 3 lines necessary? I have tried using different combinations of the 3 lines, but I get conflicting results (i.e., sometimes the page is cached and sometimes it's not).
View 2 Replies

Feb 22, 2011
I am developing a registration process which consists of 4 steps. Each step has its own action method. As such a user could type the URL for each step as follows: bogusURL/Step1 //returns the View Step1 bogusURL/Step2 //returns the View Step2 etc... I would like to prevent users from gaining access to a step unless they have completed the previous steps, i.e. if they typed in bogusURL/Step2 without having completed Step 1 they should be redirected to the first step.
What is the best way to implement this?
View 2 Replies

Dec 16, 2010
I'm using a file manager-type WebControl that does lots of postbacks. It's placed inside a Page that is relatively complex. I would like to prevent the WebControl from causing the whole Page to go through the lifecycle.
Is there any way to isolate the WebControl from the rest of the Page? The only way I can think of is sticking the WebControl in a separate Page and creating an iframe in the original Page. Unfortunately that also means my WebControl properties/settings are no longer in the original Page. If I want two instances of the WebControl with different settings, then I have to create a Page for each setting and reference the correct one in my iframes. Not quite as "drag & drop" as I would like.
View 2 Replies

Aug 5, 2010
I want to show a confirmation dialog when a specific value is selected in an asp:DropDownList. If the confirmation dialog returns false (cancel) then I want to prevent the AutoPostBack.
<asp:DropDownList id="theDropDownID" runat="server" AutoPostBack="true" onchange="foo()"></asp:DropDownList>
However, it ignores the returned value from foo() and actually does the postback. The generated code of the onchange event is:
foo();
setTimeout("__doPostBack('theDropDownID','')", 0);
So basically, controlling the setTimeout that .NET adds will do the job.
View 2 Replies

Mar 21, 2010
How can I prevent a user from entering the same data twice? I guess I need some validation somewhere? For example: I add the name of a city, and it is added successfully to the table. Try adding it again, click add, and the program crashes. What type of coding do I need for this, some type of compare tool or something for the table?
View 1 Replies

Jun 4, 2010
I've got an ASP.NET web application, and I'm attempting to reduce HTTP calls to the server, so I'd like to not load things like MicrosoftAjaxWebForms.debug.js and MicrosoftAjax.debug.js.
ScriptManager is used to combine all of my external JavaScript files into one, and I'm concerned that this is causing other non-related libraries to be loaded.
View 2 Replies

May 13, 2010
I have a master template that all the pages on my site use. In the template there is an empty panel. In the code-behind for the page an ImageButton is created in the panel dynamically in my Page_Load section (makes a call to the DB to determine which button should appear via my controller). On some pages that use this template and have forms on them, pressing the Enter key fires the click event on this ImageButton rather than the submit button in the form. Is there a simple way to prevent the ImageButton click event from firing unless it's clicked by the mouse? I'm thinking a JavaScript method is a hack, especially since the button doesn't even exist in the master template until the button is dynamically created on Page_Load (this is ugly since I can't simply do <% =btnName.ClientId %> to refer to the button's name in my aspx page). I tried setting a super-high tabindex for the image button and that did nothing. Also set the button to be the DefaultButton in its panel on the master template but that did not work either. Moreover, I don't want to add a property to all of my pages that use this template (there are hundreds). It would be optimal to find a solution that works globally from my master template.
I'll try to show our example here: We have a button on the top of each page in our system that lets you star the page as one of your favorites, sort of a server-side bookmark system. When the page loads it looks to see if the page is one of your favorites or not and then shows a gold star if it is, and a gray star if it is not. Clicking the ImageButton of a star toggles the page favorite status. In my master template (FullMenu.master) I have this panel:
<asp:Panel runat="server" ID="pnlFavorite" style="display:inline;"></asp:Panel>
Next there is a class which creates the button and adds it to the panel on the master template:
public void InsertStarButton()
{
    CreateStarButton();
    [code]....
View 2 Replies

Oct 4, 2012
I have this simple code:
<asp:Label ID="litInfo" runat="server" meta:resourceKey="litInfo" />
<br />
<asp:TextBox ID="txtEmail" runat="server" /><br />
[Code].....
I am expecting the RequiredFieldValidator control to prevent a postback when the textbox is filled in with incorrect data and the button pressed. What happens is that the validator displays an error message but a postback is fired.
View 1 Replies