I am rather new to asp.net but I have built a couple of apps that do not require users to login. am having some problems moving my secure .net application from my laptop to a production server, however, and I am hoping someone can help me. On my laptop my application's user authentication functions as it should, but when I move my application to a webserver I get an assortment of errors. Forgive me if these questions are a little basic. My first question is this. In a production environment do I move the ASPNETDB.MDF file in the App_Data folder to my SQL server? Is it OK to rename it to something more descriptive?
I want to insert in two table at the same time.I write this:
DALBase MyDALBase = new DALBase(); int categoryId=Convert.ToInt32(MyDALBase.ExecuteScaler(System.Data.CommandType.StoredProcedure, "insertmainmenu", new SqlParameter[]{ new SqlParameter("@NodeName",txt_mainmenuname.Text),
[Code]....
but the problem is I havent access to categoryId before InsertI need categoryId to make a Urlstring url = txt_ MainEnName.Text + ".aspx" + "&CategoryId=" + categoryId;@Url =urlHow can i do it?
I've developing an ASP.NET application that interfaces with Google Maps and retrieves marker information from a database. The marker information is split into tables in the database, where the name of the table reflects a company (e.g. CompanyA_MarkerData, CompanyB_MarkerData etc). In order to periodically update the map with new marker data, I use setTimeout in JavaScript to regularly call my 'UpdateMarkers' JavaScript function. 'UpdateMarkers' makes a call to a web service which performs the database query and returns a list of markers back to the JavaScript, which in turn updates the map.
The main issue I have with this method is that my web service requires that I pass it the name of the company so that it knows which table in the database to access. As you can imagine , this poses a security risk as anyone can pass a different company name to the web service and be able to retrieve the data from other companies, as well as their own.
In order to avoid this problem, I am restructuring my program as follows: When the system administrator creates users for my application, they can also assign a company ID to this user. The company ID is stored using the Profile object in ASP.NET. I am moving the web service code into a class with shared functions so that they can be called only within my pages (but not by anyone, like with web services). The functions will still require a company name passed to be passed to them. However, rather than the JavaScript making direct calls to these shared functions, the JavaScript will call a set of page methods (which as I understand it, are not public like web services). These page methods will then use the Profile object to retrieve the company name attached to the user currently logged in and then make a call to my shared database functions and return the info back to the JavaScript.
I think that this second method is more secure than the first, because I don't allow the client to pass different options to my code and retrieve unauthorized data. The server side code works out the parameters that need to be sent. However, I am wondering if there is a better way of doing this that I am missing out?
If I deploy my ASP.NET project to a shared server web hosting, then is there a way to secure my source files so that the provider will not be able to access the source?. For example, the provider of my web hosting may download my files and then he will be able to get access to all my source.
I recently came aware of some knowledge I was not aware of before. One of my friends said that publishing a website with the code behind is a security risk. Instead, he insisted I only publish with the DLL's to prevent hackers from altering your code. Is this true? What are the advantages and disadvantages for doing this?
I have a Web Application (C# pages mixed with ASP.NET and some Javascript pages) on a Windows 2008 Server with IIS 7.0. I have just a few users that will hit this externally (not on the server). So in order for them to get a simple Username/Password form to pop up, what must I do? Could the users Usernames and Passwords just be added to a section in the webconfig file so I could maintain it that way?
Code in DLL can only be obfuscated. IN my DLL how can I import a third party DLL into my DLL? Can I obfuscated the code but not the functions and sub header names?
To be able to implement paging i need to create a helper class (as mentioned on one example in the net ); so i have created a class that encapsulate the paging logic
public class PagingList<T> : List<T> . ..
but when i reference this class in my view using the code below:-
Models.PagingList<Article>
The following error occurred. Server Error in '/' Application. Compilation Error Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately. Compiler Error Message: CS0246: The type or namespace name 'Article' could not be found (are you missing a using directive or an assembly reference?) Source Error:
[Code]....
Source File: c:UsersMohannadAppDataLocalTempTemporary ASP.NET Files oot1f3f505f568b8e69App_Web_index.aspx.82d38c66.ffjpt45i.0.cs Line: 172 Show Detailed Compiler Output:
We're planning to build a web application that needs to be highly secure because a lot of money and reputation is at risk. Therefore I'm looking for tools and technologies that in that endeavor. The tools and technologies should prevent things like SQL injection, cross-site scripting vulnerabilities, remote code execution etc.
Our team has a solid knowledge about such vulnerabilities. But every developer makes mistakes, and a simple mistake shouldn't lead to a security vulnerability. They should be prevented or detected by web application framework, application server, programming language, security library, code analyzer etc.
A simple example: If you insert data into HTML, it needs to be escaped so it's properly displayed and not misused for injecting scripts. Some web application frameworks put this burden on the developers. If they forget the escaping in one place, they've got a security problem. A good tool wouldn't just do the escaping automatically, it would even prevent the developers from doing it forcefully.
I'm not looking for recommendations regarding the firewall (we have a good one), hardening the operating system (that's part of the plan), use of encrypted communication (it will be the only option) and secure authentication (a hardware token will be used). Rather, the recommendations should center around the application server and the web application software to be built.
We also fully understand that writing secure software is more than just technology: It involves knowledgable people, management attention, time and money and software quality processes. So far, this is not the problem and not the focus of this question.
I should mention that we have a certain bias towards Java and .NET.
So what tools and technologies or combinations thereof can you recommend us?
I will have my asp.net site on a shared hoster. Whats the best way to prevent others hacking and viewing my code? The code I most want to secure is in usercontrols and some more code is in class modules. vb.net/MSVS2005/Ajax) Or do I secure the whole site? I also here some encypting code tools cant handle sophisticted code. Also does encryption slow down code and make the site harder to manage...
I am trying to find a solution to control the number of logins on asp.net application. I need to install the application in the client server, and set the number of licences. e.g. only 10 users are allowed to access the app.
Every time someone tries to login I need to check how many user are logged in, compare with the total allowed then authorize that user to proceed.
I tried with Certificate, but I couldn't see where to match the number of logged in users with the max number of allowed user.
Also I would like to use the IP address as identifier, then if I open 3 browser windows, it count only one user logged.
Basically this web application will be sold by licences. We need to control the logins per computer, and not per user, and block logins if the limit of logins are reached.
I am developing 2 Applications. One WebForms and the other is MVC. How can i secure the code such that when i deploy them to the clients production environment, they cannot be simply picked up, copied and repackaged by someone else?. I simply need a way to protect my intellectual property. Can this be done in Visual Studio 2010?
We need to secure how our web application access our SQL 2008 database on our hosted server. Any pointers where this is covered in detail? We have the following questions:1. right now the network service account runs the application pool containing our application in IIS. Should we define a local windows user account to run this application in IIS 6? Should we switch to Windows authentication?
My web application will be launched through existing thick client applications. When launched, an HTTP POST request will be generated including information like the userID and additional context information (basically stuff like the target user's name, birthday, etc.).
My plan for authentication is for there to be a look-up table in the database. If the username is already there, automatically login the user, but if there is no entry in the database, redirect the user to an initial login page which will be used to create that database entry.
My question is how to secure this against MITM and other security holes. How can the request generated through the thick client be on an SSL connection? Doesn't an SSL connection have to be authenticated with the username (and password) first? And if so, will the additional context information be publicly exposed until the user is logged in?
I have a browser compatibilty problem with https? I have SSL installed and is in usage. Until today morning, my https part is working well. From then, Https is shown as https(with slashed in red color) saying the page has some insecure content. I have not changed any code and suddenly i see this problem in chrome. In IE 8, i see the same problem but on every page, it shows me a popup if i should allow to opne secure and non secure or just secure. Firefox has no issues . It shows correct https without any problem. I am fed up with it searching all over. Why is this happenening for me in Chrome and IE 8.
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0
I am assuming this can be done because I see lots of websites where login fields are on available on every page and they are running http and I can believe they are not encrypting the login credentials.
If I have users upload images to my web server, and they are simply stored in a folder, how secure are they? This of course is assuming that IIS is configured not to serve image files directly from a browser request, or mods are made in the web.config file to prevent direct access, etc, ex:[URL]
I'm wondering if theres already a combo let say jQuery - Some C# DLL to proive a secure both way communication between ASPX forms with jQuery and a control layer based on ashx files with C# classes...[From comment below]Well I see I have to be more specific. The are things like sniffers on simple network analysis tools even like Firebug that let you see the data transfered via POST or GET. The idea to secure a Server Client application is to ensure that data isn't corrupt and compromised, and to achive that you have to make imposible to an atacker to report false info so the best is to have improved some cryptographyc algorithms both on client and server to crypt decrypt encode decode data...
How do I go about securing files that are stored on the server? We have an ASP.NET app which generates PDFs. These are not stored in the wwwroot folder but in another folder i.e. C:inetpubdata. This provides more security but maybe not enough. The ASP.NET/IIS process will need write access to this folder so it generate the PDFs there.
Once the pdf is generated, it can be viewed using an ASP.NET form called viewpdf.aspx with the file to be viewed add to the query string like so viewpdf.aspx?FILE=mynewfile.pdf. This is loaded from a gridview.
The full path to C:inetpubdata is resolved and loaded in the Page_load event of the viewer page. Now I'm wondering how to secure this. Anybody could just view the file. Not by entering in the URL, as it won't been seen by IIS (its not in wwwroot), but could change the querystring in the viewpdf page.
I have a GUI when i log in i create a cookie and it encrypt it. I am usin SSL.
I check in the Login.aspx page if the cookie is secure, which it is. but then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..
Now i know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page excet that the secure value is "False".
this is the case for all other pages after default. the value of the cookie.secure is false.
why is this happening as i want all the pages to be secure by SSL.
After logging to the mvc site using a secure connection (https), calling actions using https connection show up with the user logged in but calling actions using http it bahaves as if user didn't log on. Since I need to use a virtual directory for https connections(and can't use that directory for http connection) Https links start with: [URL]