Security

How to make MVC3 application authenticate both Windows and Forms

2013-05-19T17:45:00.11-04:00

I am developing an MVC3 application for a customer service team. I am using default login and registration controls in my application. I have to use both Form Authentication and Windows Authentication. For the customers who come online to insert their comments, it will be Form Authentication for them. For the customer service staff, the system has to use their Windows Authentication to login them (if they they have logged into the their windows account the website should recognize their login details and authenticate them.) How can I make my MVC3 application to authenticate both Windows Authentication for the staff and Forms Authentication for others? Thanks

Site directs to login when login successful

2013-05-18T23:06:11.05-04:00

So I have been developing and testing an ASP.NET 4.0 site on IIS7.5 with no problem.

I can login (using forms auth) and it would direct me to the right page and be able to carry out actions - things like submitting a form.

But when deployed to IIS6 (WS2003 + all updates), I get VERY wierd and unexplained behavior when even after logging in, it seems to come back to the login page. There is no code to do this at all.

Sometimes it directs me to a page I expect but then when submitting the page (i.e button click), directs me back to the login page... when i login again, directs me back to the login page.

looked in the eventlogs - no events logged.

any ideas what could be happening here?

verification through Email

2013-05-18T07:20:08.66-04:00

i am creating a website for event registration online , in which i have designed a page for cancellation of registration ,that page will take user id to cancel the registration .

for that i want to authernticate the user through email id .

how can i achieve this , please provide me the code and explanation

Error Event 1309

2013-05-19T06:23:49.44-04:00

Dear all,

We developed an app using WCF and a client ASP.net and we have this error. Help me please.

Application information:
Application domain: /LM/W3SVC/2/ROOT/SCMClient-1-130133783332281776
Trust level: Full
Application Virtual Path: /SCMClient
Application Path: D:\SCM\publicar\SCMClient0\
Machine name: SERVIDOR

Process information:
Process ID: 6852
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: MessageSecurityException
Exception message: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

Server stack trace:
at System.ServiceModel.Security.SecuritySessionClientSettings`1.SecurityRequestSessionChannel.ProcessReply(Message reply, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
at System.ServiceModel.Security.SecuritySessionClientSettings`1.SecurityRequestSessionChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at SCMClient.ServicioUsuario.IServicioUsuario.GetMenuUser(CierreUsuarioDTC usuarioDTC)
at SCMClient.ServicioUsuario.ServicioUsuarioClient.GetMenuUser(CierreUsuarioDTC usuarioDTC) in C:\Users\Wilfredo\Desktop\CierreMinaCode - copia (2)\SCMClient\SCMClient\Service References\ServicioUsuario\Reference.cs:line 295
at SCMClient.Master.Main.CargarMenu() in C:\Users\Wilfredo\Desktop\CierreMinaCode - copia (2)\SCMClient\SCMClient\Master\Main.Master.cs:line 35
at SCMClient.Master.Main.Page_Load(Object sender, EventArgs e) in C:\Users\Wilfredo\Desktop\CierreMinaCode - copia (2)\SCMClient\SCMClient\Master\Main.Master.cs:line 25
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

The message could not be processed. This is most likely because the action 'http://tempuri.org/IServicioUsuario/GetMenuUser' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.

Request information:
Request URL: http://sreasons.com/SCMClient/Views/View_inicio.aspx
Request path: /SCMClient/Views/View_inicio.aspx
User host address: 190.40.101.64
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
Thread ID: 22
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at SCMClient.ServicioUsuario.IServicioUsuario.GetMenuUser(CierreUsuarioDTC usuarioDTC)
at SCMClient.ServicioUsuario.ServicioUsuarioClient.GetMenuUser(CierreUsuarioDTC usuarioDTC) in C:\Users\Wilfredo\Desktop\CierreMinaCode - copia (2)\SCMClient\SCMClient\Service References\ServicioUsuario\Reference.cs:line 295
at SCMClient.Master.Main.CargarMenu() in C:\Users\Wilfredo\Desktop\CierreMinaCode - copia (2)\SCMClient\SCMClient\Master\Main.Master.cs:line 35
at SCMClient.Master.Main.Page_Load(Object sender, EventArgs e) in C:\Users\Wilfredo\Desktop\CierreMinaCode - copia (2)\SCMClient\SCMClient\Master\Main.Master.cs:line 25
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Custom event details:

Automatically create account for employee using membership MVC3

2013-05-18T21:04:22.65-04:00

Hello everybody ! Fisrtlly ,using MVC3 in a Humain Ressource Management project (SQL Server 2008 r2, Entity framwork) . I have a table named "Employee" in my database that content Employee information, my problem is how to create account for everey employee automatically after adding. So ,how to connect my table "Employee" to the "aspnet_users" table in the memebership provider !!! and the relation betwwen tables (one to one or one to many ???)

send email using C# Visual Studio 2010

2013-04-17T13:36:34.1-04:00

i want to create a website that will send an email after registration using asp.net and c# visual studio 2010 .

does any one can tell me the procedure to send email and i am working from home .

is it possible to send email with the help of gmail settings , if yes , then tell me how?

How To Protect My Website From Automated Posts (Can't Use Captcha)

2012-09-08T11:42:03.867-04:00

Hello, i have MVC3 social website, users can place comments on an article by ajax. such commenting can be automated to ruin to the website. how to protect myself from that? sure i can't use captchas here, we don't expect the user enters that difficult thing everytime it posts something.

thank you :).

File Upload Type Check Headers

2013-05-16T13:34:32.047-04:00

        if (fluTypeCheck.HasFile)
        {
            string strExt = System.IO.Path.GetExtension(fluTypeCheck.FileName);
            string strPath = fluTypeCheck.PostedFile.FileName.ToString();
            if (System.IO.File.ReadAllText(strPath).Contains("%PDF-1"))
            {
                Response.Write("<script>alert('Its a Pdf')</script>");

            }
            if (System.IO.File.ReadAllText(strPath).Contains("\x4D\x5A") || System.IO.File.ReadAllText(strPath).Contains(".bin�]"))
            {
                Response.Write("<script>alert('Its an Exe')</script>");

}

            if (System.IO.File.ReadAllText(strPath).Contains("\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00"))
            {
                Response.Write("<script>alert('Its a doc')</script>");
            }

}

How to use fields from aspnet_tables on a Custom table

2013-05-16T21:33:45.26-04:00

Hi, I'm doing a Basic Web Site for a project, and i came across a problem.

Basically, one of the requirements of the Web Site is to have a table that contains the Users that register on the site. Basically it has to have something like User_ID, User_Name, Password and Role....(I created the roles ("Basic User" and "Admin"))

What i had in mind was to create a table that has the ID starting at 1 and every time someone registers, it adds the username,pass and role... i.e.(1 User1 Pass Basic User

2 User2 Pass Admin etc..)

The thing is that i cant seem to be able to get those fields from the tables (aspnet_Users, aspnet_Roles) all on one custom table with an id that starts at 1 ... what i want is every time someone registers the id is incremented by one and the user added to the table and to associated with that id ...

I hope i making myself clear xD, if not i'll try to be more specific

Hope someone can help, Thanks in advance

Two applications cannot be login and used together on a client browser

2013-05-17T01:11:07.733-04:00

Dear All,

In a Windows Server 2008 (64bit), there is an IIS. Under the default web site, there are two asp.net 4.0 applications (Application A and B) using Forms Authentication.

Each application has unique machine key.

However, on a browser with different tab, when having signed in to application A, application B is automatically signed off. When sign in to application B again, application A is signed off. The signing are mutual exclusion.

How to solve this?

Unable to connect to SQL Server database

2013-05-17T13:37:50.713-04:00

Hi all, i have being trying to create roles through asp.net membership providers. but it shows me "Unable to connect to SQL Server database"

Roles.CreateRole("Admin");

But when i use plain ado.net connection class and open connection for the same connection string it works.

 SqlConnection con = new SqlConnection("Data Source=abc;Initial Catalog=xyz;User ID=sa;Password=abc@12345;");

con.Open();

Kindly help

Thanks in advance

FormsAuthentication through JScrip from content page!

2013-05-17T11:13:26.007-04:00

A question please

I have a content page in a website using a master page to display contents

The content page contains several javascript functions, that read and authenticate certificate on a smartcard that the user must use

The javascript part is working and it can read the certificate from the smartcard and check that the pincode is correct

From there I need to use FormsAuthentication

So the problem is calling an ASP.NET function that sets the user to be authenticated so that he /she will be able to access the rest of the website

I have used several tricks, tried using JS to set a value to a box in a form (Using getElementById() ) and then submitting the form, the problem is that I ended up with nested forms (the submition form within the main master form) so submit() did not work

I tried calling a static function from within jscript, and I can call such a function but I dont know how to set authentication from within a static function

I am lost here, any help would be much appreciated

Regards

autorization

2013-05-12T19:45:38.827-04:00

Im looking for complete autorization for enterprise application?does Net sql azman right for this?

Thanks

File uploads not working in IIS7 working fine on IIS6 version

2013-05-16T20:13:19.13-04:00

All these years worked on IIS6 version, used to give permissions to IUSR_MACHINENAME, aspnet and IUSR_WPG acct, with read write permissions on folders. it worked fine.

here n IIS7, gave permissions to IUSRS, IWPG and also found aspnet account. but it doesn't work. Also teh interface inemgr is changed too quiet a bit.

Can someone please kindly help provide steps to give permissions to file folders on C and d drive of teh server to accept file uploads via our web application.

Thank you very much for the helpful info.

Forms Authentication, timing out in less than timeout period.

2013-05-06T20:05:37.977-04:00

Hi I have forms authentication set up for a VB.Net 4.5 application with both the forms timeout and the sessionState timeout set to 20 minutes. It works fine on my development machine. However on the Shared hosted server(Not a web farm), user is redirected to login page in less than 20 minutes of inactivity. What am I missing?

Below is my web.config: As you can see, I have a tried to set the machineKey tag as well, but the issue remains.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  
  <system.webServer>
    
    <directoryBrowse enabled="false" />
    
    <modules>
        <remove name="FormsAuthenticationModule" />
        <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
        <remove name="DefaultAuthentication" />
        <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
    
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
    
  </system.webServer>

  <system.web>

	<customErrors mode="Off" />
	
	<compilation debug="true" />
    
	<httpRuntime enableVersionHeader="false" />

    <!--The <authentication> section enables configuration   of the security authentication mode used by
      ASP.NET to identify an incoming user.   -->
      <authentication mode="Forms">
        <forms cookieless="UseDeviceProfile" loginUrl="Login.aspx" defaultUrl="default.aspx" name=".ASPXAUTH" protection="All" requireSSL="false" timeout="20" slidingExpiration="true" />
      </authentication>
    
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>

    <!--Made the session timeout and the form authentication timeout so that the user is redirected back to login    page after 20 minutes and when they log back in they start with a new session as well.-->
    <sessionState cookieless="UseDeviceProfile" mode="InProc" regenerateExpiredSessionId="false" timeout="20" />
       
    <pages masterPageFile="~/MyMaster.master" enableViewState="true" enableViewStateMac="true"/>
	
    <machineKey  validationKey="86D46F91F5256B84881E32AE2573A5F2BC559403B8CA54886FC90F93C8D64B8A7D32DC158276F88AE9979CDBB9756F8CAF1B5E2FD602C07BD107057DCEC18ECE"
decryptionKey="3FD0350DB53C873554FE357616969A2A653B9EE5C36BDEB1F7D9F8EBC87EF9C5"
validation="SHA1"
decryption="AES" />
  </system.web>

   
</configuration>

Multiple membership providers into users and roles

2013-05-15T16:11:41.87-04:00

In my web.config, I have multiple membership providers from 3 different domains. The root domain and 2 child domains. I need to be able to add users from the child domains into my roles, but my it seems to only let me add users from the domain that is listed as the "default provider" in the web.config. How can I do this? Thanks

Private Sub BindUsersToUsersList() 

Dim users As MembershipUserCollection = Membership.GetAllUsers() 

UserList.DataSource = users  UserList.DataBind()

End Sub

</providers>  </

membership>

</div> </div>

Using multiple login screens

2013-05-16T16:21:26.117-04:00

Hi. I have 1 Admin folder which contains all control panel aspx files which can only be access by the site's administrators, on top of that I also have the usual login for the site visitors, both login screens have to be different, my question is how can I use a different admin login screen for the files in the Admin folder such that when users try to access the aspx in Admin folder, they will get one login screen and another one when access the site's content apsx which are restricted to signed-up members.

I am using the default framework 4.5 membership.

Thanks.

When to use AntiSamy?

2013-05-15T20:45:47.657-04:00

Can we use AntiSamy to validate user input? All of our inputs are pretty standard alphanumeric fields etc..not HTML input. From what I have read AntiSamy is primarily used for sanitizing HTML/CSS input by the user.

To provide some background to my situation. Our security team has suggested using AntiSamy to address Cross-Site scripting for .Net application(ported over from classic ASP) as the current application fails XSS attacks. I was considering doing actual user input validation using regular expressions based on a basic whitelist.

So now I am confused if we can even use AntiSamy for user input validation(when user is supposed just enter text data..not HTML/CSS). I also see that there is not much support for advanced processing options in .Net.

https://www.owasp.org/index.php/AntiSamy_Version_Differences

Web servis security

2013-05-16T14:06:47.28-04:00

Hi ;

I created asp.net web service for connect from other platform.When I typed url address I succesfully connect and show items in db.But Web service hasn't any authentication.
How can I provide web service security?

The parameter 'username' must not contain commas. Parameter name: username

2013-05-16T10:28:47.347-04:00

Hello Everyone,

I am experiencing a very strange problem in login system, When user was entering user and password he is getting below error

The parameter 'username' must not contain commas. Parameter name: username

But 2 days back he was able to login with same credential successfully but now he is unable to login we are sure that he is not using any comma's in the username, So is there any way we can stop

Thanks,

Shabbir