Publishing Websites: DLL Vs Code Behind - Which Is More Secure
Nov 16, 2010
I recently came aware of some knowledge I was not aware of before. One of my friends said that publishing a website with the code behind is a security risk. Instead, he insisted I only publish with the DLL's to prevent hackers from altering your code. Is this true? What are the advantages and disadvantages for doing this?
I have two websites one in ASP.Net and other in PHP.I want that if a person logged in on one website then he gets a link for second website. When he/she click on that link his userID is passed to second site. If i am using query string then it is security lack. Can I use web Services for that. How I make web service secure. Is there are other way of doing this.
I got one remote website and two local websites. All the .asp files are the same in 3 websites. In the remote website, there is a file aaa.asp, its url is
http://www.xxx.com/aaa.asp
In the first local website, the url of the same file is http://127.0.0.1/local1/aaa.asp
In the second local website, the url of the same file is http://127.0.0.1/local2/aaa.asp
My question is: In any .asp files (may be in different folders) of any above website, how can I get the url of aaa.asp by use the same code?
I published my website on my local IIS and after a while felt like making some changes in it.
When i opened my website in visual studio i noticed there were no Page Code files (aspx.cs files) and not even my App_Code folder where i wrote custom code files.
I was wondering about the best MVC practices for handling multiple websites from one MVC codebase. The functitonallity will pretty much be the same on all five sites, with most differences coming from styling/branding. Is it possible to dynamically set a Masterpage in MVC ? Should this even be attempted? Can everything get handled cleverly with routing?
I've developing an ASP.NET application that interfaces with Google Maps and retrieves marker information from a database. The marker information is split into tables in the database, where the name of the table reflects a company (e.g. CompanyA_MarkerData, CompanyB_MarkerData etc). In order to periodically update the map with new marker data, I use setTimeout in JavaScript to regularly call my 'UpdateMarkers' JavaScript function. 'UpdateMarkers' makes a call to a web service which performs the database query and returns a list of markers back to the JavaScript, which in turn updates the map.
The main issue I have with this method is that my web service requires that I pass it the name of the company so that it knows which table in the database to access. As you can imagine , this poses a security risk as anyone can pass a different company name to the web service and be able to retrieve the data from other companies, as well as their own.
In order to avoid this problem, I am restructuring my program as follows: When the system administrator creates users for my application, they can also assign a company ID to this user. The company ID is stored using the Profile object in ASP.NET. I am moving the web service code into a class with shared functions so that they can be called only within my pages (but not by anyone, like with web services). The functions will still require a company name passed to be passed to them. However, rather than the JavaScript making direct calls to these shared functions, the JavaScript will call a set of page methods (which as I understand it, are not public like web services). These page methods will then use the Profile object to retrieve the company name attached to the user currently logged in and then make a call to my shared database functions and return the info back to the JavaScript.
I think that this second method is more secure than the first, because I don't allow the client to pass different options to my code and retrieve unauthorized data. The server side code works out the parameters that need to be sent. However, I am wondering if there is a better way of doing this that I am missing out?
I have mulitple websites using the same code but different web.config files. Is there a way where I can achieve not having multiple copies of the same code? so its easy to mantain?
If I deploy my ASP.NET project to a shared server web hosting, then is there a way to secure my source files so that the provider will not be able to access the source?. For example, the provider of my web hosting may download my files and then he will be able to get access to all my source.
'm looking for an ASP .net discussion forum widget:I have read somehwere that the ASP .net forum implementation is avialable, but haven't been able to find it :-(.I have found yet another forum, but is GPL licensed, that means... not usable for a commercial product without publishing the source code.JitBits looks good, di you have any experience with this product?On the other hand my client is VB .net based, all the forums implementations I have found are C# based, will that mean that I have to create a subsite?
Code in DLL can only be obfuscated. IN my DLL how can I import a third party DLL into my DLL? Can I obfuscated the code but not the functions and sub header names?
the account we use to copy/publish websites to our web server is not allowing us access to push websites. I've added this account to the permissions in the links listed in the below link, but i don't have success when trying to push remotely. When the account is in the local admins account, everything works flawlessly, but we are not allowed to have it in there. http://social.msdn.microsoft.com/Forums/en-US/vssetup/thread/31be047e-4716-4974-b8a1-be0111b50199 I've googled and searched a lot for this particular error, but am not finding an answer that helps. We get this error, 'Unable to create the Web 'http://edea01/test/planning'. You are not authorized to perform the current operation', and the above link is the scenario that matches mine the most. I don't do develompment work, but am asked to figure out this connection problem.
I will have my asp.net site on a shared hoster. Whats the best way to prevent others hacking and viewing my code? The code I most want to secure is in usercontrols and some more code is in class modules. vb.net/MSVS2005/Ajax) Or do I secure the whole site? I also here some encypting code tools cant handle sophisticted code. Also does encryption slow down code and make the site harder to manage...
I am developing 2 Applications. One WebForms and the other is MVC. How can i secure the code such that when i deploy them to the clients production environment, they cannot be simply picked up, copied and repackaged by someone else?. I simply need a way to protect my intellectual property. Can this be done in Visual Studio 2010?
My web application will be launched through existing thick client applications. When launched, an HTTP POST request will be generated including information like the userID and additional context information (basically stuff like the target user's name, birthday, etc.).
My plan for authentication is for there to be a look-up table in the database. If the username is already there, automatically login the user, but if there is no entry in the database, redirect the user to an initial login page which will be used to create that database entry.
My question is how to secure this against MITM and other security holes. How can the request generated through the thick client be on an SSL connection? Doesn't an SSL connection have to be authenticated with the username (and password) first? And if so, will the additional context information be publicly exposed until the user is logged in?
I have a browser compatibilty problem with https? I have SSL installed and is in usage. Until today morning, my https part is working well. From then, Https is shown as https(with slashed in red color) saying the page has some insecure content. I have not changed any code and suddenly i see this problem in chrome. In IE 8, i see the same problem but on every page, it shows me a popup if i should allow to opne secure and non secure or just secure. Firefox has no issues . It shows correct https without any problem. I am fed up with it searching all over. Why is this happenening for me in Chrome and IE 8.
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0
I am assuming this can be done because I see lots of websites where login fields are on available on every page and they are running http and I can believe they are not encrypting the login credentials.
I have a GUI when i log in i create a cookie and it encrypt it. I am usin SSL.
I check in the Login.aspx page if the cookie is secure, which it is. but then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..
Now i know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page excet that the secure value is "False".
this is the case for all other pages after default. the value of the cookie.secure is false.
why is this happening as i want all the pages to be secure by SSL.
After logging to the mvc site using a secure connection (https), calling actions using https connection show up with the user logged in but calling actions using http it bahaves as if user didn't log on. Since I need to use a virtual directory for https connections(and can't use that directory for http connection) Https links start with: [URL]
I'm working on a legacy web application - frames and a mixture of html, asp and aspx. The entire site is https. For some strange reason when I hit a specific page I get the magic message that says the Page contains both secure and nonsecure items. (IE obviously doesn't want to tell me what those resources are) I have checked the page that's being loaded and there are absolutely no http://... links - everything is relative links.
I have fired up fiddler and checked what's being requested - everything looks fine. I am completely at wit's end here. I have absolutely no idea why I'm getting this message, but it's completely screwing with the site.
I am developing a web application in which the clients wants to send a pdf copy of aa Authenticated Page to users and as well as to the administrator..
As I google about this problem but didnt find any solution.
Because in all cases I have to pass the url of the secure page to the function...and in runtime when function make a webrequest to the page it will always generate the PDFof the login page.
So is there any way to generate the PDF of a secure page in C# ASP.Net
During development my action link looks like [URL] When published to a sub directory it looks like [URL] Every resolves fine, but id rather not show the structure. What am i not doing, doing wrong ? Can anyone point me in the right direction