Security - Is Built In Membership Hashing Good Enough
Feb 7, 2010
I'm just wondering if the built in Hashing in the ASP.Net membership is good password security, or if there is more that I should do to protect my passwords? If so, what should I look into for a higher level of security?
View 2 Replies
Similar Messages:
Jan 5, 2010
I am planning to write a custom 'password reset control' that allows an Administrator to reset the user's password, while using the ASP.NET built-in 'login' and 'create new user' controls. For this reason, I will need the hashing algorithm (hopefully I can call some .NET class and method) to perform this.
View 1 Replies
Jan 13, 2010
Is there a way to snag the database id of a newly created user after CreateUser has been called? I need to be able to tie that id to another database table. From what my book shows me, it looks like member info is encrypted, so merely looking at the membership database table.
View 11 Replies
Feb 18, 2011
I am creating an interface for User Role Management based on built in membership provider. I want to display all the roles as check boxes for a selected user. I am able to display all the roles in the database, but not able to load the specific user roles. For example, I am able to publish role 1 role 2 role3 role 4 as check boxes. But if the user is already flagged as role 1 and role 3, I am not able to show that data (role1 and 3 should be checked when form loads, but right now, they are not checked)... How do I get the roles as checked boxes display on a page. I am using a repeater control to display roles as check boxes on the page.
<asp:Repeater ID="UsersRoleList" runat="server">
<ItemTemplate>
<asp:CheckBox runat="server" ID="RoleCheckBox" AutoPostBack="true" Text='<%# Container.DataItem %>'
[code]...
View 1 Replies
Jan 23, 2011
used the built-in Membership framework and has implemented his own provider by creating a class that inherits from MembershipProvider (found in System.Web.Security). I actually went ahead and created a custom provider which inherits from MembershipProvider. The problem is that there are several methods I do not really need. Also, the schema is totally different. Plus, most methods return a MembershipUser which means my User class has to inherit from it as well. So really, what benefits does the MembershipProvider and the whole Membership framework add to my system? Do these benefits justify the fact that I won't be using most of the methods on the class?
View 7 Replies
Aug 31, 2010
I am using ASP.NET 3.5 and SQL Server 2005. Currently while creating users, the password will be stored in the database using SHA256 algorithm. And in the Log In time entered password will be hashed with a salt and this salted password only transmitted through network (javascript). This is for increasing security without using SSL connection. I am planning to use ASP.NET 3.5 login controls. How can I use client side hashing (SHA256 salted hashing) along with ASP.NET Login Controls. And also each login attempt should be logged, in a separate database table with IP address, user agent and so on.
View 3 Replies
Jun 23, 2010
I want to apply some better security measures to an existing web application. Currently, my connection string contains the user name and password in plain text. I'm also using a custom membership provider, which stores user names and passwords in the web.config file as plain text [URL] I would like to secure this information using an algorithm such as SHA1.
View 1 Replies
Feb 8, 2010
Before I continue I'm going to let everybody know that I am not trying to follow a traditional .Net Membership Provider. I'm attempting to write my own Membership Provider which does not extend the default .Net Membership Provider b/c I feel that in areas it can become extremely cumbersome. Please keep this in mind before responding. Also keep in mind that I am trying to learn from this experience, not find an easy solution for some client's application. I am writing a custom membership provider that has password formatting functionality similar to .Net's default membership provider. I'm looking for some good/easy examples of ways to encrypt/decrypt or hash password values. I previously tried going the RSA route, but got stuck when I had to Import an RSAParameter and was unsure of how to generate a RSAParameter.
I would like to have both Hashing and Encryption available, but only need Encryption. I'm also looking for a very strong encryption. I'm storing the password format in an external .xml file (similar to how the web.config stores the password format for .Net's Membership Provider) which will become manageable from the administrative side of my web application. If anybody knows of any existing Encryption libraries that may provide assistance, please feel free to post links. I only ask that they be open source solutions so I can see how they went about doing this.
View 4 Replies
Mar 24, 2010
I'm running into a weird issue that I can't find an answer for anywhere I've looked (and I've looked a ton). I built a web deployment project with Visual Studio 2008 Team System on my old Win XP machine. This has always worked flawlessly and installed everywhere. I can also copy this MSI to my new Windows 7 Ultimate machine and it again installs just fine.
HOWEVER, when I rebuild that exact same web deployment project on my new Win7 machine, also using VS2008, the MSI will build OK, but when I then run it to install my software I get a dialog box telling me "the installer was interrupted." Interestingly, when I built this MSI in my new environment one additional warning popped up during the build process, which was "Unable to copy the schema file '(null)'". After many searches and reading different web pages, I know this has to do with these two registry keys:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftVisualStudio9.0DeploymentSchema]
"DefaultMSISchemaFile"="c:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\Deployment\Vspkgs\..\VsdSchema\Schema.msi"
"DefaultMSMSchemaFile"="c:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\Deployment\Vspkgs\..\VsdSchema\Schema.msm"
Yet, everything checks out. All permissions are correctly configured, etc., etc. Then, when I enable the built-in administrator account and log in as that, and then rebuild this same web deployment MSI the "Unable to copy the schema file '(null)'" warning no longer appears. Then when I log back out, log back in as myself and then run this newly built MSI it installs fine, just like the original one that was built on XP. I also tried uninstalling VS2008 and re-installing it as the super user, but that also didn't change anything. And yes, I did also configure devenv.exe to run as administrator.
Has anybody seen this? Or is it a requirement that you can only compile deployment projects as the super user? That cannot be right. I've been thrashing for more than five days and for the life of me cannot figure this out. Of course, I can run as the super user when developing, but I thought the new security model in Win7 was designed exactly so you don't have to.
View 1 Replies
Apr 22, 2010
Is there an in built function in ASP.NET to hash passwords??
View 5 Replies
Jun 8, 2010
I am looking for something that takes an IIS/ASP.NET website that uses forms authentication and repeatedly tries to log in, either with all possible passwords or with passwords from a dictionary.
I can probably write something up, but I wondered if there was anything publicly available that would be better implemented.
View 3 Replies
Aug 6, 2010
I am looking for a good video that shows in detail how to implement Impersonation.
Does anyone have websites that I can go look at?
View 1 Replies
Apr 13, 2010
I'm using my own role management and user management in my application, I now need to use forms authentication. How can I do this?
View 3 Replies
Jul 12, 2010
I'm having a hard time figuring out what's going on with my IIS. My application was running in IIS very well until I used Visual Studio Copy website to update the files in the wwwroot. All of a sudden I got this error. My application works fine from the file system. I tried deleting my application from IIS and uninstalled from control panel and ran the newly built msi/exe but I never got my application back whatsoever. This is web.config for reference. I've also tried <trust level="Full"> element but this didn't help. I remember the whole problem started when I was trying to debug the functionality to upload and download files in ASP.Net.
[Code]...
View 2 Replies
Sep 9, 2010
I'm working on a website where it should be possible for registered users to upload word documents. The administration of users is done through Membership and Profiles. When the documents have been uploaded, the following needs to be achieved:
Non-registered users should not be allowed to download documents
I should be able to control which users have access to which documents
I should be able to register which user downloads which documents
I should be able to track how many times a document has been downloaded
Can this be achieved by using Membership and Profiles?
View 1 Replies
Feb 28, 2011
I'm trying to use the Membership.CreateUser method without passing a security question and answer. I set them to string.empty, but no go. I have my provider set to not require a question in my web.config. What am I doing wrong?
[Code]....
View 2 Replies
Feb 9, 2011
I'm using ASP.NET membership for a site that will serve primarily sophisticated users. I understand the difference between hashed and encrypted passwords, and I'm trying to decide between the two. After my last client complained bitterly about hashed passwords being a total PITA, I've started to favor encrypted passwords. But someone suggested this just isn't secure enough. So my question is: What, exactly are the risks of encrypting passwords? Any person with the ability to steal passwords by decrypting them from the database would surely have the ability to reset them if they were hashed, no? I'm having trouble seeing where someone could cause trouble with encrypted passwords but couldn't with hashed ones. Making it convenient for users is also important.
View 4 Replies
Feb 11, 2010
I'm administrating servers running IIS 6, hosting a website on ASP.NET 2.0. Yesterday I installed .Net framework 3.5, and all my user authentication system was lost. Users can't log in, because their passwords aren't getting authenticated, maybe because the hash function has changed in 3.5??? I can't really get to the code, but I know it uses an extension called CodeSmith. Do you know of any break the 3.5 upgrade could cause?
View 1 Replies
Jan 5, 2011
This is my first membership provider; I converted the sample provider [URL] to SQL. I created a vb class provider and put it into the App_Code folder. After it was created I tried to modify my webconfig but the error pops up. I don't know what else to try, I don't know if I have missed something
webconfig:
[code]....
View 1 Replies
Feb 9, 2010
I have started to implement asp membership. I go to the administration page and click provider. I have a database on a server on the local network that I want to install my members tables in. When I run the aspnet_regsql.exe it doesn't ask me what SQL database I want to use and seems to default to my local SQL Server 2005 installation. How do I change this to use my SQL Express database on a local server?
View 6 Replies
Aug 10, 2010
I have to implement a small webshop. Basically it's just a website with a huge backend ERP System and with the possibility to sell one (yap, really only one!) product on the website. The only requirement is a MySQL Server. The backend is almost finished (about 95%) and is secured with the .net MemberShip Provider for MySQL (the one in MySql.Web from the MySql Connector .NET).
Now to my question: I can set up the membership system easily but I do not need such things like username or password-question but I would need a reference to an address table to store the users home address. So, it is possible to change or customize the membership system to for eg. a unique customer id instead of the username column and set this in codebehind when the user is creating a new account? And is it possible to insert new users/customers from codebehind in an easy way? (I mean without checking each foreign key and inserting the customer reference to the userinrole table and so on...)
View 10 Replies
Apr 14, 2010
I am building a site and I want to use the default membership controls provided with asp.net like Login View Control etc. I don't want to use the ASP.Net Membership DB as I want to use my own Security structure and I don't want to inherit the ASP.Net membership class either. In my case how can I use these controls to aid me like how will a login view control detect if someone is authenticated or not.
View 7 Replies
Feb 9, 2010
I'm trying to optimize my ASP.NET thumbnailing script, so it doesn't resize all the images all the time, and one part of the problem is choosing the hash function for the thumbnail naming/checking procedure. Is crc32 up to the task - I'm asking 'cause the input data is small (only relative path, size and date)?
View 1 Replies
Nov 13, 2010
Usually in sub-folder we will limit the access right to some roles and this feature requires pre-defined database schema.
However, if I still want to use this role feature of asp.net, but I do not like the pre-defined database schema, I want to extract role information from my own database table and bind it to the role.
View 2 Replies
Feb 8, 2011
So, I am using the approach David Hayden posted on his blog [URL] to create a salt and hash the user's password by taking the user's raw password and the generated salt and using SHA1 to hash the value. I then store the salt and the hashed password in the database. The website is currently load balanced, so I was wondering if the resulting hash value would be the same for both servers. Here is the snippet of code posted on David Hayden's blog:
private static string CreateSalt(int size)
{
    // Generate a cryptographic random number.
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buff = new byte[size];
    rng.GetBytes(buff);
    // Return a Base64 string representation of the random number.
    return Convert.ToBase64String(buff);
}

private static string CreatePasswordHash(string pwd, string salt)
{
    string saltAndPwd = String.Concat(pwd, salt);
    string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(
            saltAndPwd, "sha1");
    return hashedPwd;
}
The reason I ask is that this code uses the code snippet: FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "sha1");
View 3 Replies