Security :: To Validate When ValidateRequest="true"?
Jan 26, 2010 Do I have to validate cookies, user input, querystring and database output for XSS when my page is set to
ValidateRequest="true"?
In the notes for Step 1 in the "How To: Prevent Cross-Site Scripting in ASP.NET" it is stated that you should "not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation."
Do sites like Stackoverflow or asp.net use validateRequest="false" in their page directive? If "Yes", then how are they checking the user input, and if "No", then how are they able to post back the data?
How can I validate whether the checkbox is true or false...
Here's the situation. I have an aspx page that is designed to receive a POST request with some XML values, parse the XML, grab the relevant items, and write them to the page. The problem arises when I try to launch the page using the POST request. When I launch using Fiddler, building the request manually and just pasting the XML in the body of the request, everything works fine and dandy. When I launch the page from a basic HTML form, however, things don't go so great. The HTML form that I'm using looks like this:
[Code]....
When the page loads I get the error:
A potentially dangerous Request.Form value was detected from the client. Everything I've read so far has told me that the solution is to add ValidateRequest="false" to the page directive at the top of the .aspx file, or in the pages element of the web.config file. But neither of these works. Afterwards, I still get the same error. Any idea what I need to do to make this work?
I've noticed that setting ValidateRequest="true" on the page blocks input of the form • but not • - which are the same characters. Does anyone know why the first type is not allowed but the second type is? I really could not find a place where it defines what is meant by dangerous script and what is actually blocked when ValidateRequest is set to true.
How can I validate RadComboBox on the server side with LoadOnDemand true and AllowCustomText true? I have the following code, but it doesn't validate correctly.
    protected void RadComboBox1ServerValidate(object sender, ServerValidateEventArgs arg)
    {
        // Passes only when a list item was selected; custom text leaves SelectedValue empty
        arg.IsValid = RadComboBox1.SelectedValue.Length > 0;
    }
Why does ValidateRequest not work when HTML tags are sent by the __doPostBack method in JavaScript?
<script>
[Code]....
</script>
I understand I can use validateRequest="false" to bypass ASP.NET security. I'd like to know what security issues setting this flag may cause. Can I be 100% sure there won't be any issue as long as I encode the input using an XSS library?
I have a page in my MVC application that shows all the users registered on the site. I retrieve information about a User with this call:
[Code]....
I am really new to web services and ASP, so excuse my noobiness in advance; I am making a web service which displays stock availability from a table in a db when given the ProductID number. The problem is that I am required to do a SOAP authentication as well.
[Code]....
From the above, you can see that I am using Auth.username and Auth.password, which is an authentication class I created with two string arrays that contain login details. If one username matches its corresponding password then logon is allowed, else declined. Now that I have reached here, I need the web service to validate whether the logon details are correct through a table called tblStaff which contains the attributes "username" and "password". Doing it with an array containing predefined details in code is easy, however checking each "username" and "password" from tblStaff... /confused
How to set Request.IsAuthenticated to true when not using FormsAuthentication.RedirectFromLoginPage?
I set authentication cookie persistence to true on an aspx website; this works great. Now I have made an affiliate website (HTML + iframe (same aspx)) and it does not keep my user logged in after closing the browser.
It took me a little while to figure this out, but the AllowPaging="true" on the FormView seems to be the culprit. I don't have much experience paging from a FormView, but for this requirement the customer wants this kind of UI. I have a FormView with DefaultMode="Edit", which is bound to an EntityDataSource. One of the entity's properties, "ExternalID", determines whether some of the other properties in the entity are read-only. For example, if IsExternal==null, the FirstName, LastName, and Email fields should be rendered as TextBoxes. If IsExternal!=null, the 3 properties should be rendered in Label controls.
I am using the password recovery control, but I have one difficulty: when the user clicks on the "Forgot Password" link he is redirected to the "UserName" view of the password recovery template. When the user enters a "User Name" and clicks the submit button he is redirected to the "Question" view of the Password recovery control, and then the user clicks on the "Cancel" button. But when the user clicks on the "Forgot Password" link again, the "Question" view is displayed instead of the "UserName" view. I am not able to reset the Password control to the "UserName" view.
I have a page where, when the user has successfully logged in, I store some values in the session.
I then use these values to load an application list page. This page is automatically refreshed after 20.1 minutes, with the sessionstate timeout and forms timeout in web.config set to 20 minutes (with sliding expiration). This means, if the user does not use any page for more than 20 minutes, he is timed out.
My problem is that the User.Identity.IsAuthenticated sometimes returns true, when the session has expired.
Why is this happening, and how can I fix it?
I have a "UserDetail" table in my "JobPost.mdf". When I click the "delete" linkbutton, it deletes all the User info from my "UserDetail" table, and it also deletes the corresponding "aspnet_Users" & "aspnet_Membership" rows, but the "UserInRole" table still contains that UserName. Even though I specified the code: Membership.DeleteUser(UserName, true);
I thought true is for the bool deleteAllRelatedData, but it doesn't really delete the UserInRole row. So the next time a user registers with the same name, it automatically gets the "admin" role. This "deleteUser" page I keep inside a protected "admin" folder. How to solve it? Why doesn't Membership.DeleteUser(UserName, true) delete UserInRole?
    protected void GridView2_RowCommand(object sender, GridViewCommandEventArgs e)
    {
        if (e.CommandName == "Delete")
        {
            string UserName = e.CommandArgument.ToString();
            // Delete the membership user and (supposedly) all related data
            Membership.DeleteUser(UserName, true);
            JobPostDataContext db = new JobPostDataContext();
            var query = from u in db.UserDetails
                        where u.UserName == UserName
                        select u;
            foreach (var item in query)
            {
                db.UserDetails.DeleteOnSubmit(item);
            }
            db.SubmitChanges();
            FormsAuthentication.SignOut();
        }
    }
My web.config inside the protected Admin folder:
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <system.web>
        <authorization>
          <allow roles="Administrators" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>
When I click on any control on the page, the following error occurs: SOURCE: System.Web MESSAGE: Unable to validate data....
I have created a user account local to my machine. I want to validate this user and his password using C#. I cannot use AD search as this user is local to my machine. I don't want to check his group.
In my environment, we use Active Directory as our password repository. I'm writing an app that uses the user's Windows session (Windows auth) to authenticate the user. This is working well, but I need to provide a way for users to log in as a different user. I set up a web form to accept a username and password. My question is this: I need a secure way to validate the user's credentials against AD. I can't have the credentials passed as clear text. I've come across the impersonate user functions, but I'm leery because you have to pass a clear text password into the password field. I know I could also use LDAP, but without a certificate, I know plain LDAP is relatively insecure. Can someone point me in the right direction of a more secure solution to query AD with the credentials?
PrincipalContext.ValidateCredentials(username, password);
takes more time and high CPU usage to validate.
Is there any alternative way to validate credentials, or any way to reduce the load and time?
On my website, I only want to allow users that are registered real estate agents to be able to create an account. Is there a way to have the user registration process go something like:
1. User puts their "License" on my website Registration page and clicks a "next" button
2. There would be a way to have the license validated on the following site: http://www2.dre.ca.gov/publicasp/pplinfo.asp
3. If it is a valid license, the user is presented with the next step in the CreateUserWizard form.
I've done a registration form with a username availability check (refer to the screenshot attached).
The problem is that when I click register it validates all the fields and doesn't check whether the username is available or not.
It simply inserts the value.
How can I make the username availability check mandatory?
Writing a custom membership / role provider and have to validate user with extra parameter to Membership.Validate. So, instead of Membership.Validate(username, password) I need Membership.Validate(username, password, client).
Is this possible with the existing MembershipProvider? I would have liked to pass a new MembershipUser to the Validate method but didn't see anything that would work for that.
I have a forms-based authentication login that accesses MySQL to validate the credentials entered. I was wondering how you would encrypt the password?