So if i encrypt connectionstrings and sections, how will i get their values inside my code?I don't want to decrypt the web.config, i just want to read the encrypted values.There must be a class.Maybe something from ConfigurationManager?I don't suppose it's automatically decrypted?
View 4 RepliesHow to run asp.net application with encrypted web.config ,is it possible note that ASP.NET application have a database with encrypted connectionstring and a "cannot read connection string " message is generated
View 2 Replies<sessionState timeout="1440"></sessionState>
how can i read value of timeout from web.config to c# code
My aim is to make the web.config not readable by external users, but my application should be able to access it. Is there any way to do this?
I have tried the following way, but how to set the application to use string instead of web.config?
I want to encrypt my web.config file so that others do not open the file using any editor like notepad. But my application should be able to use the same web.config file. I could encrypt the web.config file and decrypt it inside the application and I saved the entire web.config to a string file. Now I want to use this string variable instead of web.config(now in encrypted form, which cannot be accessed by the application).
How can i read multiple textbox values inside gridview? as well as getting the specified row id?
View 3 Repliesi don't know how to use a Encrypted ConnectionString with RoleManager in ASP.NET This is code in Web.config.
<connectionStrings>
<add name="strConnectionString" connectionString="eF8w9r2UJOsk0Ps3pxmV7/Fy/xPR2hN2S7BrC1iOYNnAUaI8AqkSm5bw7r+ta4sePWSV9t/3Spnpz6wsFpvMmcppNpqM5Zk7iiDqWVgIV4k="/>
</connectionStrings>
<roleManager enabled="true" defaultProvider="CustomizedRoleProvider">
[Code] ....
And in project I create a library to read web config
private const string ConnectionStringKey = "strConnectionString";
private readonly string SQLConnectionString =
Security.DecryptString(ConfigurationManager.ConnectionStrings[ConnectionStringKey].ConnectionString);
if I change my ConnectionString like this, it's working:
<add name="strConnectionString" connectionString="server=My-PCMSSQL2008; database=MyDB; uid=sa; pwd=passw0rd;"/>
But I want my ConnectionString Encrypted so i use
<add name="strConnectionString" connectionString="eF8w9r2UJOsk0Ps3pxmV7/Fy/xPR2hN2S7BrC1iOYNnAUaI8AqkSm5bw7r+ta4sePWSV9t/3Spnpz6wsFpvMmcppNpqM5Zk7iiDqWVgIV4k="/>
So when i running website it throw error:
System.ArgumentException:Keyword not supported: 'eF8w9r2UJOsk0Ps3pxmV7/Fy/xPR2hN2S7BrC1iOYNnAUaI8AqkSm5bw7r+ta4sePWSV9t/3Spnpz6wsFpvMmcppNpqM5Zk7iiDqWVgIV4k='.
Line 46: string[] roleNames;
Line 47: roleNames = Roles.GetAllRoles();
I have a encrpted web.config file. How to decrypt this file. Because I need to update connection string information in that file. So i need to decrypt the existing encrypted config and update the connection string then again I have to encrypt.Did not work below command. getting error(Decrypting configuration section...Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error mess
age from the provider: Bad Data.)
aspnet_regiis -pdf "connectionStrings" <physical path of the we b.config file in server>
How to programmatically write an encrypted connectionString to a Web.Config file?
View 5 RepliesI encrypted my web.config file and I copied this file to the production server. But I get an error. But without encrypting - it's ok. I used:
C:WindowsMicrosoft.NETFramework64v4.0.30319aspnet_regiis -pef "appSettings" "C:inetpubwwwrootSite1" -prov RsaProtectedConfigurationProvider
I don't have access to IIS. Is it possible to encrypt config file and everything works?
I encrypted my connectionstring and store at web.config file. Then I bind Gridview with sqldatasource control, cannot bind because of sqldatasource don't know the(encrypted) connectionstring.
View 5 RepliesI created a custom membership provider in my ASP.NET 4.0 web site, stored in App_Code, and referenced in my web.config.
However, it doesn't appear to be pulling values out of web.config during initialization.
The code was taken from [URL] , and the only modifications were changing "connectionStringName" here to the name of my connection string:
[Code]....
The connection string always comes back as nothing in this line:
[Code]....
No matter what I change the password format to in web.config, the default value here is always used:
[Code]....
So to me it's pretty clear it's not pulling out values for some reason. Here is the reference to the membership provider in web.config.
[Code]....
I am having two reports Report1 and Report2. From Report1 i have to call report2 while clicking link.
I have acheived this by using Jump to report and also i have passed some parameters to report2.
Using report viewer i am viewing this report1. In link field right click properties i am getting report2 url. In new browser if paste the report 2 url with paramters values URL report is coming and also it allows to change report parametes in address bar.
Is it possible to excrypt parameters values while calling report2
eg URL
http://myserver/reports/Pages/ReportViewer.aspx?/FEPSReports/RPT_ViewTransaction&AccessEmployeeID=MUTHU&FilterEmployeeID=*&ShowABC=False&ConvertToUSD=False&FromDate=01/01/2009&ThruDate=12/30/2009&Level=4&HDL=1&TopLevel=2&FilterCompanyCode=*&FilterDivision=*&FilterSBUID=*&FilterSBUName=*&FilterLocation=*&FilterTeam=*&ShowAllEmployee=yes&DecimalPlaces=2&rs:ParameterLanguage=&rc:Parameters=Collapsed
I have some pages that need user to sign in. If not, I need to redirect user to signin page. I know this can be done by using some code like"<system.web><authorization><deny users="?"/></authorization></system.web>" in web.config.
But can I just write some code to do the same function?
like in page load method, I can check whether user is sign in, if user is not signed in yet, how can I redirect user to the login page by using code? and how can I stop sending the content of the page to user?
We are experiencing some strange behaviour on one of our ASP.NET web servers (Windows 2003 64-bit). After some activity, two third-party controls are unable to run correctly. One is log4net (it does not write error messages out) and the other is a menu control (it displays eval message instead of picking up its license). The one common thread is that both controls pick up their config from external config files (linked to from web.config).
Just wondering if anyone has any thoughts on this or experienced this in any way. Is it related to file/folder rights? The server has been running fine for a while and just started exhibiting this behaviour. Perhaps it occurs around the time the worker processes are recycled.
I have many Connection strings in my web.config file. I also have a "dataConfiguration" setting in the same file which specifies what database my app connects to.
How do I read the "defaultDatabase" setting / section from the, see below xml file.
<configuration>
<configSections> [code]....
I am developing web applicaiton. I want to read web.config in App.config file. I have appSettings and connectionStrings in web.config. How to read that?
View 10 RepliesI am using a standard implementation of the membership provider. I however, need to compare a supplied password (from a textbox) with a saved encrypted password. This is for a new security policy at work.
[Code]....
Even with https enabled, you can write a password to the event log in code-behind. Any way to keep that password encrypted in code while you're checking it against a data store?
(using Login control)
(couldn't add comment to Andrew's answer, so I'm putting it here)
NTLM uses the username/password of the machine the user is logged into right? For this, I was thinking using ActiveDirectory on the server as the data store. It would have a diferrent un/pw than what the user is currently signed in to their machine as.
i'm having a problem with symmetric key and certificate. the issue is, this database i'm using now is restored from a different source and ever since, i've been having problem regarding the symmetric key or certificate the error message i'd get from the aspx web pages would be "Please create a master key in the database or open the master key in the session before performing this operation" yes i did open the master key
[Code]....
For testing I used this:[URL]Encrypts only the password is not encrypted and username.Why not?For security reasons, I would like also to encrypts username.
View 10 Repliesfor maintain security, i encrypted my password and store in database like following
Dim PWD As
String = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(),
"SHA1").Trim()
but problem is suppose user forget his password and need to know then how can i decrypted the password and send to the user?is there any other suitable way to handle password?
reading on the web ive found the code below; i wonder if an encrypted string using this block generates an unique result or if different encrypted sources can result in the same crypted array:
private static TripleDES CreateDES(string password)
{
MD5 md5 = new MD5CryptoServiceProvider();
TripleDES des = new TripleDESCryptoServiceProvider();
des.Key = md5.ComputeHash(Encoding.Unicode.GetBytes(password));
des.IV = new byte[des.BlockSize / 8];
return des;
}
I've taken over a website which has around 3000 users registered using the standard asp.net membership provider on a SQL database. When the website was set up there were a lot of gaps in the system and we have a lot of tidying up to do of users with the same email addresses etc and invalid addresses so i'm just starting to look at how i can wrap all of this up and make administering the user accounts easier.
At the moment the account passwords are stored in "Hashed" format set in the web.config and obviously this doesn't allow for password retrieval. I want to know whether there is a way of converting all of these passwords from a hashed format to an encrypted format thus allowing me to create a password recovery page that doesn't then send the user a new password which is quite often something like "a*ns7#<3lx"
Ideally i'd like to convert all of these if that is possible so that I do a much simpler password retrieval system. If this is not possible can you tell me how i go about setting the passwordreset value not to contain all sorts of non-alpha/numberic characters?
This code works fine if i use this inside ssercontrol > panel and i have a checkboxes in table when no checkbox is checked its works fine .... but if i disabled and checked any of the textbox then this doesn't work .... in usercontrol why ? i didnt understand ..
<script type="text/javascript" language="javascript">
function checkboxChecked(){
var allInputs = document.getElementsByTagName("input");
for(var i=0; i<allInputs.length; i++) {
var chk = allInputs[i];
if(chk.type == "checkbox" && !chk.disabled && chk.checked) {
return true;
}
}
alert("OOps! You haven't selected all available checkboxes");
return false;
}
</script>
For our website, we have decided we would like to maintain our user passwords as encrypted binary data in our database. We are using ASP.NET 3.5 to host our site and SQL Server Express 2008 for the database, both running on the same server. When a user logs in and submits a username and password, there will need to be some sort of encryption or decryption in order to verify the credentials. To me, it would appear that there are 3 ways to do this:
1)[C# Encyrption] On User creation, perform encryption in the Web App and submit the encrypted password to the database. To verify credentials at Login, perform the same encryption on the submitted password and ensure that it matches the value stored in the database.
2)[SQL Encryption] On User creation, submit the plain-text password to the database and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, have the database perform decryption on the password during the SELECT statement, and compare the plain-text submitted password to the one in the database.
3)[Mix] On User creation, submit the plain-text password to the database, and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, perform the same encryption algorithm used by SQL on the submitted password ( is this possible? ), and ensure that it matches the value stored in the database.
Does anybody have an opinion as to which of these options is best? Number 1) is the most familiar to me, and would be the easiest to use with LINQ to SQL ( which is our current data model ), so I am leaning towards that. But if there are better options I would love to know about them.