ASP.NET - Safe To Store In Custom IIdentity?
Jul 8, 2010
I have created a custom IIdentity object to store specific user settings for logged-in users. I was wondering, is it safe to store sensitive data like user IDs or other IDs in the object? Is there any security risk in doing so? Also, how much is too much to store in the object?
Similar Messages:
Feb 2, 2010
I just created a custom membership provider. I would like to know if I can make calls to my data access layer and not put my data access code inside the membership methods; will that prevent my custom membership provider from being thread safe? For example:
public override [Code].... CreateUser(string username, string password, string email, out MembershipCreateStatus status)
{
    // DB calls to my data layer
}

v.s.

public override [Code].... CreateUser(string username, string password, string email, out MembershipCreateStatus status)
{
    // data access
}
Jul 14, 2010
Give me an example (or point me in the right direction) of how to store custom data in an ASP.NET Membership cookie? I need to add some custom properties like UserID and URLSlug to the cookie and be able to retrieve the information the same way one would retrieve the Username.
Edit:
I used Code Poet's example and came up with the following.
When I set a breakpoint at Dim SerializedUser As String = SerializeUser(userData), the value of userData is right. It has all the properties I expect it to have.
The problem I'm now running into is that when I get to Dim userdata As String = authTicket.UserData (breakpoint), the value is "". I'd love to figure out what I'm doing wrong.
Here's the code.
Imports System
Imports System.Web
Imports System.Web.Security

Namespace Utilities.Authentication
    Public NotInheritable Class CustomAuthentication
        Private Sub New()
        End Sub

        Public Shared Function CreateAuthCookie(ByVal userName As String, ByVal userData As Domain.Models.UserSessionModel, ByVal persistent As Boolean) As HttpCookie
            Dim issued As DateTime = DateTime.Now
            ' formsAuth does not expose timeout!? have to hack around the
            ' spoiled parts and keep moving..
            Dim fooCookie As HttpCookie = FormsAuthentication.GetAuthCookie("foo", True)
            Dim formsTimeout As Integer = Convert.ToInt32((fooCookie.Expires - DateTime.Now).TotalMinutes)
            Dim expiration As DateTime = DateTime.Now.AddMinutes(formsTimeout)
            Dim cookiePath As String = FormsAuthentication.FormsCookiePath
            Dim SerializedUser As String = SerializeUser(userData)
            ' The serialized model travels in the ticket's UserData field
            Dim ticket = New FormsAuthenticationTicket(0, userName, issued, expiration, True, SerializedUser, cookiePath)
            Return CreateAuthCookie(ticket, expiration, persistent)
        End Function

        Public Shared Function CreateAuthCookie(ByVal ticket As FormsAuthenticationTicket, ByVal expiration As DateTime, ByVal persistent As Boolean) As HttpCookie
            Dim creamyFilling As String = FormsAuthentication.Encrypt(ticket)
            Dim cookie = New HttpCookie(FormsAuthentication.FormsCookieName, creamyFilling) With { _
                .Domain = FormsAuthentication.CookieDomain, _
                .Path = FormsAuthentication.FormsCookiePath _
            }
            If persistent Then
                cookie.Expires = expiration
            End If
            Return cookie
        End Function

        Public Shared Function RetrieveAuthUser() As Domain.Models.UserSessionModel
            Dim cookieName As String = FormsAuthentication.FormsCookieName
            Dim authCookie As HttpCookie = HttpContext.Current.Request.Cookies(cookieName)
            Dim authTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
            Dim userdata As String = authTicket.UserData
            Dim usersessionmodel As New Domain.Models.UserSessionModel
            usersessionmodel = DeserializeUser(userdata)
            Return usersessionmodel
        End Function

        ' BinaryFormatter output, base64-encoded so it fits in a string field
        Private Shared Function SerializeUser(ByVal usersessionmodel As Domain.Models.UserSessionModel) As String
            Dim bf As New Runtime.Serialization.Formatters.Binary.BinaryFormatter()
            Dim mem As New IO.MemoryStream
            bf.Serialize(mem, usersessionmodel)
            Return Convert.ToBase64String(mem.ToArray())
        End Function

        Private Shared Function DeserializeUser(ByVal serializedusersessionmodel As String) As Domain.Models.UserSessionModel
            Dim bf As New Runtime.Serialization.Formatters.Binary.BinaryFormatter()
            Dim mem As New IO.MemoryStream(Convert.FromBase64String(serializedusersessionmodel))
            Return DirectCast(bf.Deserialize(mem), Domain.Models.UserSessionModel)
        End Function
    End Class
End Namespace
Here's where I create all the magic. This method is in a "BaseController" class that inherits System.Web.Mvc.Controller
Protected Overrides Function CreateActionInvoker() As System.Web.Mvc.IActionInvoker
    If User.Identity.IsAuthenticated Then ' this if statement will eventually also check to make sure that the cookie actually exists.
        Dim sessionuser As Domain.Models.UserSessionModel = New Domain.Models.UserSessionModel(OpenIdService.GetOpenId(HttpContext.User.Identity.Name).User)
        HttpContext.Response.Cookies.Add(UrbanNow.Core.Utilities.Authentication.CustomAuthentication.CreateAuthCookie(HttpContext.User.Identity.Name, sessionuser, True))
    End If
    ' The override still has to hand an invoker back, otherwise MVC has nothing to execute the action with
    Return MyBase.CreateActionInvoker()
End Function
And here's how I try and retrieve the info.
Dim user As Domain.Models.UserSessionModel = CustomAuthentication.RetrieveAuthUser
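The following is an added example, not code from either poster above or from ASP.NET itself. It covers both the first question (what belongs in a custom IIdentity) and this one (custom data in the forms-authentication cookie): a couple of non-secret identifiers are carried in the ticket's UserData as a compact text string rather than a BinaryFormatter payload, the cookie is issued with HttpOnly and Secure flags, and a custom IIdentity is rebuilt from the ticket on each request. The names UserSessionData, AppIdentity and CustomAuthentication are assumptions, as is .NET 4.0 or later for FormsAuthentication.Timeout; the cookie-size limit of roughly 4 KB is a browser convention, not an ASP.NET constant.

```csharp
// Added example (not the posters' code): identifiers in the forms-auth ticket,
// surfaced through a custom IIdentity. UserSessionData, AppIdentity and
// CustomAuthentication are hypothetical names; FormsAuthentication.Timeout needs .NET 4.0+.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public sealed class UserSessionData
{
    public int UserId { get; private set; }
    public string UrlSlug { get; private set; }

    public UserSessionData(int userId, string urlSlug)
    {
        UserId = userId;
        UrlSlug = urlSlug ?? string.Empty;
    }

    // A small delimited string instead of BinaryFormatter: FormsAuthentication.Encrypt
    // already encrypts and MAC-protects the ticket, so the format only needs to be
    // compact (the whole cookie must stay under ~4 KB) and safe to parse. A text
    // format also cannot be turned into a deserialization gadget if the machineKey leaks.
    public string Serialize()
    {
        return UserId.ToString() + "|" + Uri.EscapeDataString(UrlSlug);
    }

    public static UserSessionData Deserialize(string userData)
    {
        if (string.IsNullOrEmpty(userData)) return null;
        string[] parts = userData.Split('|');
        int userId;
        if (parts.Length != 2 || !int.TryParse(parts[0], out userId)) return null;
        return new UserSessionData(userId, Uri.UnescapeDataString(parts[1]));
    }
}

// The identity lives only in server memory for the duration of one request; what
// the client holds is the encrypted ticket, never the object itself.
public sealed class AppIdentity : IIdentity
{
    private readonly FormsAuthenticationTicket _ticket;
    public UserSessionData Session { get; private set; }

    public AppIdentity(FormsAuthenticationTicket ticket)
    {
        _ticket = ticket;
        Session = UserSessionData.Deserialize(ticket.UserData);
    }

    public string Name { get { return _ticket.Name; } }
    public string AuthenticationType { get { return "Forms"; } }
    public bool IsAuthenticated { get { return true; } }
}

public static class CustomAuthentication
{
    // Issue the cookie at login time.
    public static HttpCookie CreateAuthCookie(string userName, UserSessionData data, bool persistent)
    {
        DateTime issued = DateTime.Now;
        DateTime expires = issued.Add(FormsAuthentication.Timeout);
        var ticket = new FormsAuthenticationTicket(1, userName, issued, expires,
                                                   persistent, data.Serialize(),
                                                   FormsAuthentication.FormsCookiePath);
        string encrypted = FormsAuthentication.Encrypt(ticket);
        if (encrypted.Length > 4000)
            throw new InvalidOperationException("auth cookie too large; browsers will drop it");

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // not readable from page script
            Secure = FormsAuthentication.RequireSSL,  // mirrors <forms requireSSL="..."/>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = expires;
        return cookie;
    }

    // Call from Application_AuthenticateRequest in Global.asax to rebuild the principal.
    public static void AttachPrincipal(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }   // tampered or foreign cookie: request stays anonymous
        if (ticket == null || ticket.Expired) return;

        context.User = new GenericPrincipal(new AppIdentity(ticket), new string[0]);
    }
}
```

Pages then read ((AppIdentity)User.Identity).Session.UserId instead of re-parsing the cookie. Because the ticket is sealed by the machineKey, the identifiers in it can be trusted as far as the key is trusted; anything that should not be visible to the browser at all (password hashes, secrets, large records) still belongs in server-side state keyed by that UserId.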
Mar 5, 2010
I have implemented a custom MembershipProvider and now I would like to use CreateUserWizard to create new users. The problem is that I want to store more information in the db than normal (e.g. first and last name). There is a function:
public override MembershipUser CreateUser(string username, string password, string email,
    string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey,
    out MembershipCreateStatus status)
{
    throw new NotImplementedException();
}
which I can implement, but it won't store the first name etc. I found here: [URL] a solution where I can overload this function and call it manually, but the default CreateUser function will still be called in this case...
Jan 31, 2010
I'd like to learn how to create custom providers (say a custom membership provider or custom profiles) that use XML as their data store. Is the best way to accomplish this (using C#) XPath/XSLT or the DOM?
Feb 15, 2011
I'm developing a "small" warehouse-management web application for a few users (5-10 in parallel) but with a complex authorization system (checking whether pages, menus, TabPanels, UserControls and even single controls are visible or enabled) and permanent and frequent access. Because I've only limited experience with the ASP.NET MembershipProvider, I'm unsure what's the best approach for the following goal:
I want to hold all users, roles and frequently used master data in the Cache (in a DataSet). Hence every read-only access should be faster and cause less traffic than always using the database. On updates, deletes and inserts I would update the cached DataSet and also the database. Can I use or extend the SqlMembershipProvider to achieve this goal, and if possible how? Should I use the stored procedures from ASP.NET or simply use the standard CreateUser, GetUser, DeleteUser functionality? Does this approach make sense at all?
Mar 8, 2011
I have created a shopping cart where I currently store items in a session, but I want to get away from this. So I am going to store it in a list. How can I create a custom class for this and store the values every time items are added?
Jan 12, 2010
I am creating a web service that returns the list of states. How do I create an object in C# in the web service that will return multiple values (of properties of an object)? Currently, the way I am doing it, it only returns the last value pulled from the database. Do I need to store an array of properties?
[code]....
May 12, 2010
I've a requirement where I need to pass some objects across pages. So I created a custom class with all the properties required, created an instance of it and assigned all the properties appropriately. I then put that object in the session and took it to the other page. The problem is that even when I set the property values on the class they come back as null. I set a breakpoint in the getter-setter and saw that the value itself is coming as null.
public class GetDataSetForReports
{
    private Table m_aspTable;
    private int m_reportID;
    private string m_accountKey;
    private string m_siteKey;
    private string m_imUserName;

    /// <summary>
    /// Asp Table containing the filters
    /// </summary>
    public Table aspTable
    {
        get
        {
            return m_aspTable;
        }
        set
        {
            // assigns the property's own getter result back to the field; the
            // incoming C# `value` keyword is never read (same pattern in every setter below)
            m_aspTable = aspTable;
        }
    }

    /// <summary>
    /// Report ID
    /// </summary>
    public int reportID
    {
        get
        {
            return m_reportID;
        }
        set
        {
            m_reportID = reportID;
        }
    }

    /// <summary>
    /// All the accounts selected
    /// </summary>
    public string accountKey
    {
        get
        {
            return m_accountKey;
        }
        set
        {
            m_accountKey = accountKey;
        }
    }

    /// <summary>
    /// All the sites selected
    /// </summary>
    public string siteKey
    {
        get
        {
            return m_siteKey;
        }
        set
        {
            m_siteKey = siteKey;
        }
    }

    /// <summary>
    /// Current User Name
    /// </summary>
    public string imUserName
    {
        get
        {
            return m_imUserName;
        }
        set
        {
            m_imUserName = imUserName;
        }
    }
}
This is how I'm creating an instance in page1 and trying to get it in page2. Page1 code:
//Add the objects to the GetDataSetForReports Class
GetDataSetForReports oGetDSForReports = new GetDataSetForReports();
oGetDSForReports.aspTable = aspTable;
oGetDSForReports.reportID = iReportID;
oGetDSForReports.accountKey = AccountKey;
oGetDSForReports.siteKey = Sitekey;
oGetDSForReports.imUserName = this.imUserName.ToString();
But the values are not getting set at all. The values are not passing to the class (to the setter) at all. Am I making any OOP blunder?
Sep 21, 2010
There is not a clear category on the site where to post this, so giving it a shot here.
Has anyone used VSS 2008? I currently use Tortoise for some projects, and SourceGear Vault for others.
The company where I work is thinking about moving to VSS because of the MSDN subscription.
My experience with VSS prior to VSS 2005 was that it coined the name "Visual Source Unsafe", and I know first hand that it trashed my work more than once and I stopped using it. SourceGear Vault on the other hand is rock solid.
So is VSS 2008 really "safe"? Was VSS 2005 "safe"?
Jul 6, 2010
I have an ASP.NET application that needs to remember some info about a user (and what company they are from) across pages, within a session. I imagine this is a requirement of just about any ASP.NET application of a certain size. I've used a few different approaches over the years. In the past, I've passed around an id in querystring parameters like so: [URL] and then instantiated the object on each page (from the database). Another common way of doing it is storing my objects in session variables:
Session["User"] = currentUser; // store at login
User currentUser = (User)Session["User"]; // retrieve on some other page
which saves a trip to the DB, but I worry about memory used if the User object is complex and the site has many concurrent users. I have recently inherited an application that uses public properties on the master page, like this:
Master.theUser = currentUser; // store at login
User currentUser = Master.theUser; // retrieve on some other page
This saves the cast, and looks more readable to me I think, but I don't know if it's better or worse performance-wise. It also has some logic in the getter where if the private value is null, it tries to get it from the Session variable, though I'm not sure if that's never used (or used every get!?) or what. My latest idea is to use my page class. I have a custom page class derived from the standard System.Web.UI.Page base class. It includes objects like CurrentUser as public properties. This seems to work OK. I like it even better. But I really don't know what's going on under the covers. Can anyone give an opinion on which approach is better and why?
Update: I've done some checking using trace.axd and Trace.Write, and it looks like neither the master page version nor the custom page class version "remembers" the values between pages. The "get" methods have a line of code that checks if the User property is null, and if so, reads it from the session variable. This happens when a page accesses the property (Master.User or the derived class's this.User) for the first time on a given page; subsequent requests can then get the value (without going to the session variable). So thus far the best solution looks something like this:
public class MyPage : System.Web.UI.Page
{
    private User user;

    public User User
    {
        get
        {
            if (user == null)
            {
                user = (User)HttpContext.Current.Session["CurrentUser"]; //check if session[CurrentUser] is null here and log them out if so?
            }
            return user;
        }
        set
        {
            user = value;
            HttpContext.Current.Session["CurrentUser"] = value;
        }
    }
}
Then on any webpage.aspx.cs, you can do something like this: UsernameTextBox.Text = User.FullName;
Aug 12, 2010
I have a custom membership user class and a custom MembershipProvider working against a database. For security reasons the user passwords are stored in the database as hashed values. So my procedure
public override bool ValidateUser(string username, string password) is
{
    //select hashed password from db
    return (EncodePassword(password) == dbpassword);
}
[code]....
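As an added example (not the poster's provider, and not part of the original thread), here is the shape a ValidateUser comparison takes when the stored value is a salted PBKDF2 hash rather than a bare hash: the salt and iteration count are stored per user, the candidate password is stretched the same way, and the two digests are compared byte-for-byte in constant time. HashedPassword, PasswordHasher and the lookup delegate are assumed names standing in for the poster's database access; the iteration count is a placeholder to be tuned for the server.

```csharp
// Added example (not the poster's code): salted PBKDF2 verification for a
// MembershipProvider. HashedPassword, PasswordHasher and the lookup delegate are
// hypothetical stand-ins for the real data access.
using System;
using System.Security.Cryptography;

public sealed class HashedPassword
{
    public byte[] Salt { get; private set; }
    public byte[] Hash { get; private set; }
    public int Iterations { get; private set; }

    public HashedPassword(byte[] salt, byte[] hash, int iterations)
    {
        Salt = salt;
        Hash = hash;
        Iterations = iterations;
    }
}

public static class PasswordHasher
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;

    // Called when a password is set: fresh random salt per user, iteration count stored alongside.
    public static HashedPassword Create(string password, int iterations)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return new HashedPassword(salt, Derive(password, salt, iterations), iterations);
    }

    // Called at login: re-derive with the stored salt and compare.
    public static bool Verify(string password, HashedPassword stored)
    {
        if (password == null || stored == null) return false;
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations);
        return FixedTimeEquals(candidate, stored.Hash);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        // Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1 in the .NET Framework.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Touch every byte regardless of where the first mismatch is, so the time a failed
    // login takes does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class ValidateUserExample
{
    // lookup(username) returns the stored record or null; it stands in for the DB query.
    public static bool ValidateUser(string username, string password, Func<string, HashedPassword> lookup)
    {
        HashedPassword stored = lookup(username);
        // Verify runs even for an unknown user only if you pass a dummy record; here an
        // unknown user simply fails, which is the usual MembershipProvider contract.
        return stored != null && PasswordHasher.Verify(password, stored);
    }
}
```

Whether the digest ends up in the database as a byte[] column or base64 text is a storage detail; what matters for the provider is that the salt and iteration count are read back with the hash, so the same derivation can be repeated at login.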
Feb 28, 2011
I wonder if it's safe to use the CTP5 in production yet. My main use would be for 2 small projects. I know they pre-released it, but any thoughts on whether it would hold up for production are welcome.
Nov 12, 2010
I've a blog-driven ASP.NET website. Under the post, there is a Comment block to let readers post comments. I've used some TextBoxes and a TextArea for that. To prevent XSS: I've filtered the input by using the Server.HtmlEncode() method (I don't care about text formatting). To prevent SQL injection: I'm using Linq To SQL (that should be like parameterized queries, I think!).
ArticlesDataClasses dc = new ArticlesDataClasses();
ArticleComment newComm = new ArticleComment()
{
    ArticleID = int.Parse(Request.QueryString["ArticleID"]),
    CommentAuthor = Server.HtmlEncode(txtName.Text),
    CommentText = Server.HtmlEncode(txtComment.InnerHtml).Replace("\n", "<br />"),
    CommentAuthorEmail = Server.HtmlEncode(txtMail.Text),
    CommentTime = DateTime.Now,
    Enabled = false
};
Jan 12, 2011
For example, this is the code that I am using:
String commandString = "UPDATE Members SET UserName = @newName , AdminLevel = @userLevel WHERE UserID = @userid";
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlconnectionstring"].ConnectionString))
using (SqlCommand cmd = new SqlCommand(commandString, conn))
{
    // Add(string, object) is obsolete; AddWithValue is the equivalent call
    cmd.Parameters.AddWithValue("@newName", newName);
    cmd.Parameters.AddWithValue("@userLevel", userLevel);
    cmd.Parameters.AddWithValue("@userid", userid);
    conn.Open();
    // an UPDATE produces no result set, so there is no reader to open or close
    cmd.ExecuteNonQuery();
}
Apr 23, 2010
When storing a value in a cookie using C#, what is the best way to encode (or escape) the value so that it can be retrieved and decoded/unescaped reliably?
I'm not talking about encryption.
Feb 21, 2011
I want to store certain HTML tags in my database for the layout of content, for example <h3> and <p> tags. The problem is that with ValidateInput set to True you get a "Potential Danger" error when you try sending content with HTML tags.
With it set to False, you open yourself to all sorts of potential dangers. So here is what I'm wanting to achieve:
I hope you like the image! lol, I spent 10 minutes in Photoshop to create it.
So everything that goes in, I want encoded, but when I get content back, I want to decode only the <h3> and <p> tags! What do you think of my solution? Bad, good?
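The encode-everything, decode-an-allowlist approach from the post, written out as an added example (not the poster's code): content is stored fully HTML-encoded, and at render time only the exact encoded forms of <h3>, </h3>, <p> and </p> are turned back into tags. Anything with attributes, any other tag, and any script stays encoded. ContentFilter is an assumed name.

```csharp
// Added example (not the poster's code): allowlist decoding of a fixed set of
// bare tags after full HTML encoding. ContentFilter is a hypothetical name.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class ContentFilter
{
    // Matches only the encoded form of a bare opening or closing h3/p tag. A tag
    // carrying attributes ("&lt;p onclick=...&gt;") does not match and stays inert text.
    private static readonly Regex AllowedTags =
        new Regex(@"&lt;(/?)(h3|p)&gt;", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // On the way in: encode everything, so the database never holds live markup.
    public static string EncodeForStorage(string raw)
    {
        return HttpUtility.HtmlEncode(raw ?? string.Empty);
    }

    // On the way out: restore just the allowed tags; everything else remains encoded.
    public static string RenderWithAllowedTags(string stored)
    {
        return AllowedTags.Replace(stored ?? string.Empty,
            m => "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">");
    }

    // Constructed sample input showing the round trip: the heading survives, the
    // script tag and the attribute-bearing paragraph are rendered as harmless text.
    public static string Demo()
    {
        string raw = "<h3>Title</h3><p>Body & more</p><script>x()</script><p class=\"a\">no</p>";
        string stored = EncodeForStorage(raw);
        return RenderWithAllowedTags(stored);
        // "<h3>Title</h3><p>Body &amp; more</p>&lt;script&gt;x()&lt;/script&gt;&lt;p class=&quot;a&quot;&gt;no&lt;/p&gt;"
    }
}
```

Because the regex only ever rewrites strings that HtmlEncode itself produced, the output can contain no markup the allowlist did not explicitly re-enable. Unbalanced tags can still upset the page layout, which is a rendering problem rather than a script-injection one; wrapping the rendered comment in its own container element limits the damage.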
Oct 21, 2010
I'm trying to make an existing ASP.NET web forms app more unit testable by using some of the ASP.NET MVC objects, specifically HttpContextWrapper. I've seen examples of its usage and they always create a new object. I disassembled the source with Reflector and see all it does is store the passed HttpContext. But I was curious as to whether or not it's safe to always create a new instance of HttpContextWrapper or follow the singleton pattern somehow? Below is the class I'm using in my app
public static class AppHttpContext {
public static HttpContextBase Current { get { return Getter(); } }
public static void SetContext(Func<HttpContextBase> getter) {
Getter = getter;
}
private static Func<HttpContextBase> Getter = () => new HttpContextWrapper(HttpContext.Current);
}
And I use it similar to HttpContext.Current
AppHttpContext.Current.Session["blah"] = "something";
Feb 10, 2011
I'm considering making use of an HttpModule for localization purposes (based on the example in this article) - but I'm curious, is this safe?
Here's the code, for reference:
public class CookieLocalizationModule : IHttpModule
{
public void Dispose()
{
}
[code]....
I was under the impression that multiple threads could potentially service a web request. Is it safe to set the Current/Current UI Cultures in an HttpModule like this and have it respected for the life of the web request regardless of how many threads are involved in servicing it?
Jan 23, 2011
Is there any way to make ASP.NET ObjectDataSources type safe, meaning I get a compile-time error if parameters or datatypes change during refactoring? Does anyone know any other method, or can recommend any other way to do it? I find manual binding tedious. What are other people doing?
Feb 1, 2010
I have been in the process of updating my code with security methods, and I've been learning this from [URL](or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input".
Now, what was to use code like:
DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
...
But, I was already using code like:
var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5");
dataSource.UpdateParameters.Add("someVal", val);
So now, to use type safe parameters, I decided to include it like:
var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5");
dataSource.UpdateParameters.Add("@someVal", DbType.Int16, val);
dataSource.UpdateParameters["@someVal"].Size = 1;
So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.
Getting to my actual question, as it was said, "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, this should apply to unfiltered input. Also, in their example they only did this for an ID.
So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or shall even filtered input have this (just to be sure), like input that has been run through a regular expression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?
The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But I really am unsure if this is really the best idea, because if I did, would this possibly cause over-processing of information? Can this cause too much strain on server resources?
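As an added example (not code from this poster, the earlier UPDATE poster, or the guideline the post quotes), the UPDATE statement from the earlier "UPDATE Members SET UserName = @newName ..." post rewritten with explicitly typed and sized parameters, which is what the quoted guideline means by "type safe parameters". The table and column names come from that post; the connection-string name, the 50-character limit on UserName and the MemberRepository name are assumptions.

```csharp
// Added example (not the posters' code): the Members UPDATE with typed, sized
// SqlParameters. MemberRepository and the 50-char UserName limit are hypothetical.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class MemberRepository
{
    private const string UpdateSql =
        "UPDATE Members SET UserName = @newName, AdminLevel = @userLevel WHERE UserID = @userid";

    // Returns the number of rows affected (0 means no such UserID).
    public static int UpdateMember(int userId, string newName, int adminLevel)
    {
        // Application-level validation is a separate concern from injection safety:
        // it enforces business rules (length, allowed characters) before the round trip.
        if (string.IsNullOrEmpty(newName) || newName.Length > 50)
            throw new ArgumentException("newName must be 1-50 characters", "newName");

        string cs = ConfigurationManager.ConnectionStrings["sqlconnectionstring"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(UpdateSql, conn))
        {
            // Declaring SqlDbType and size up front means each value is sent to the
            // server as data of that type, never spliced into the statement text, and
            // a value of the wrong type or length fails before SQL Server sees it.
            cmd.Parameters.Add("@newName", SqlDbType.NVarChar, 50).Value = newName;
            cmd.Parameters.Add("@userLevel", SqlDbType.Int).Value = adminLevel;
            cmd.Parameters.Add("@userid", SqlDbType.Int).Value = userId;

            conn.Open();
            return cmd.ExecuteNonQuery();   // UPDATE has no result set, so no reader
        }
    }
}
```

This answers the "filtered vs. unfiltered" worry from the defender's side: a regular-expression check and a typed parameter protect against different things, so the parameter is used for every value that reaches SQL, filtered or not. The cost is negligible; a parameterized command is also what lets SQL Server cache the execution plan across calls, which concatenated statements defeat.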
Mar 30, 2011
I am toying with the idea of enabling CLR on my SQL server, using EXEC sp_configure 'clr enabled', 1
However, I am sharing my database server with several other developers and their projects. I've heard vaguely that there might be security issues with enabling this.
Does anyone know what these issues might be? Is CLR safe to use on SQL Server?
Mar 15, 2011
I've been reading a bit about SQL injection and I want to be sure my code is, let's say, "safe" from it. I was planning on using RegExp validators to check the user input, but another post in here suggested only using parameterized queries. Well, I'm using them, but I want to be sure my code is safe. Is it?
[code]....
Mar 30, 2011
Probably these are two questions in one, I am using one EF context per request, but I want to use one per thread, because I am going to make some complex task in another thread during the request. So, is it safe? If the answer is yes, how to do it? how to store objects in thread and get them back?
Apr 27, 2010
If I write this, for example,
if session("authenticated") = ""
    response.redirect("default.aspx")
end if
is it safe enough, or should I encrypt it?