C# - Microsoft .net Security Warning : Never Enter Personal Information Or Passwords - How To Fix It
Oct 28, 2010
So I have an ASP.net application, with an ActiveX Control which brings up a pop up
When I point to the application directly through IP there is no problem with the pop up eg. xxx.xxx.xxx.xxx/MyApp (under Default Website in the IIS -- IIS 7) Problem arises when I set up the IIS to point it to a domain [URL] which points to the above IP (under another "Site" i.e. not the "Default Site in IIS 7)
I then get this weird
Microsoft .net Security Warning Never enter personal information or passwords into a window unless you can verify and trust the source of the request.
Source: [URL]
The site is in the trusted list -- just like when I was using the IP only . Is there any setting in the IIS I need to tweak for IE to trust me fully.
My issue today is that i have a MySQL Database and am using the security framework provided by the ASP.NET Membership and Role Providers...I override the default methods with my own MySQL.
Now the issue comes in when i someone would like to have their password reset. My application is running entirely on an Intranet so i cannot have their passwords emailed to them. Is there a way i can have this information displayed in any way so that the user can use it to Log Reset, Create Accounts or Recover their lost passwords on an intranet without the administrators intervention?
Recently i had an approach as follows. In my web.config<system.net><mailSettings><smtp deliveryMethod="pickupDirectoryLocation" and my location was a folder on C drive as c:/SavedPasswords. Now i understand this was such a big security threat and thats why i am looking for a better option.
I would have that folder created using my System.IO and then the Mail is dropped into that folder. Then after the process is successful, i tell the user to check into that location and Read its content.
Then there is a global variable that is set to true...meaning that the folder at c:/ has been created. then there is a Method in a certain class that once it sees this variable True, it reads the readers c:/ and deletes that folder "save" if it exists;
I have a small database, with a very small number of users. The passwords were stored as clear as the database was so small and held no sensitive data. The database is now to be expanded and passwords are required to be encrypted. I can change the Password Format in the web.config, but is there a way to change the existing passwords from clear to encrypted?
I have an application whereby a user browses to an Ajax enabled page, sets up some filters, and then clicks on download report. When the user clicks on this button, they are redirected to a Download.aspx page, which builds up the report and appends it to the response as binary (the file may either be zip/pdf or excel). The issue I am having is that everytime the user goes to the page and hits the download button the warning message from IE pops up "To help protect your security internet explorer has blocked this site from download files to your computer". This is not a huge issue, but the problem is that when the user clicks this warning to accept the file, it reloads the page, and all my filters are lost, so the user has to set up all the filters to filter out the data they dont want and then re-download the file.
The interesting thing is that I thought I could track the filters using session variables, so that when the page reloads after accepting the warning message it could be restored, but IE for some reason is not loading the page in the way it should, and so the Page_Load method is never fired when IE reloads it after the user accepting the warning, so I cannot restore the filter settings on the page because I have no event to do it from!
I have searched and searched for a solution.. I have tried changing the mime headers - I am using content-disposition tag set to "attachment; filename=report.zip", I have tried changing the mime type descriptions to different things to see if I can avoid the warning but to no avail. I have tried using an iframe but couldnt quite get it to do what I want it to do, the page was still being refreshed..
Having spent considerable amount of time in ASP.NET security community I would like to share this.
There are three ways of resetting and changing passwords explained at
Microsoft ASP.NET site[URL]
Step 1: Helping Users Recover Lost Passwords Step 2: Changing Passwords Step 3: Allowing Administrators to Change Users' Passwords
In step 1 and step 2 end user passwords are sent by an email.
In Step 3: functionality is explained where administror changing the password and sending through email msg. refer "I encourage those readers interested in this functionality to become more familiar with the code and try extending the functionality to include sending an email to the user whose password was changed. Query
Is Sending passwords by emial secure enough or best security password at all? I have implemented functionality where Admin sending passwords to end users by changing once in 3 months. End users expressed their views that sending passwords by email is not secure. When there is security threat in sending passwords by email, Microsoft security experts should not emailing passwords in above mentioned article, which is still up to date.
I am using SharePoint Server 2007 Enterprise with Windows Server 2008 Enterprise. And I am developing using VSTS 2008 + C# + .Net 3.5 + ASP.Net + javascript (jQuery).
I met with the following security warning in browser (at the top of the page in IE) when browse a page -- "An add-on for this web site failed to run. Check the security settings in Internet Options for potential conflicts." The function I developed works fine besides the security warnings. I am using IE 8. why there is security warnings and how to resolve?
Here is the code I added to BlueBand.master to refer the js/css files in head section. I am developing a webpart which such script files will impact (i.e. my webpart will generate a div called "tabs" which such below scripts will impact).
I am completely stuck here. Basically, I am serving a file to the user by sending it using Respnse.BinaryWrite. I am also sending this on a redirected page so as not to destroy the Response stream of the webpage which fired the filedownload. This works perfect on my development machine, it also works perfect on Firefox.However, if I publish to my test server, on IE 8 (and 7 I presume) a security warning bar appears (does not appear in dev mode on my pc), asking the user to accept or decline the file. Now the not-so-funny thing: If the user accepts, the file is NOT served, I just get back to my main webpage. If the user tries a second time to get the file the security question will NOT pop up again and the file is served.How can I make sure the file is served in the first instance if the user accepts the security warning and wants to download?
I'm running into an issue where in IE the security dialog is popping up and if I click download File the file is never downloaded..it just goes back to the main page.
can i get information about the computer that enter my page , like the currently logged user on that computer and the ip address . and if i can get the currently logged user name , isn't that considered as security risk .
I'd like to mimic the behavior of the "profile provider" that is available in .Net. The profile provider acquires profile properties from the web.config and those properties are immediately available as an enum for use in the code behind.I'm unsure how to do this, and wondered whether someone may be able to help.Essentially I'd like to allow developers to enter Role information into the web.config, and then have this role information available for use within an enum in the codebehind.
I have a half dozen sites on my server and I would like to get some info from IIS7 to display in the footer of each page (as long as you are an admin of course). I am going through the ServerObject and found Sites but am not finding anything obvious for "this site". What should I do to get at the information for the exact site in IIS7 that the page is running on?
For a quick 'hack' style approach I wrote this on my default.aspx page code behind:
I have been trying to change a users password, I have been using this code
[Code]....
I do not get an error during the try routine, but my problem comes that when the user goes it insert their new password (using login Control) it says that the password is wrong.. and they then can't login using either their new or old password.
All Password critria is met, web.config if set so passswordQuestion = false
I have an asp.net page where I have used FormsAuthentication.HashPasswordForStoringInConfigFile. Encrypted password is saved in database. I have created a forgotPassword page. Where I need to send user his password. How can I decrypt it and send it to user. if SHA1 can not be decryoted what other option should I use to encrypt the passwords?
I want the login password to not be sent in plaintext (due to the risk of hijacking). I know that this can be achieved in principle using MD5 or the like, but is there a common implementation for use with Asp.Net? Of course, it's crucial that the resulting hash (?) isn't easy to decrypt. When I read various posts on this matter, some people say it's just to do a reverse on the encrypted string, so that in effect, this is totally useless.
I need to store passwords provided by the user. Yes, passwords. I could not use Hashes because I need to supply the password to another external service for authentication, and therefore I need to have the password.
What is the best and most secure way to store the passwords? As the external data provides private data it is of course very important that the password in my MS SQL DB is stored as safe as possible.
I'm looking to create my application as secure as possible. Now I have following line of code:
[Code]....
As you can see, my password is in plain-text in the code. Now, I presume it's easy to decompile a code using a tool and getting your hands on the password. Since these are my AD Admin-credentials this is not that good.The AuthenticationTypes are secure, I think. They encrypt the data before sending it to the network.So there's just the problem of the plain-text password. I've searched for it on Google but can't find the proper solution. I've found alot about encrypting passwords in the web.config.
I've created a website with users and passwords and such for authentication.When a user is created through the "administer website" function of asp.net 4.0 where are the passwords stored? Is there a way to manually change passwords in the database?
I'm creating an ASP.NET application which uses Facebook Connect and fbml tags. It also uses the LinkedIn widget. When I run this app in any browser, there are no warnings and everything works. However, in IE, a message like this comes up:
Security Warning: The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this?
Current site:http://www.facebook.com Trusted site:http://localhost
(same for LinkedIn.com). I know how to fix this from a client perspective and to stop the security warning showing up. However, is it possible to ensure this message doesn't come up as it could be off putting for users who don't know how to suppress this warning? I haven't tried uploading it to my webhost, so not sure if this message will appear for everyone in production. However, I always get it on my local machine.
(None of my pages use SSL, so I don't think that's the issue. I tried using FB's HTTPS urls but that didn't make a difference).
I'm trying to find out how i store user names and passwords in the web.config file. I have tried looking for documentation on this but haven't found any so far.
I see in the class library it says that the Authenticate method of the FormsAuthentication class is for use in authenticating credentials against those stored in the config file, but i don't know how to store them there to begin with. I want to store two username:password pairs in the web.config file preferably encrypted.
one of these username:password pairs i want to be hard coded. The other i want to be able to be reset with a password reset form which I will code later. I guess there maybe a method for creating a sername:password entry in the web.config which could be used with my password reset form if such a method exists. But I need to know how to hand code the username:password entries into the web.config file to begin with and to beable to create the hard coded pair.
code I need to add to my web.config file i need to add and in what section?
also can you point me in the direction of a method used for creating username:password entries in web.config
I setup a website to use hashed passwords with the membership provided by Asp.net. I'm looking for a way to convert all passwords to clear text. Hashed passwords are overkill for this site and many users can't figure out how to cut and paste the complex temporary password when they request a forgotten password. I understand that you can't retrieve a hashed password.
I have been killing myself over this for a couple weeks now and cannot find a viable solution. Here's my scenario:
I have a DTSX package that imports user data from an external database. It then creates user accounts and profiles in the local database. Users can also be created via a custom ASP.NET Membership Provider. The provider must be able to authenticate both types of users.
This was all fine and dandy during development because passwords were stored as clear text. However, now that we're ready for release the passwords format of the provider must be set to encrypted and so the users created via the DTSX must be created with an encrypted password. (I'd prefer the passwords were hashed but the client's requirements are that passwords be recoverable). The real problem seems to be creating an encrypted password within the DTSX that will be decryptable by the ASP.NET Membership Provider.
My original solution was to have the DTSX call a CLR stored procedure that had access to the same encryption logic as the provider. I got it working but our client wouldn't enable CLR integration. So that's out the window. Now I'm investigating alternatives. One alternative is to simply use the built-in encryption methods of T-SQL. But how do I share the keys used for the encryption/decryption?
My question is, is it possible to generate a password in T-SQL, say using EncryptByKey, that will also be decryptable by my provider? This means that the key in SQL must match the key in my machineKey configuration.
