Security :: Add An Expiration Token To A Existing Querystring?

Jul 02, 2010 02:50 AM

I don't know if the following is possible or not but in brief, here is what I'm trying to achieve:

1. When a user requests to view a document, they click on a link (could be other) which contains an encrypted query string containing data required to retrieve the relevant document. i.e.[URL]

2. I want to ensure that if after x minutes the user goes back to their history and select the link again or re-type the same url as above that it will not request the document and redirect them to a page letting them know that the requested document "link" is no longer valid.

I don't want to rely on cookies or sessions, so thought that maybe there would be a way to add a datetime token at the end of the existing url but this needs to be done at run-time as the url is already predefined when the link is created, so I'm not sure how can I do this?

ideally, I'd like something like this [URL] where the token would contain the date & time when the link was clicked.

Once re-requested, I would decrypt the token and validate it again the server time and if it was over the x minutes defined, it would redirect me to the "link is no longer valid" page.


Security :: Storing A Token In Browser Or In Querystring?

Feb 17, 2010 01:06 PM

We have developed a system to allow users to access another one of our web applications by placing a token in the db and then when they redirect passing this token in the browser to the new apop and using that as an authenication method. However I am thinking that it might be better to simply place this token in the browser cookie as then the user doesnt have to physically click a link they can simply do straight to it because the token wont be in the query string anymore....

Will it add much of an overhead doing it via cookies are there any disadvantages?

View 4 Replies View Related

Security :: How To Security Token Transfer To J2EE Web Application

Mar 06, 2010 01:52 PM

Here is 2 web applications: 1 is, another is J2EE base webapplication.Both them are using same AD ( e.g. DomainTest ) as authentication source.Question here:1. User log in the application ( form based log in DomainTest, not IE prompt authencation dialog ), on the left navigation ( link to J2EE web application), just click this link, SSO to J2EE application.I think should transfer identity token from to J2EE, but don't know how, and for JSP, how to modify it to use token tranferd from ?

View 3 Replies View Related

Security :: How To Set A Trial Expiration

Aug 12, 2010 09:00 PM

I am not sure if I am asking this question correctly. Sometimes when you don't know enough, you may not know what to ask. I want to set up memberships with an ASP.NET website. The memberships will have a 14 day free trial period. After that, the user will need to pay a fee if they wish to continue to access the website. I am not sure how to accomplish this. After adding a membership database to the website, setting up roles ect., what do I do next? Do I need to make adjustments to the tables of the database, or write some code somewhere in the application? I have never done this exercise before, Logically, I know that I need to implement something that keeps track of expiration date. Also, how do I prevent a user from just making up new user names and credentialing?

View 4 Replies View Related

Security :: Use Token Based Authentication?

Mar 02, 2010 04:31 AM

How to create Uniue Token with properties like expiration time,

Any standars method provided by Microsoft,

View 2 Replies View Related

WIF Security Token Service Not Staying Logged In

Aug 27 10 at 15:43

I'm using the Windows Identity Foundation (WIF) Security Token Service (STS) to handle authentication for my application which is working all well and good. However I can't seem to get any long running login with the STS. From my understanding I shouldn't care about the client tokens at the application level since they can expire all they want to and it should redirect me to the STS and as long as they're still logged in on the STS it should refresh their application token. Yet it doesn't seem to want to keep them signed in.

Here's what occurs in my login.aspx on the STS
var cookie = FormsAuthentication.GetAuthCookie(userName, persistTicket);
if (persistTicket) cookie.Expires = DateTime.Now.AddDays(14);
var returnUrl = Request.QueryString["ReturnUrl"];
Response.Redirect(returnUrl ?? "default.aspx");

Which was taken almost directly from existing application using normal Forms Auth.
From my web.config
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" timeout="2880"
name=".STS" path="/" requireSSL="false" slidingExpiration="true"
defaultUrl="default.aspx" cookieless="UseDeviceProfile"
enableCrossAppRedirects="false" />

Looking at the cookie after I sign in I can see the expires time on the cookie is set for 14 days in the future and that the cookie is NOT a session cookie. When I'm required to log back into the STS I can see that my original cookie is still there. Is there some kind of time stamp functionality that the STS embeds into the cookie that is invalidating my cookie even though as far as I know it should still be valid?

View 2 Replies View Related

Security :: Token Login Don't Keep Session With Two Applications?

Jun 15, 2010 09:44 AM

I've two application ASP.NET (once is Mojo Portal). I can navigate from one to other using an URL token id.

To this way, by token, I create a new session and save the relative auth cookie.

But, sometimes, the asp web application don't keep the session and put me down. When this happen I can't login until the session cookies is not deleted.

Both the two application are behind an reverse proxy.

View 3 Replies View Related

Security :: FormAuthentication Ticket Expiration Check?

Jan 26, 2011 03:36 AM

I have a application where i am using FormAuthentication Ticket when user Sign in....on each page I want to check if FormAuthentication Ticket has expired to do this ?..

View 6 Replies View Related

Security :: Force Password Expiration After Number Of Days?

Aug 23, 2010 11:31 PM

Using C# and sqlmembershipprovider forms authentication, is there a way to force user password to expire and need to be reset after x number of days?

So if a user launches the website login.aspx page, when they type their userid, it will check if the password is expired and direct them to a Resetpassword.aspx page?

View 5 Replies View Related

Cookies - Windows Identity Foundation - How To Get New Security Token

Feb 1 10 at 21:46

I'm writing an application that uses Windows Identity Foundation. My application uses claims-based authentication with passive redirection to a security token service. This means that when a user accesses the application, they are automatically redirected to the Security Token Service where they receive a security token which identifies them to the application.

In, security tokens are stored as cookies.

I want to have something the user can click on in my application that will delete the cookie and redirect them to the Security Token Service to get a new token. In short, make it easy to log out and log in as another user. I try to delete the token-containing cookie in code, but it persists somehow.

How do I remove the token so that the user can log in again and get a new token?

View 2 Replies View Related

Security :: Apply Expiration Date To A Membership On A Pay Site?

Mar 02, 2011 03:19 AM

I am developing a new website that is membership based with yearly subscriptions. Using VS2010/asp.net4/c#. I have my site up to the point where all my content is ready to go and i can add members to the database to access all the premium content.

However, I have no idea how to impliment a start date and expiration date for that membership. I have been following along with Wrox Beginning 4.0 from beginning to end and this isn't covered at all. I also have Apress Pro 4 as well and I cant find anything dealing with that in there either.

What I would love to be able to find is some book or tutorial that i can follow along with and learn from so that this doesn't happen again to me.

In short what I need to do is this.

1. Add new user to defined membership role

2. Apply start/end date to that user

3. When the end date has passed I need to reasign them to a new role and then redirect them to another page with a notification

4. I guess lastly some way to add/manage members as an admin on my deployed site. Durring development i was using the built in Web Site Admin Tool but I just found out that only works on my local machine.

I have a feeling this this will be a very simiple fix but because of my total lack of experience it has been driving me crazy for three days tyring to hunt down info.

View 12 Replies View Related

Security :: Forms Authentication - Users Logged Out Before Cookie Expiration?

Jun 16, 2010 01:53 PM

For some reason my users are logged out of the system every 10-15 minutes or so...regardless of the configuration I missing something?


View 1 Replies View Related

Security - Securing Forms Authentication Token On Client Side?

Jul 16 10 at 15:57

In my website, I am not using any authentication or authorization. I've created login page to capture the user credentials and check against database. If the user successfully authenticates, it's storing the user data in session and navigating to other pages. How thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in client browser for security reasons. Does anyone have any ideas how to secure the authentication token?

View 1 Replies View Related

MVC - Html.BeginForm(). Can Post Back To A Different Route And Keep Existing Querystring Values

Sep 16 10 at 14:06

I have a post-only action that has a different route. In my form, I need to post to it, but also keep the querystring values I currently have.

Initial response: /my/first/path/?val1=hello
Needs to post to: /my/other/path/?val1=hello

It seems when I specify a route, it of course only returns the route and doesn't append the querystring values of my original page (for obvious reasons).Is it possible to cleanly append querystring values to my the action attribute of the form tag?

View 3 Replies View Related

Security :: How To Redirect The User Automatically To Login Page After Session Expiration

Mar 10, 2010 10:15 AM

How i redirect the page to Login page automatically if session Expires .

View 7 Replies View Related

Security :: Automatic Expiration Of Forms Authentication When User Closes The Browser Windows Without Signing

Aug 28, 2010 01:32 PM

can u tell me how to automatically sign out a user if he/she closes the browser window without signing out. I'm using Forms Authentication.

View 1 Replies View Related

Security :: Encrypt Request.querystring And Descrpt Request.querystring

Apr 24, 2010 10:12 AM

Encrypt request.querystring and Descrpt request.querystring

View 1 Replies View Related

Security :: How To Add ApplicationName To Existing Website

Mar 25, 2010 01:10 PM

I have a (internet) web site with the below web.config (everything works fine). How would I alter this to include an applicationName attribute. I wish to eventually have multiple web sites using the same ASPNETDB database.

<?xml version="1.0"?>
<configuration xmlns="">
<add name="LocalSQLServer" connectionString="; Database=MyDB; Uid=MyUser; Pwd=MyPassword; Trusted_Connection=False;" providerName="System.Data.SqlClient"/>
<customErrors mode="Off" defaultRedirect="~/Error.aspx"/>
<roleManager enabled="true"/>
<authentication mode="Forms"/>
<compilation debug="false"/>
<pages theme="Standard"/>

View 6 Replies View Related

Security :: Adding Existing Membership To A Project?

Mar 06, 2010 06:30 PM

I have DB (my.mdf ) with already created membership (aspnet_db tables). There are defined roles and users.

I would like to integrate it in my project.

I dropped *.mdf into App_Data folder. When I open configuration (under menu Project) I can't see neither User nor Roles.

What step am I missing?

View 2 Replies View Related

Security :: Send Existing Password By Mail?

Jun 12, 2010 05:13 PM

Is it possible to send the existing password from a user in stead of a new password ?

For example : Membership.GetUser("USERNAME").password

View 6 Replies View Related

Security :: Migrate Existing Users / Trying To Use GetPassword()?

Dec 09, 2010 07:39 PM

I need to migrate existing users, I will be creating the users account and setting a dummy password for the first time login... My problem is that by doing this they will not have their security question and answer filled in... I am trying to create a page that will force the user to set up their question and answer at first long ... The problem that I am having is when i try to get the password i get the following error..

here is the code that I am using:



View 9 Replies View Related

Security :: Login Facility In Existing Website?

Mar 06, 2010 03:29 AM

I have an existing application that has 50+ html pages and 20+ aspx pages. The website is running smoothly.

Now the client came up with a new requirement, he says he wants a single sign on functionality(login based) in the website.

few htmls to be open for anomymus users few htmls need compulsory login few aspx open for anonymus users few aspx need compulsory login

What will be the simplest ways to do this in the above existing website.

View 3 Replies View Related

Security :: How To Create Roles For The Existing Users In Database

Jun 10, 2010 06:56 PM

I am newbie to want to create roles for the existing users in my database. I dont want to use the membership provider database n roles provided with it.(i don't want to use aspnet.mdf at all)

I am create roles for my existing users n assign i wanted to assign the particular roles to a particular assign.

View 2 Replies View Related

Security :: Adding Membership Tables To Existing Database?

Feb 22, 2011 11:07 PM

I am running windows 7 and NET Framework 4.

Problem is I dont know how to locate the asp.reg.sql tool that will do this using windows 7.

how to do this?

View 1 Replies View Related

Security :: Can Use An Existing SSL Certificate Of Virtual Directory To A Sub-domain

Dec 30, 2009 08:09 PM

can i use an existing SSL certificate of my virtual directory to a sub-domain??I am removing the virtual directory and moving it as a sub-domain... so can i use the SSL certificate which I am using to the new sub-domain

View 1 Replies View Related

Security :: How To Retain Querystring Values In ReturnURL

Oct 21, 2010 06:23 PM

I've got a couple pages in my web app that are used by external applications. They will link to the pages, and pass in various querystring values to allow my app to do the searching and return the results in the page. The problem is, if the user is not yet logged into the web app, they are sent to the login page, and the ReturnURL is truncated to include only the first QueryString value. I lose the rest of the values. So far I haven't figured out a solution to this. Here's a quick example:

The external application links the user to:

If the user is not logged in they are sent to the login page, and the current URL looks like this:


View 4 Replies View Related

Security :: Splitting Querystring And Searching Profile?

Oct 19, 2010 12:43 PM

How would i go about searching for data in the profile system?

I am looking to make a page with a search bar - type in a name, and this goes to searchresults.aspx?id=what you just searched.

How then do I select the Profile.FirstName and Profile.LastName within the profiletable?

Because it is the auto generated profile system, these values are stored withing the Profile table but not as seperate columns..

Also, how do i split up the querystring into a first name and last name to match to the seperate profiles?

View 1 Replies View Related

Security :: Unable To Use Existing Database Users And Roles, In New Web Application?

Jul 13, 2010 12:06 AM

I am creating a Web Application in 2.0 and sql server 2005.I want to use an existing database.

I have created a login and a signup page. Then i replace the new SQL database (the one that is created automaticly by the visual studio) with the exiting database I have.If I create a new user, the new user goes to the database and I can login with the new user. I cannot login with the existing users.If I go to the configuration, I only can see the new users I have created, I cannot see the users that were in the database already and I can't see the roles also.

I can I make the new application to recognize the users and roles of the existing database?

View 9 Replies View Related

Security :: How To Authenticate Users With Existing Login Control Mechanism

Feb 05, 2011 12:19 AM

we have a web site (Web Site 1) which is presently working and authenticates the users using ASP.Net login control.

We have a new site (Web Site 2) which will have a web page with user name and password fields and these values will be posted to Web Site 1. I am trying to authenticate those user credentials on Web Site1 using

Membership.ValidateUser(UserName, Password); method. but i am keep getting "User AuthenticatedObject reference not set to an instance of an object. " exception.

View 4 Replies View Related

Security :: Customizing Membership Providers / Modify The Existing Sp's In Sql08

Jan 12, 2010 04:18 PM

This is the first time i would be using .net membership providers and i need to add some extra columns and chage a couple of existing datatypes of the exising columns.

my Q is:

1)can i do this without having to suffer down the road.

2)can i modify the existing sp's in sql08 or would i need to use additional sp's for the new columns that i add.

View 4 Replies View Related

Security :: Convert Existing User Database From Hashed To Encrypted

Aug 12, 2010 02:30 PM

I've taken over a website which has around 3000 users registered using the standard membership provider on a SQL database. When the website was set up there were a lot of gaps in the system and we have a lot of tidying up to do of users with the same email addresses etc and invalid addresses so i'm just starting to look at how i can wrap all of this up and make administering the user accounts easier.

At the moment the account passwords are stored in "Hashed" format set in the web.config and obviously this doesn't allow for password retrieval. I want to know whether there is a way of converting all of these passwords from a hashed format to an encrypted format thus allowing me to create a password recovery page that doesn't then send the user a new password which is quite often something like "a*ns7#<3lx"

Ideally i'd like to convert all of these if that is possible so that I do a much simpler password retrieval system. If this is not possible can you tell me how i go about setting the passwordreset value not to contain all sorts of non-alpha/numberic characters?

View 10 Replies View Related

Security :: Request QueryString - Change In Id Opens Other Page?

Jan 20, 2010 04:26 AM

I have completd my project, in that project i used Request.QueryString["id"], its working fine, in this project if change the "id" securities pages also opening now what can i do?

View 2 Replies View Related

Security :: Automatically Log Users Into Application With Existing Test Username And Password?

Dec 24, 2009 10:05 PM

At this website when any user clicks on the host logon menu item: i want to create script that would automatically fill in the username: Test, password: champion, and log the user into the test application.

I have tried a link that looks like this [URL]

View 4 Replies View Related

Security :: HttpContext.Session A Potentially Dangerous Request.QueryString Value Was Detected?

Sep 29, 2010 06:58 PM

I have an ashx handler that was working fine in VS2008 but when I upgraded to VS2010 (haven't gone back to VS2008 to double check though) and when I try to grab the value from HttpContext.Request.Params["update"] I get the following error:

+ ex {"A potentially dangerous Request.QueryString value was detected from the client (update="<SETIProducts><Produ...")."}
System.Exception {System.Web.HttpRequestValidationException}

View 3 Replies View Related

Web Forms :: Querystring Value / Imagename In Also Want To Send Span Element's Text With Same Querystring?

Aug 30, 2010 01:05 PM

How can i use querystring for this-

Here in below code i have used querystring for sending imagename from this page to another page. Now i just want that with this imagename in also want to send span element's text with same querystring.How can i achieve this?


View 1 Replies View Related

Web Forms :: Retrieve A Value From The Querystring And List It In Querystring

Nov 24, 2009 12:07 AM

I have a hyperlink in my listview and in there the navigateurl will be


If it is not possible to receive a value from the label, can you just show me how I can request the querystring?

View 2 Replies View Related

Static Var Expiration?

Sep 08, 2009 09:59 AM

I have a class like this:

/// <summary>
/// Summary description for MyBaseC
/// </summary>

When does this Guid expire? Could this code be handy to replace a session var?

View 4 Replies View Related

How To Set Expiration To Image

Mar 03, 2010 01:32 PM

I'm creating image (jpg) at run time in my application (ASP.NET/C# 3.0). I need to delete the created image after 30 mins. So is it possible to set expiration to the image after 30 mins when creating the image like setting expiration to cookies.

View 3 Replies View Related

How To Set Email Expiration

Jul 01, 2010 10:24 AM

I'm programatically sending an email and I want to set it to expire after a certain amount of time. I tried using the following but it doesn't seem to work:

message.Headers.Add("Expires", Now.AddMinutes(2))

I can see the value in the header but the email doesn't actually expire.

View 4 Replies View Related

MVC 2.0 TempData Expiration?

Jul 3 10 at 10:09

What happens in Asp.Net MVC 2.0, when next request does not come ever to retrieve value from TempData. Is it stored permanently or expires?

View 1 Replies View Related

Copyrights 2005-14, All rights reserved