Security :: Hashing Web.config Credentials / Connection Strings
		
			Jun 23, 2010
				I want to apply some better security measures to an existing web application. Currently, my connection string contains the user name and password in plain text. I'm also using a custom membership provider, which stores user names and passwords in the web.config file as plain text [URL] I would like to secure this information using an algorithm such as SHA1.
	
	View 1 Replies
  
    
		
Similar Messages:
	
    	
    	
        Aug 3, 2010
        I have heard that saving connection strings and stored procedure names in the web.config file of our application is not safe. It is a good practice to store the connection string in a config file rather than as a hard coded string in our code, and if we need to change it, then it makes our job easier. How do we protect our code in web.config?
	View 4 Replies
   
  
    
	
    	
    	
        Dec 20, 2010
        I'm trying to encrypt the connection strings in my web.config. I'm following:
http://msdn.microsoft.com/en-us/library/2w117ede.aspx
however when I get to the part with the command:
aspnet_regiis -pe "connectionStrings" -app "/MyApplication" -prov "MyProvider"
it keeps complaining:
"The configuration for the virtual path '/MyApplication' and site 'Default Web Site' cannot be opened
Failed to map the path '/myapplication'
Failed!
I'm fairly sure I've followed the instructions correctly. I created the project named 'MyApplication' directly in the 'C:' root.
Perhaps I should be following a different set of instructions?
	View 3 Replies
   
  
    
	
    	
    	
        Nov 19, 2010
        How Can We Have two Connection Strings In Web.Config And Switch Between Them In Code Behind? When I add two connection strings in web.config, an error appears that tells us you can't add two connection strings in web.config. I want to do the above because I have 2 databases and I want to transfer data from one to the other.
	View 4 Replies
   
  
    
	
    	
    	
        Sep 29, 2010
        I have an ASP.NET project which is pretty n-tier, by namespace, but I need to separate into three projects:  Data Layer, Middle Tier and Front End.
I am doing this because... 
A) It seems the right thing to do, and
B) I am having all sorts of problems running unit tests for ASP.NET hosted assemblies.
Anyway, my question is, where do you keep your config info?
Right now, for example, my middle tier classes (which use Linq to SQL) automatically pull their connection string information from the web.config when instantiating a new data context.
If my data layer is in another project can/should it be using the web.config for configuration info?
If so, how will a unit test (typically in a separate assembly) provide such configuration info?
	View 3 Replies
   
  
    
	
    	
    	
        May 21, 2010
        I have two connection strings (both in Web.Config: CS_Local and CS_Production) for my DBML (Linq to SQL). In my Global.Asax/Application_Start I run some production preparation methods if the request is non-local (!HttpContext.Current.Request.IsLocal). Within that part, I'd also like to change the current connection string used by my DBML from the standard CS_Local to CS_Production.
	View 1 Replies
   
  
    
	
    	
    	
        Jan 12, 2010
        Is it possible to add two connection strings in web.config, and can I call those two web.config in my aspx.cs file?
	View 3 Replies
   
  
    
	
    	
    	
        Apr 15, 2010
        I have seen the examples on how to switch between connection strings for development and production environments. My web.config also calls out a connection string for <roleManager and membership><providers>. Can this be set up to switch between the two connection strings?
	View 1 Replies
   
  
    
	
    	
    	
        Jan 21, 2011
        I would like to use both of the connection strings in the same web.config file. How can I do this? I tried this yesterday, it worked, and I called it a night; then this morning I got this. The error being on line: 10 Parser Error Message: The entry 'ApplicationServices' has already been added.
Line 8:      <add name="ApplicationServices"
Line 9:           connectionString="Data Source=Mysource;Initial Catalog=travelatlantic;User ID=MyID; Password=MyPassword;" />
Line 10:     <add name="ApplicationServices" 
Line 11:          connectionString="Data Source=MySource;Initial Catalog=travelatlantic2;User ID=Myid; Password=MyPassword;" />
Line 12:   </connectionStrings> 
	View 8 Replies
   
  
    
	
    	
    	
        Apr 4, 2010
        I am helping a club create a site that has a password protected "members only area". I have never done anything password protected. I used VWD and created the user names and passwords. Apparently using the AspNetSqlProvider. The site and password protected area work great when tested locally. The problem is when the site is uploaded to the hosting company, the login area will not work. I found that I had to create an SQL database in the appropriate area of the hosting company. The login still won't work. I am thinking that I have to create a connection string in the web config file. The problem is - when I tried that the site wouldn't work when I tested it locally. I really need lots of help with this part.
	View 5 Replies
   
  
    
	
    	
    	
        Feb 1, 2011
        I'm working on an ASP.NET project for the first time in about three years; in the meantime I've been working with Python/Django, PHP and Obj-C. Anyways, picked it right back up... except something that is totally killing me right now, and I have a feeling it must be staring me in the face:
I'm trying to bind to an LDAP server, for the purpose of authenticating users. The way it works here is, you bind on your own credentials, use that to find the Distinguished Name of the user you're authenticating, then you bind again on their DN and their password. If the bind is successful, the password was correct and the user can be authenticated.
Here's the problem - the first bind (on the fixed credentials, the ones with the ability to search for users and their subtrees) works fine. The search works fine. The second bind fails, no matter what, with the LDAP error INVALID_CREDENTIALS. This happens even when completely valid credentials are supplied.
Here's the code, with the usernames and passwords redacted, of course...
[Code]....
	View 1 Replies
   
  
    
	
    	
    	
        Jul 4, 2013
        In my application there are 4 connection strings. Of those, I want one connection string to be the default connection string. How do I do this?
	View 1 Replies
   
  
    
	
    	
    	
        Mar 4, 2010
        MembershipUser newUser = Membership.CreateUser(UsernameTextbox.Text, PasswordTextbox.Text);
In web.config I have a connection string, but I would like to use MembershipUser on a different connection string.
	View 1 Replies
   
  
    
	
    	
    	
        Jul 16, 2010
        My boss does like storing the connection string and credentials in the web.config - even when it's encrypted.
He also doesn't want the IIS box and SQL box to both be in the same domain, or have trusted domains.
Is there a more secure method of connecting to SQL? Is there some kind of token login?
	View 3 Replies
   
  
    
	
    	
    	
        Feb 16, 2010
        I have been searching the internet in order to secure my connection string in the web.config file and to set the Login controls' connection strings at runtime.
Everything about encrypting connection strings works fine on the local machine. I can do it programmatically and with aspnet_regiis.exe.
My questions are: How can I set the connection string to any login control in runtime? How can I encrypt my connection string on my shared hosting? How can I use aspnet_regiis.exe to encrypt my config file on shared hosting? How to define the commands? If I can find a solution to my 1st question, 2nd doesn't matter anymore.
	View 4 Replies
   
  
    
	
    	
    	
        Sep 23, 2010
        Is aspnet_regiis.exe secure? If I encrypt using aspnet_regiis.exe, will it automatically decrypt the string and won't give any error? Need an insight into this stuff.... Is RSA the best option or what? What's the best way to encrypt/decrypt programmatically?
	View 10 Replies
   
  
    
	
    	
    	
        Jun 1, 2010
        I have looked for ideas on this and read several posts but none of them seems to be because the problem is that web.com (my host) doesn't allow us to update web.config on their server programmatically. I can use example codes and encrypt them on my local PC, but here's the error I get when I run them on the live site:
An error occurred loading a configuration file: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. (machine.config)
	View 2 Replies
   
  
    
	
    	
    	
        May 27, 2010
        My problem is that I'm going to have a SQL Server database and website that accesses that database via a hosting provider, most likely GoDaddy.com, using ASP.Net.  I need to make sure the connection string in the web.config file is as secure as possible, because the database will actually be storing trivia questions for a game I'm developing, and the clients will be accessing these questions, saving specific state related details, and other details, to the database, so every player that plays the game will have their details stored in this database.  I need to ensure hacking is very difficult to accomplish.
From my research it appears as though the only viable solution for your web.config when you've got a hosting account with something like GoDaddy.com is to use SQL Server security to connect to your SQL Server database and place those details in the web.config file. Is this correct? It seems that this is the most likely scenario for most users, because we don't have access to our hosting provider's IIS servers in order to use Windows authentication with SQL Server access and then use DPAPI encryption from there.
	View 2 Replies
   
  
    
	
    	
    	
        Feb 7, 2010
        I'm just wondering if the built-in hashing in the ASP.Net membership is good password security, or if there is more that I should do to protect my passwords? If so, what should I look into for a higher level of security?
	View 2 Replies
   
  
    
	
    	
    	
        Jan 5, 2010
        I am planning to write a custom 'password reset control' that allows an Administrator to reset the user's password, while using the ASP.NET built-in 'login' and 'create new user' controls.  For this reason, I will need the hashing algorithm (hopefully I can call some .NET class and method) to perform this.
	View 1 Replies
   
  
    
	
    	
    	
        Aug 31, 2010
        I am using ASP.NET 3.5 and SQL Server 2005. Currently, while creating users, the password will be stored in the database using the SHA256 algorithm. And at login time the entered password will be hashed with a salt, and only this salted password is transmitted through the network (javascript). This is for increasing security without using an SSL connection. I am planning to use ASP.NET 3.5 login controls. How can I use client side hashing (SHA256 salted hashing) along with ASP.NET Login Controls? And also each login attempt should be logged, in a separate database table with IP address, user agent and so on.
	View 3 Replies
   
  
    
	
    	
    	
        Feb 8, 2010
        Before I continue I'm going to let everybody know that I am not trying to follow a traditional .Net Membership Provider. I'm attempting to write my own Membership Provider which does not extend the default .Net Membership Provider b/c I feel that in areas it can become extremely cumbersome. Please keep this in mind before responding. Also keep in mind that I am trying to learn from this experience, not find an easy solution for some client's application. I am writing a custom membership provider that has password formatting functionality similar to .Net's default membership provider. I'm looking for some good/easy examples of ways to encrypt/decrypt or hash password values. I previously tried going the RSA route, but got stuck when I had to import an RSAParameter and was unsure of how to generate an RSAParameter.
I would like to have both Hashing and Encryption available, but only need Encryption. I'm also looking for a very strong encryption. I'm storing the password format in an external .xml file (similar to how the web.config stores the password format for .Net's Membership Provider) which will become manageable from the administrative side of my web application. If anybody knows of any existing Encryption libraries that may provide assistance, please feel free to post links. I only ask that they be open source solutions so I can see how they went about doing this.
	View 4 Replies
   
  
    
	
    	
    	
        May 31, 2010
        What is the best practice for encrypting the connectionStrings section in the web.config file when using LINQ TO SQL?
	View 2 Replies
   
  
    
	
    	
    	
        Dec 25, 2010
        I want to define the connection string in the web.config and then use it for the DataContext ConnectionString. I do this: 1. I create a class in App_Code (MisaghDB is my database):
using System.Configuration;

partial class MisaghDataContext
{
    // OnCreated() is called at the end of every generated constructor.
    partial void OnCreated()
    {
        this.Connection.ConnectionString =
            ConfigurationManager.ConnectionStrings["MisaghDBConnectionString"].ConnectionString;
    }
}
// or
public partial class MisaghDataContext
{
    // Passes the web.config connection string to the DataContext base constructor.
    public MisaghDataContext() : base(ConfigurationManager.ConnectionStrings["MisaghDBConnectionString"].ConnectionString)
    {
        OnCreated();
    }
}
2. Add the connection string to my web.config file:
<configuration>
    <connectionStrings>
        <add name="MisaghDBConnectionString" connectionString="Data Source=NAZLIN-HP;Initial Catalog=MisaghDB;Integrated Security=True"
             providerName="System.Data.SqlClient" />
    </connectionStrings>
</configuration>
3. Right click on the DBML file design surface and choose Properties. Select "none" for the Connection property. Now should I change the DBML file designer.cs (Misagh.designer.cs)? What code should I delete in this file (DBML file designer.cs)? This is a part of my DBML file designer.cs:
[global::System.Data.Linq.Mapping.DatabaseAttribute(Name="MisaghDB")]
public partial class MisaghDataContext : System.Data.Linq.DataContext
{
    private static System.Data.Linq.Mapping.MappingSource mappingSource = new AttributeMappingSource();
    public NorthwindDataContext() :
        base(global::WindowsFormsApplication2.Properties.Settings.Default.NorthwindConnectionString, mappingSource)
    {
        OnCreated();
    }
    public NorthwindDataContext(string connection) :
        base(connection, mappingSource)
    {
        OnCreated();
    }
    public NorthwindDataContext(System.Data.IDbConnection connection) :
        base(connection, mappingSource)
    {
        OnCreated();
    }
    public NorthwindDataContext(string connection, System.Data.Linq.Mapping.MappingSource mappingSource) :
        base(connection, mappingSource)
    {
        OnCreated();
    }
    public NorthwindDataContext(System.Data.IDbConnection connection, System.Data.Linq.Mapping.MappingSource mappingSource) :
        base(connection, mappingSource)
    {
        OnCreated();
    }
............}
	View 4 Replies
   
  
    
	
    	
    	
        Sep 20, 2010
        I have a C# web service where I need to access a MS SQL DB. I see a way of creating a connection string in IIS and using it in the web application when connecting to the DB. In IIS, in Connection Strings, you specify the name of the connection, server, user and pwd. How can I use the name of the connection string created in IIS in my C# app? I am currently using
CustomerInfo customerinfo = new CustomerInfo();
// to return
using (SqlConnection connection = new SqlConnection("server=servername; initial Catalog=eostartest; Integrated Security=SSPI"))
{...
But I would like to use the name of the connection string created in IIS Connection Strings manager. Do I have to add something in the web.config as well?
	View 2 Replies