Security :: Encrypting Section In Web.config?
May 3, 2010
I am wondering how to encrypt the below information in the "web.config" file of the "Account" folder (where we have the secured pages):
[Code]....
My issue here is that even after I compiled my application (using "aspnet_compiler -v /reports c:
eports"), the information inside the web.config file of the Account folder still not encrypted, and I want to publish my site to the customer server. So, since this server is a customer server, then they can access this "web.config" file and change our web-application security behaviour (correct me if I am wrong). Basically, I don't want the customer to even have access to our secured pages when they access our web-application using the web browser. How to solve this issue?
View 2 Replies
Similar Messages:
Nov 12, 2010
I have written a couple methods that encrypt and decrypt the appSettings section of my web.config file using the WebConfigurationManager. I just hooked up the methods to the page_load event to test that it works, which it does. Now I need to deploy to a web farm and need advice. What is the best way to make it so I can encrypt, but more importantly decrypt the web.config when I need to? I thought about putting a hidden page with "encrypt" and "decrypt" buttons, but that seems risky. What is the "accepted" method for rolling out something like this?
View 1 Replies
Sep 23, 2010
Is aspnet_regiis.exe secure? If i encrypt using aspnet_regiis.exe, will it automatically decrypt the string and wont give any error? Need an insight into this stuff.... Is Rsa the best option or wat? Wat's the best way to encrypt/decrypt programmatically?
View 10 Replies
May 27, 2010
My problem is that I'm going to have a SQL Server database and website that accesses that database via a hosting provider, most likely GoDaddy.com, using ASP.Net. I need to make sure the connection string in the web.config file is as secure as possible, because the database will actually be storing trivia questions for a game I'm developing, and the clients will be accessing these questions, saving specific state related details, and other details, to the database, so every player that plays the game will have their details stored in this database. I need to ensure hacking is very difficult to accomplish.
From my research it appears as though the only viable solution for your web.config when you've got a hosting account with something like GoDaddy.com is to use SQL Server security to connect to your SQL Server database and place those details in the web.config file. Is this correct? It seems that this is the most likely scenario for most users, because we don't have access to our hosting providers IIS servers in order to use Windows authentication with SQL Server access and then use DPAPI encryption from there.
View 2 Replies
Jan 1, 2011
In my web.config file, I have an authorization section that is supposed to deny all users EXCEPT for those included in the group specified. However, my login form doesn't allow these users to proceed to the next page - the login form just reappears as if the user has been denied. Code:
[Code]....
I have a user named 'test' that is in the Student Council group. I've tried 'allow users' and 'allow roles' with no success. I've also confirmed that the user is able to log into any workstation in my domain.
View 20 Replies
Apr 15, 2010
I have a few pages that need to use SSL and I am confused bc I read you should set the forms authentication section in the web.config to use SSL. so if this is the case, the user logs in (login page is using ssl) the forms auth cookie is created and now if i redirect to the non ssl enable home page, does this mean the auth cookie will not be transmitted, so i can't display like a welcome module or know the username of the user who logged in?
View 6 Replies
Aug 11, 2010
I have a custom section in a web application that I am having trouble encrypting. I have written an external .NET program that will encrypt both .NET 1.1 & .NET 2.0 web/app configs.Up until this point in time, I have never had to encrypt any custom sections for either type of application. Anyway, the way I set it up for my web application is I wrote a class library that I import into the web application which allows me to set up and read from the custom section in the web.config. That all works fine... I added the custom section, and the web pages are able to read the values fine.
View 1 Replies
Jul 12, 2013
with this code website works perfect
<configuration>
<system.web>
<httpHandlers>
</httpHandlers>
</system.web>
</configuration>
but when I add
<add path="ThumbHandler.ashx" verb="*" type="Delshad.WebControls.ThumbHandler,Delshad.ThumbPic"/>
or
<add verb="GET" path="CaptchaImage.axd"
type="MSCaptcha.CaptchaImageHandler, MSCaptcha" />
in httphandlers section when I go in my site it is only a blank page!
before In other two host there wasent problem but this is a new host and I face with this problem.also in local there isn't any problem.
View 1 Replies
Aug 17, 2010
I used the article Creating a Flexible Configuration Section Handler to create a Flexible Configuration Section Handler in my application.
I also saw this article entitled Encrypting Custom Configuration Sections on the OdeToCode blog, on how to encrypt portions of a web.config file.
From the first article, we have this web.config code.
[code]...
View 2 Replies
Aug 26, 2010
I am getting the error "An error occurred loading a configuration file: Access to the path is denied."
When I am in VS 2010, I can Encrypt as long as I run as administrator. Code as follows:
[Code]....
My problem is I need to run this in IIS. What is stopping me? It's a permission problem, but what permission. I am running IIS 7.5 on Windows 7. This is happening on my production server as well. Same error.
View 1 Replies
Feb 4, 2011
Any section in my web.config file that I want to encrypt I run this command line util:
aspnet_regiis -pe "anySection" -app "/SampleApplication"
It all works just fine until I try encrypt my connectionStrings sections
I define (and I cannot change this) my connectionStrings section like this:
[code]....
Is there a way of doing this using the aspnet_regiis util? Doing it with code is not an option for me.
Also is there a way to run this untility without specifing the application (-app "/SampleApplication") instead giving the path to the web.config file?
View 2 Replies
Jan 13, 2010
I have many ASP.NET applications running on server and i want to encrypt the web.config file for each.Is there a way I can encrypt all config files using single class/app or do i have to write separate code under each solution/project to encrypt config?I have idea how to do one file in a project usinghttp://davidhayden.com/blog/dave/archive/2005/11/17/2572.aspxBut i want to use a centralized or single app to encrypt all
View 2 Replies
Oct 3, 2010
I'm trying to encrypt a custom section in a web.config file. When I get to the line that calls ProtectSection(), I get an exception saying the provider isn't found.
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection section = config.GetSection("MySection");
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
I tried it with RSA as well and got the same error.
Running aspnet_regiis.exe works, but I need to do this programatically.
View 1 Replies
Sep 23, 2010
If I encrypt something in my config file using aspnet_regiis.exe -pef "appsettings" "path" which i think will use my logged in id's credentials. If i deploy this application on some other machine where some other user id is used to login. Will there be any issues or .......?
View 1 Replies
Jan 5, 2011
share your thoughts if there is any way to encrypt app.config section with out changing code? I know that we can use aspnet_regiis.exe to encrypt the web.config file.
I came across some blogs to rename app.config to web.config and run aspnet_regiis -pef command. I am able to create an encrypted version of app.config file but application failed to read the keys from encrypted app.config. so this approach didnt work for me.
View 1 Replies
Mar 30, 2010
When I try to encrypt the "connectionStrings" section in the web.config file of my asp.net web application on Windows Server 2008, I'm getting the following error:
Administration utility (2.0.50727) to install and uninstall ASP.NET on the local machine. Copyright (c) Microsoft Corporation. All rights reserved. Note: This utility has limited capabilities on the Windows Vista operating system. It is recommended that you use the "Turn on or off Windows features" option of the "Programs" component of Control Panel to install or remove ASP.NET. It is also recommended that you use the IIS Manager component or the Appcmd.exe tool to configure ASP.NET applications.
The above information is followed by the list of valid options to aspnet_regiis.exe.
The command that I've used is:
aspnet_regiis.exe -pef "connectionStrings" "C:Usersuser1DocumentsMywebsite" -prov "DataProtectionConfigurationProvider"
But, the same command is working fine when used on a Windows Server 2003 machine. The problem is occurring only on Windows Server 2008 with IIS7.
View 1 Replies
Mar 31, 2011
I would like to add this section to my machine.config in exactly the same way many articles and microsoft are suggesting:
<configuration>
<system.net>
<connectionManagement>
<add name = [URL]/>
<add name = "*" maxconnection = "2" />
</connectionManagement>
</system.net>
</configuration>
[URL] As soon as I do it though, I get this exception when trying to hit a page hosted on the IIS on the same machine: Parser Error Message: Unrecognized configuration section system.net. Source Error:
Line 9: settings that differ from their defaults.
Line 10: --><configuration>
Line 11: <system.net>
Line 12: <connectionManagement>
Line 13: <add address="*" maxconnection="24" />
Source File: C:WINDOWSMicrosoft.NETFramework64v2.0.50727Configmachine.config Line: 11 Where is the problem and how can I modify the machine.config so that I can finally control the maxconnection value?
View 3 Replies
Jul 10, 2010
how to create and use a custom section in web.config ?
View 3 Replies
Jan 19, 2011
The code I've used to get the HTTP Modules is basically
HttpModulesSection modules = ((SystemWebSectionGroup)config.GetSectionGroup("system.web")).HttpModules;
// Depending on what we need to do...
//modules.Modules.Add(CreateSomeModule());
//modules.Modules.Remove("SomeOtherModule");
This worked fine up until IIS7. The migration command %SystemRoot%system32inetsrvappcmd migrate config "website/" moves the modules into system.webServer, so my code is now updating the wrong section. Is there a built in way to get the proper module section that should be modified? Or do I have to add a check for the Request.ServerVariables["SERVER_SOFTWARE"] and return system.web/system.webServer depending on the string I get back?
View 1 Replies
Nov 18, 2010
I am referencing some classes in my _layout.cshtml file and I have the namespaces in my Views/web.config <pages><namespaces> section and the layout page does not resolve. If I put @using statements in the layout page, it works fine. Shouldn't the layout page respect the web.config section?
View 5 Replies
Dec 14, 2010
I've created a custom config section for my application. For some reason Visual Studio 2010 isn't picking up and of my custom properties. I'm getting warnings similar to this for all the "add" keys: Could not find schema information for the element 'urlFilterSection'
CONFIG FILE:
<configSections>
<section name="urlFilterSection" type="BotFinderApp.Models.UrlFilterSection, BotFinder" />
</configSections>
<urlFilterSection>
<urlFilterCollection>
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
<add url="urlhere.com.au" numberOfIpsToExtract="10" />
</urlFilterCollection>
</urlFilterSection>
UrlFilterSection:
namespace BotFinderApp.Models
{
public class UrlFilterSection : ConfigurationSection
{
public UrlFilterSection()
{
}
[ConfigurationProperty("urlFilterCollection", IsDefaultCollection = false)]
[ConfigurationCollection(typeof(UrlFilterCollection), AddItemName = "add", ClearItemsName = "clear", RemoveItemName = "remove")]
public UrlFilterCollection Urls
{
get
{
var urlsCollection = (UrlFilterCollection)base["urlFilterCollection"];
return urlsCollection;
}
}
}
}
UrlFilterCollection
namespace BotFinderApp.Models
{
public class UrlFilterCollection : ConfigurationElementCollection
{
public UrlFilterCollection()
{
}
protected override ConfigurationElement CreateNewElement()
{
return new UrlFilter();
}
protected override object GetElementKey(ConfigurationElement element)
{
return ((UrlFilter)element).Url;
}
}
}
UrlFilter
namespace BotFinderApp.Models
{
public class UrlFilter : ConfigurationElement
{
public UrlFilter()
{
}
[ConfigurationProperty("url", DefaultValue = "", IsRequired = true)]
public string Url
{
get { return (string)this["url"]; }
set { this["url"] = value; }
}
[ConfigurationProperty("numberOfIpsToExtract", DefaultValue = "0", IsRequired = true)]
public int NumberOfIpsToExtract
{
get { return (int)this["numberOfIpsToExtract"]; }
set { this["numberOfIpsToExtract"] = value; }
}
}
}
View 2 Replies
Feb 12, 2010
I'm getting an ConfigurationErrorsException when trying to load a custom section from my web.config.
I'm trying to register a custom section in web.config to load it later using a "Section Class".
Suppose my section is orderService, and I register it in web.config as shown:
<configuration>
<configSections>
<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
</sectionGroup>
<section name="orderService" type="orderService"/>
</configSections>
<orderService available="true" pollTimeout="00:01:00" location="abc">
</orderService>
<appSettings></appSettings>
<connectionStrings/>
Then I try to load it with:
Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
OrderService custSection = OrderService)config.GetSection("orderService"); <== The exception is thrown here (OrderService is a class that inherits from the class ConfigurationSection, and that defines a property for each orderService property, in this case: available, pollTimeout and location)
The exception says: An error occurred creating the configuration section handler for orderService: Could not load type 'orderService'. (my web.config path line 23) Does anybody know what am I doing wrong here? (I got it from the book APress: Pro ASP.NET 3.5 in C#)
View 2 Replies
Jun 19, 2010
I've been working on implementing a custom section in the web.config file for a little something I'm working for the past few hours, but I can't seem to get it working. The following is what I'd like to use as my XML structure:
[code]....
View 1 Replies
Feb 21, 2010
When executing this line:
Dim roleRedirectSection As LoginRedirectByRoleSection = DirectCast(ConfigurationManager.GetSection("loginRedirectByRole"), LoginRedirectByRoleSection)
...I get the following error:
Message: "An error occurred creating the configuration section handler for loginRedirectByRole: Could not load type 'sitename.LoginRedirectByRoleSection'. (W:Webs2010DEVsitenameASP 4.0web.config line 10)"
<configuration>
<configSections>
<section name="loginRedirectByRole" type="journeyeast.LoginRedirectByRoleSection" allowLocation="true" allowDefinition="Everywhere" />
</configSections>
<loginRedirectByRole>
<roleRedirects>
<add role="Administrator" url="~/Account/Admin/Default.aspx" />
<add role="Employee" url="~/Account/Emp/Default.aspx" />
<add role="Teacher" url="~/Account/Teacher/Default.aspx" />
<add role="Student" url="~/Account/Student/Default.aspx" />
<add role="School" url="~/Account/School/Default.aspx" />
</roleRedirects>
View 1 Replies
Sep 21, 2010
Where do I find the machineKey config section for ASP.NET?
I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.
Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)
Having read this: [URL]
i was expecting to find something like this, somewhere:
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
/>
Edit: the 1.1 docs seem fairly clear wrt default values: [URL] but the 4 docs are rather ambiguous [URL]
View 1 Replies
