I have a Web Application (C# pages mixed with ASP.NET and some Javascript pages) on a Windows 2008 Server with IIS 7.0. I have just a few users that will hit this externally (not on the server). So in order for them to get a simple Username/Password form to pop up, what must I do? Could the users Usernames and Passwords just be added to a section in the webconfig file so I could maintain it that way?
View 1 Replies
any link or reference will be appreciated reagarding sample Library application in .net 2.0
View 2 RepliesWe're planning to build a web application that needs to be highly secure because a lot of money and reputation is at risk. Therefore I'm looking for tools and technologies that in that endeavor. The tools and technologies should prevent things like SQL injection, cross-site scripting vulnerabilities, remote code execution etc.
Our team has a solid knowledge about such vulnerabilities. But every developer makes mistakes, and a simple mistake shouldn't lead to a security vulnerability. They should be prevented or detected by web application framework, application server, programming language, security library, code analyzer etc.
A simple example: If you insert data into HTML, it needs to be escaped so it's properly displayed and not misused for injecting scripts. Some web application frameworks put this burden on the developers. If they forget the escaping in one place, they've got a security problem. A good tool wouldn't just do the escaping automatically, it would even prevent the developers from doing it forcefully.
I'm not looking for recommendations regarding the firewall (we have a good one), hardening the operating system (that's part of the plan), use of encrypted communication (it will be the only option) and secure authentication (a hardware token will be used). Rather, the recommendations should center around the application server and the web application software to be built.
We also fully understand that writing secure software is more than just technology: It involves knowledgable people, management attention, time and money and software quality processes. So far, this is not the problem and not the focus of this question.
I should mention that we have a certain bias towards Java and .NET.
So what tools and technologies or combinations thereof can you recommend us?
I have a graphical user interface for my company product.I want to secure the data being sent back and forth between client and server.
Is SSL one of the options? some1 tell me the steps on how to implement it in my application code.
Do i need to buy the certificate or can i make it.. which is the best choice?
I am logging in using FormsAuthenticationTicket as follows:
Session["userName"] = UserName.Text;
Session["password"] = Password.Text;
Session["domain"] = Domain.Text; [code]....
I have developed An Inventory Management System in ASP.Net . The application is hosted now ... From manager to data entry operator every1 z having seperate login , roles and limitation to access website ... From Our office every1 is accessing the application and working on it. My question is even they can access the apllication from public PC (Browseing Center) ?? coz they knew the password. Am i rite. Now, I need to restrict my application access in public PC (Browseing Center)? Can i limit accessing of my website application only in office not in public PC (Browseing Center)? can i allow certain IP to access my website application?
View 11 RepliesI have asp.net application deployed on local server what i want is to access application remotely through public(live)[We have one)..
View 5 RepliesI am rather new to asp.net but I have built a couple of apps that do not require users to login. am having some problems moving my secure .net application from my laptop to a production server, however, and I am hoping someone can help me. On my laptop my application's user authentication functions as it should, but when I move my application to a webserver I get an assortment of errors. Forgive me if these questions are a little basic. My first question is this. In a production environment do I move the ASPNETDB.MDF file in the App_Data folder to my SQL server? Is it OK to rename it to something more descriptive?
View 4 RepliesI am trying to find a solution to control the number of logins on asp.net application. I need to install the application in the client server, and set the number of licences. e.g. only 10 users are allowed to access the app.
Every time someone tries to login I need to check how many user are logged in, compare with the total allowed then authorize that user to proceed.
I tried with Certificate, but I couldn't see where to match the number of logged in users with the max number of allowed user.
Also I would like to use the IP address as identifier, then if I open 3 browser windows, it count only one user logged.
Basically this web application will be sold by licences. We need to control the logins per computer, and not per user, and block logins if the limit of logins are reached.
Be built an MVC application. Some of the pages require being under SSL encryption. Means the whole site need to be broken down to sections (http and https)The immediate solution that comes to my mind is creating two IIS sites (port 80 and 443) and break the application to two sites (public-http and private-https). Since the site is complex, breaking it into two applications will be huge work.What is the easiest way of doing this?Is there any link or article that explains the best practices doing this?
View 1 RepliesWe need to secure how our web application access our SQL 2008 database on our hosted server. Any pointers where this is covered in detail? We have the following questions:1. right now the network service account runs the application pool containing our application in IIS. Should we define a local windows user account to run this application in IIS 6? Should we switch to Windows authentication?
View 3 RepliesI can access a module from code behind but not from the aspx page in inline VB code <% ... %>.
I know its got to be something simple but I can't seem to find the answer anywhere.
I am interested in finding out how I would go about displaying a website wiithout forms authentication but to utilise forms authentication when the user makes a request by clicking in the signin button, and then the user will view other pages that are private and secure,
View 2 RepliesMy web application will be launched through existing thick client applications. When launched, an HTTP POST request will be generated including information like the userID and additional context information (basically stuff like the target user's name, birthday, etc.).
My plan for authentication is for there to be a look-up table in the database. If the username is already there, automatically login the user, but if there is no entry in the database, redirect the user to an initial login page which will be used to create that database entry.
My question is how to secure this against MITM and other security holes. How can the request generated through the thick client be on an SSL connection? Doesn't an SSL connection have to be authenticated with the username (and password) first? And if so, will the additional context information be publicly exposed until the user is logged in?
I have a browser compatibilty problem with https? I have SSL installed and is in usage. Until today morning, my https part is working well. From then, Https is shown as https(with slashed in red color) saying the page has some insecure content. I have not changed any code and suddenly i see this problem in chrome. In IE 8, i see the same problem but on every page, it shows me a popup if i should allow to opne secure and non secure or just secure. Firefox has no issues . It shows correct https without any problem. I am fed up with it searching all over. Why is this happenening for me in Chrome and IE 8.
View 3 RepliesI'm looking at starting a new web app which needs to be secure (if for no other reason than that we'll need PCI (Payment Card Industry) accreditation at some point). From previous experience working with PCI (on a domain), the preferred method is to use integrated windows authentication which is then passed all the way through the app to the database using kerberos (so the NT user has permissions in the DB). This allows for better auditing as well as object-level permissions (ie an end user can't read the credit card table). There are advantages in that even if someone compromises the webserver, they won't be able to glean any/much additional information from the database. Also, the webserver isn't storing any database credentials (beyond perhaps a simple anonymous user with very few permissions for simple website config)
So, now I'm looking at the new web app which will be on the public internet. One suggestion is to have a Active Directory server and create windows accounts on the AD for each user of the site. These users will then be placed into the appropriate NT groups to decide which DB permissions they should have (and which pages they can access). ASP.Net already provides the AD membership provider and role provider so this should be fairly simple to implement. There are a number of questions around this - Scalability, reliability, etc... and I was wondering if there is anyone out there with experience of this approach or, even better, some good reasons why to do it / not to do it.
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0
I am assuming this can be done because I see lots of websites where login fields are on available on every page and they are running http and I can believe they are not encrypting the login credentials.
How do declare a public variable .aspx web page that can be used in all the pages within my web application? And/or create a Public Sub?
View 3 Replies[URL=http://img833.imageshack.us/i/errortnk.jpg/][IMG]http://img833.imageshack.us/img833/5995/errortnk.jpg[/IMG][/URL]
Why is this happen? Whenever i drag wat tool from toolbox, it all become big size and long.
I would like to know how deadlock is happen, i have facing alot of sql deadlock in my event handle on server computer.
View 3 RepliesI have a GUI when i log in i create a cookie and it encrypt it. I am usin SSL.
I check in the Login.aspx page if the cookie is secure, which it is. but then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..
Now i know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page excet that the secure value is "False".
this is the case for all other pages after default. the value of the cookie.secure is false.
why is this happening as i want all the pages to be secure by SSL.
Also the pages are opening as https not http.
here is my web.config
[code]....
After logging to the mvc site using a secure connection (https), calling actions using https connection show up with the user logged in but calling actions using http it bahaves as if user didn't log on. Since I need to use a virtual directory for https connections(and can't use that directory for http connection) Https links start with: [URL]
View 1 RepliesI'm working on a legacy web application - frames and a mixture of html, asp and aspx. The entire site is https. For some strange reason when I hit a specific page I get the magic message that says the Page contains both secure and nonsecure items. (IE obviously doesn't want to tell me what those resources are) I have checked the page that's being loaded and there are absolutely no http://... links - everything is relative links.
I have fired up fiddler and checked what's being requested - everything looks fine. I am completely at wit's end here. I have absolutely no idea why I'm getting this message, but it's completely screwing with the site.
I have a question about C Sharp ASP.NET:Is there a difference (in code speed, resources) between:public static variable declared in public static class MyGlobals in a 'Code File' template;and the variable declared in a normal 'Class File' template;I use this variable in 2 different Class Files and also in _Default Page codebehind cs file.In fact in my case I need about 20 global variables of type List<string>.
View 9 RepliesI am developing a web application in which the clients wants to send a pdf copy of aa Authenticated Page to users and as well as to the administrator..
As I google about this problem but didnt find any solution.
Because in all cases I have to pass the url of the secure page to the function...and in runtime when function make a webrequest to the page it will always generate the PDFof the login page.
So is there any way to generate the PDF of a secure page in C# ASP.Net
I've got an external site that's built in SharePoint 2007. the user of the site need to have an option to view the full site when accessed from a mobile device. I am thinking of just creating a button control to do this. The question is, what would be the best solution to do this?
View 1 Replies
