Security

Stored Procedure vs. Direct Sql access. - Which is better? Understanding both.

SubsonicRecordPool — Sun, 13 Sep 2009 19:43:16 GMT

Can someone explain to me why one is better than another?

and

Can someone explain to me why one would be used instead of the other?

what are the benefits of each?

I understand how to use both, but i am not sure why a SP is better than a direct SQL access. Both require a server transfer and communication. It seems to me that a SP is best when accessing multiple tables....

The SP may be more secure?

Malicious script added in my website automatically

smartymca — Sat, 21 Nov 2009 15:12:52 GMT

My website get infected by some malicious script My site is in Asp.net and i have used master page, some unknown script tag added outsite of content place holder.And my site gives error. Is this a virus attack or any malware. I have removed many time but when i uploaded pages after sometime my site get infected with those scripts Please suggest me to get rid of this problem. I have also scanned my machine with AVG antivirus but problem is still there Which is the best antivirus software to protect thesre kind of attacks Please help me.. Here is the error Server Error in '/' Application. -------------------------------------------------------------------------------- Parser Error Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately. Parser Error Message: Only Content controls are allowed directly in a content page that contains Content controls. Source Error: Line 566: Line 567: Line 568: Source File: /SearchResult.aspx Line: 568 -------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.4049

Share authentication from ASP.Net to PHP.

Grzesiek23 — Sat, 21 Nov 2009 17:38:11 GMT

Hello!

I have web application writen for ASP.Net.

Now my friend is building few modules in PHP and he need to get user's state of authentication.

In ASP.Net I can get it easily by Page.User.Identity.IsAuthenticated - but how to share it to PHP?

Please help us :)

Explicitly requesting Windows Authentication for some users on a Forms Authentication site

hillb — Sat, 21 Nov 2009 02:15:18 GMT

Here's my problem. I have an ASP.Net C# website sitting on a webserver that is a member of my domain, but which is also located within a DMZ and is visible across the Internet. The web application was originally written to utilize Forms Authentication, and simply verifies that users are members of our local Active Directory. All of this currently works fine.

We have received a request from the PHB to mimic Windows Authentication behavior for this web application when local intranet users attempt to access it. We use Windows Authentication on many of our Sharepoint and .Net intranet applications, and our users like the behavior. Because the server is a member of our domain (and because we have a GPO specifically adding it to our local Intranet security group), it would be fairly trivial to just activate Windows Authentication and automatically log local users in, but PHB has decreed that we must maintain our "user friendly" browser form based logins for remote users. He, and his bossling peers, want the best of both worlds.

So, here's the question. Is there a way to programatically specify, at runtime, which authentication method to use? Or have Forms be the default, and only demand Windows if the request meets a certain criteria (such as a connection from anywhere in our 10.10.0.0/24 subnet)?

Essentially, we need to leave the Forms Authentication in place, and just figure out a way to seamlessly log in our intranet users as well.

Yep, not asking for much at all. The searches I've done online have offered contradictory answers as to whether this is possible, and several posts indicating it might be possible were specific to .Net 1.1. My number one question is: Can this even be done, using .Net 3.5 on a Win2K8/IIS7.5 server? If so, can anyone offer any pointers? If not, does anyone have any suggestions as to a different way to solve this problem?

Roles.GetAllRoles() returns no roles

deanlaw — Thu, 19 Nov 2009 18:35:45 GMT

I am using a custom provider for my roles. I've create a few roles, but when I try to populate a select box using Roles.GetAllRoles(), it returns an empty select box. If I look in my provider DB, the roles are listed there, but I can't return the list. Here is the code from my Web.config file

Here is how I am generating the select box.

rolesArray = System.Web.Security.Roles.GetAllRoles()

RolesListBox.DataSource = rolesArray

RolesListBox.DataBind()

rolesArray = Roles.GetAllRoles()
RolesListBox.DataSource = rolesArray
RolesListBox.DataBind()

Am I doing something wrong?

Thanks,

Logging user depending upon rights

ally138411 — Thu, 29 Oct 2009 09:57:53 GMT

Hi,

can anyone plz tell me how to make the login screen authenticate user and log him depending upon the rights assigned to him. i have 3 kinds of rights to users ADMIN, SUPER USER, NORMAL USER.

heres my code...

<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Login.aspx.vb" Inherits="_Default" %>
<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
    <title>Welcome to MIS</title>
</head>
<body style="background-color: #9966FF">
    <script type="text/JavaScript">

</script>

    <form id="Login" runat="server">
    <div>
         
         <asp:Image ID="Image1" runat="server" Height="170px" ImageUrl="~/RANGARAlogo1.jpeg"
            Width="600px" meta:resourcekey="Image1Resource1" /><br />
        <strong><span style="color: #33ffff">If You are a new User Please click on this link
            to register yourself in order to access this page.</span></strong><br />
        <asp:LinkButton ID="LinkButton1" runat="server" Font-Bold="True" Font-Names="Courier New"
            Font-Size="Large" ForeColor="#FFC0C0" Height="30px" PostBackUrl="~/Userfrm.aspx"
            Width="100px">REGISTER</asp:LinkButton><br />
    </div>
            <asp:ScriptManager ID="ScriptManager1" runat="server">
        </asp:ScriptManager>
        <cc1:DropShadowExtender ID="DropShadowExtender1" runat="server" TargetControlID ="Panel1" Rounded ="True" Enabled="True" >
        </cc1:DropShadowExtender>
        <asp:Panel ID ="Panel1" runat="server" BackColor ="ActiveBorder" Width ="430px" HorizontalAlign ="Center" meta:resourcekey="Panel1Resource1">
        <cc1:NoBot ID="NoBot1" runat="server" CutoffMaximumInstances ="3" CutoffWindowSeconds ="15" ResponseMinimumDelaySeconds ="10" OnGenerateChallengeAndResponse ="NoBot1_GenerateChallengeAndResponse" meta:resourcekey="NoBot1Resource1"/>
        <asp:Login ID="Login1" runat="server" BackColor="#F7F6F3" BorderColor="#E6E2D8" BorderPadding="4"
                    BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em"
                    ForeColor="#333333" Height="200px" Width="230px" OnAuthenticate="Login1_Authenticate" meta:resourcekey="Login1Resource1">
                    <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" Font-Size="0.9em" ForeColor="White" />
                    <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
                    <TextBoxStyle Font-Size="0.8em" />
                    <LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle="Solid" BorderWidth="1px"
                        Font-Names="Verdana" Font-Size="0.8em" ForeColor="#284775" />
                    <LayoutTemplate>
                        <table border="0" cellpadding="4" cellspacing="0" style="width: 423px; border-collapse: collapse;
                            height: 246px">
                            <tr>
                                <td style="height: 194px; width: 371px;">
                                    <table border="0" cellpadding="0" style="width: 415px; height: 271px">
                                        <tr>
                                            <td align="center" colspan="2" style="font-weight: bold; font-size: 0.9em; color: white;
                                                background-color: #5d7b9d">
                                                Log In</td>
                                        </tr>
                                        <tr>
                                            <td align="right" style="width: 160px">
                                                User Name:</td>
                                            <td>
                                            <cc1:TextBoxWatermarkExtender ID="TextBoxWatermarkExtender1" runat="server" WatermarkText ="Please Enter UserName Here" TargetControlID ="UserName" WatermarkCssClass ="watermark" Enabled="True">
                                                </cc1:TextBoxWatermarkExtender>
                                                 <asp:TextBox ID="UserName" runat="server"
                                                    Width="220px" CausesValidation="True" Height="20px" meta:resourcekey="UserNameResource1"></asp:TextBox>  *



                                            </td>
                                        </tr>
                                        <tr>
                                            <td align="right" style="width: 159px">
                                                Password:</td>
                                            <td>
                                                 <asp:TextBox ID="Password" runat="server" Width="220px" TextMode="Password" CausesValidation="True" Height="20px" meta:resourcekey="PasswordResource1"></asp:TextBox>*
                                            </td>
                                        </tr>
                                        <tr>
                                            <td colspan="2">
                                                <asp:CheckBox ID="RememberMe" runat="server" Text="Remember me next time." meta:resourcekey="RememberMeResource1" />
                                            </td>
                                        </tr>
                                        <tr>
                                            <td align="center" colspan="2" style="color: red">
                                                <asp:Literal ID="FailureText" runat="server" EnableViewState="False" meta:resourcekey="FailureTextResource1"></asp:Literal>
                                            </td>
                                        </tr>
                                        <tr>
                                            <td align="right" colspan="2" style="height: 40px">

                                                <asp:Button ID="LoginButton" runat="server" BackColor="#FFFBFF" BorderColor="#CCCCCC"
                                                    BorderStyle="Ridge" BorderWidth="1px" CommandName="Login" Font-Bold="True" Font-Names="Courier New"
                                                    Font-Size="Medium" ForeColor="#284775" Height="30px" Text="Log In" Width="90px" meta:resourcekey="LoginButtonResource1"   /> 
                                            </td>
                                        </tr>
                                    </table>
                                </td>
                            </tr>
                        </table>
                    </LayoutTemplate>
                </asp:Login>
        </asp:Panel>
         
                <asp:Label ID ="Label1" runat ="server" meta:resourcekey="Label1Resource1" ></asp:Label></form>
</body>
</html>

Imports System
Imports System.Collections
Imports System.Configuration
Imports System.Data
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.HtmlControls
Imports System.Web.UI.WebControls
Imports System.Web.UI.WebControls.WebParts
Imports System.Data.OleDb
Imports System.DBNull
Imports System.Data.SqlClient
Partial Class _Default
    Inherits System.Web.UI.Page

    Private Function GetConnectionString() As String

        Return System.Configuration.ConfigurationManager.ConnectionStrings("MydbConnectionString").ConnectionString
    End Function

    Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs)
        Dim EncryptedPwd As String = Nothing
        Dim chkpass As String, pass As String, x As Integer
        chkpass = LCase(Trim(Trim(Login1.Password)))
        pass = ""
        For x = 1 To Len(chkpass)
            pass = Chr((Asc(Mid(chkpass, x, 1)) * 2) + 3) & pass
        Next
        EncryptedPwd = pass
        Dim conn As SqlConnection
        Dim cmd As SqlCommand
        Dim cmdString As String = "select * from aspnet_Membership where UserName='" & Trim(Login1.UserName) & "' and Password='" & EncryptedPwd & "'"
        Dim cmdString1 As String = " select AdminRights from aspnet_Membership where UserName='" & Trim(Login1.UserName) & "'"
        conn = New SqlConnection(GetConnectionString())
        cmd = New SqlCommand(cmdString, conn)
        cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 20)
        cmd.Parameters("@UserName").Value = Login1.UserName
        cmd.Parameters.Add(EncryptedPwd, SqlDbType.VarChar, 20)
        cmd.Parameters(EncryptedPwd).Value = Login1.Password
        conn.Open()
        Dim myReader As SqlDataReader
        myReader = cmd.ExecuteReader(CommandBehavior.CloseConnection)
        If myReader.HasRows = True Then
            While myReader.Read()
                If Session("AdminRights") = "True" Then
                    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
                    Response.Redirect("~/Home.aspx")
                Else

                    Response.Redirect("~/Login.aspx")
                    Response.Write("You dont Have Sufficient Rights to View this Page yet Please Login Again Later")
                End If
            End While

            'ElseIf Session("Normal") = "True" Then
            '   FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
            ' Response.Redirect("~/dailyreport.aspx")


        Else
            Try
            Catch ex As System.Data.SqlClient.SqlException
                Dim msg As String = "Insert Error:"
                msg += ex.Message
                Throw New Exception(msg)
            Finally
                conn.Close()
            End Try
        End If
        myReader.Close()
    End Sub

    Protected Sub NoBot1_GenerateChallengeAndResponse(ByVal sender As Object, ByVal e As AjaxControlToolkit.NoBotEventArgs) Handles NoBot1.GenerateChallengeAndResponse
        Dim state As AjaxControlToolkit.NoBotState
        NoBot1.IsValid(state)
        Label1.Text = state.ToString()

    End Sub

End Class

controlling timeout

eracekat69 — Sat, 21 Nov 2009 11:34:04 GMT

Hi All,

How can the automatic timeout (by which a user gets logged out due to inactivity) be controlled?

I tried this:

But this does not work. While the code suggests that the user is never timed out (or only after a very very long time), this is not what is happening, I still get a timeout after around 30 min.

Thanks.

Damian

Forms Authentication login - protect pages?

matthisco — Sat, 21 Nov 2009 14:28:56 GMT

I can get the script below to redirect the user depending upon the username. However, i can browse to th page neds.aspx, can any please tell me how I can protect his page and bring up login.aspx, if you try and browse to it without logging in?

Thanks in advance

login code

   if(username.Text = "admin" and password.Text = "test")


   FormsAuthentication.SetAuthcookie(username.Text , false)
       Response.Redirect("upload.aspx")

       elseif (username.Text = "neds" and password.Text = "test")
FormsAuthentication.SetAuthcookie(username.Text , false)
       Response.Redirect("neds.aspx")
       else

       messagebox.text = "wrong username"

   end if

web.config

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

<system.web>
    <customErrors mode="Off"/>
    <compilation debug="true"/>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" defaultUrl="default.aspx" />
    </authentication>
</system.web>
<location path="Upload.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
</location>
</configuration>

windows authetication with XP

sp_412000@yahoo.com — Sat, 14 Nov 2009 12:28:09 GMT

I want to set up windows authentication on my XP machine. It's stand alone computer. When I switch on, it leads me to start menu w/o asking user name and password.

I added following code in the web.config file.

When I run the application, it asks for username and password.

What should I type in? Please help me.

where can i find editional user information in my database in clear text?

johan.jacobs — Thu, 19 Nov 2009 16:46:11 GMT

Hello,

I'm trying to add additional information to my user when he wants to register on my website?
I used the following coding:

I added some input fields in the createUserWizard:

<tr>
<td>
                                <asp:TextBox runat="server"></asp:TextBox>
</td>
</tr>

Code behind my page:
Protected Sub CreateUserWizard1_CreatedUser(ByVal sender As Object, ByVal e As System.EventArgs) Handles CreateUserWizard1.CreatedUser

Dim nGeb As ProfileCommon = ProfileCommon.Create(CreateUserWizard1.UserName, True)

        'Profielgegevens van nieuwe gebruiker aanpassen
        nGeb.Name = CType(CreateUserWizard1.CreateUserStep.ContentTemplateContainer.FindControl("txtName"), TextBox).Text
        nGeb.Save()
end sub

In web.config I added:
<authentication mode="Forms" />
    <profile enabled="true" >
      <properties>
        <add type="String"/>

      </properties>
    </profile>

When I click register I get a finish and in my user list I can find the new user.
But where can I find the extra information in clear text?

So that I can use the user information for the invoices…

FormsAuthention Login Issue

sgeorge80 — Sat, 21 Nov 2009 08:51:44 GMT

While using login control the user HttpContext user identity is get authenticated after the cookie is created.

If I am customising the login by using a normal button and creating formsauthentication ticket and cookie in the button click event, the User. IsAuthencticated is false in the first page life cycle but it will be true in the next postback.

Is there anyhow i can get IsAuthenticated as true after validating the user and creating the cookie and adding it to the current httpcontext?

to get list of users for a specifed role

abrly — Sat, 21 Nov 2009 08:03:32 GMT

Hi day,

am trying to list all the users in a specifed role from aspnetdatabase. for this i fetch the UsersInRoles, But When I pass the

role id to fetch the userId , i am getting error since roleid is guid type.

could you please give me some solution for this or any other alternative way to get the list of users for a specific role

thanks in advance.

my code as follows

Public Sub GetTheListOfUsers(ByVal sRoleName As String)

Dim DsUserList As New DataSetDim sRoleID As String = Nothing

sSQL = "Select RoleId From aspnet_roles Where RoleName='" & Trim(sRoleName) & "' "

cmdUser1.CommandText = sSQL

cmdUser1.CommandType = CommandType.Text

cmdUser1.Connection = ASPNETConnection1

DrUser1 = cmdUser1.ExecuteReader()

If DrUser1.HasRows Then

DrUser1.Read()

sSQL = "Select UserId from aspnet_UsersInRoles where RoleId='" & DrUser1("RoleId") & "'"

cmdUser2.CommandText = sSQL

cmdUser2.CommandType = CommandType.Text

cmdUser2.Connection = ASPNETConnection2

DrUser2 = cmdUser2.ExecuteReader

If DrUser2.HasRows Then

While DrUser2.Read

sSQL = "Select UserName,LastActivityDate From aspnet_Users Where UserId='" & DrUser2("UserId") & "'"

cmdUser3.CommandText = sSQL

cmdUser3.CommandType = CommandType.Text

cmdUser3.Connection = ASPNETConnection3

DrUser3 = cmdUser3.ExecuteReader

DrUser3.Read()

If DrUser3.HasRows Then

sSQL = "Insert Into UsersInRole(UserName,LastActivityDate)Values('" & Trim(DrUser2("UserName")) & "','" & DrUser2("LastActivityDate") & "')"

cmdUser4.CommandText = sSQL

cmdUser4.CommandType = CommandType.Text

cmdUser4.Connection = MLEConnection3

cmdUser4.ExecuteNonQuery()

cmdUser4.Dispose()

End If

cmdUser3.Dispose()

DrUser3.Close()

End While

cmdUser2.Dispose()

DrUser2.Close()

End If

' end here

End If

DrUser1.Close()

cmdUser1.Dispose()

End Sub

Login redirection to correct sites (folders)

Crayons — Fri, 13 Nov 2009 11:17:02 GMT

Hello,

I am building a site in which the user who is registering/creating their own login can select what role they are. I used the Login control built into VWD and added the option to select a role or "type" as I called it. I am trying to figure out how I can re-direct the user to the appropriate site according to their role. For example, if the user selects artist, as soon as they click the create account buton, I need it to send them to the "artist" site.

Heres the code im using:

<asp:DropDownList ID="DropDownList1" runat="server" 
                                        DataSourceID="SqlDataSource1" DataTextField="RoleName" 
                                        DataValueField="RoleName" Height="18px" Width="123px">
                                        <asp:ListItem>Fan</asp:ListItem>
                                        <asp:ListItem>Artist</asp:ListItem>
                                        <asp:ListItem>Band</asp:ListItem>
                                        <asp:ListItem>Studio</asp:ListItem>
                                        <asp:ListItem>Business</asp:ListItem>
                                    </asp:DropDownList>

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
    {
        DropDownList ddl = (DropDownList)CreateUserWizard1.FindControl("ddlRoles");

        try
        {
            Roles.AddUserToRole(CreateUserWizard1.UserName, ddl.SelectedValue);
        }
        catch (Exception ex)
        {
            throw ex;
        }
    }
    protected void LinkButton1_Click(object sender, EventArgs e)
    {

    }
}

Any help is greatly appreciated! :)

Changing the application name dynamically

sudheer_p — Sat, 21 Nov 2009 05:12:39 GMT

Hi,

I have requirement ,i need to chnage the application name of the membership and role provider dynamically by using the url.

From one of the forums i have found that ,we can assign the application name from the Application_PreRequestHandlerExecuite.

i have changed the application name successfully,but the event reads all the requests(like request for CSS,Request for images,etc...).

In this process i am unable to get the desired name from the url.

can any one suggest the best place to retrieve the http Url available in the Address bar and ignore the all other requests.

Login program

moni_bansal — Fri, 20 Nov 2009 17:50:40 GMT

Hello good people

I have to make one login program in database have 3 fields membership,ID,Password.

I have to expire session in 5 min,same IP check and Membership level Check

I am using asp.net 3.5 please help me I'm new in dot net

many website request and occupy bandwidth

dr_csharp — Thu, 19 Nov 2009 07:46:00 GMT

hi friends

last night my website was in attack,i count page view in session start and it was about 40,000 last night !

i checked it,and i found some one trying to request my Default.aspx page over and over .. and in some time sequence his/her IP addresses changed !

what can i do in this situations ?

security exception while displaying obout grid control

jacz — Sun, 08 Mar 2009 05:54:48 GMT

Hello!

When I would like to display an aspx web page with a simle obout grid control, the web page says:

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

The grid control has no connectionstring it should be only the empty grid.

Other obout controls works great even with database connection.

Could you help me?

Thank you!

login problem??

.net_junkie — Fri, 20 Nov 2009 17:37:40 GMT

hi all i want to avoid going to login page after the user logged out,i mean after logging in if he press backspace he sholud not enter into the website like many sites he has to stay in logging page how to do it?? i have used some java script but if i use that one when ever i press backspace in my website its not goinf back wards can anyone help me??

SQL Membership + Remote database queries

wulfgarpro — Mon, 16 Nov 2009 02:58:56 GMT

Hi,

My application has SQL based membership enabled for logging in. I had some issues with access certain files .. to which required the following ammendment to the web.config file.

<location path="Style.css">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
</location>
<location path="Images/mdi.png">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
</location>
<location path="Images/favicon.ico">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
</location>

From the local side .. everything works fine .. queries to the remote database successfully execute.

My problem occurs when the application is served via the web server (also the remote SQL server) .. i recieve the following error when trying to perform a database execution.

Login failed for user ''. The user is not associated with a trusted SQL Server connection.

Any ideas ?

wulfgarpro.

How do I identify urls for pages that don't need forms authentication?

paulkienitz — Fri, 20 Nov 2009 22:41:43 GMT

Here's the situation: most pages on the website require login. A few do not; these public ones are listed in web.config in sections that go <location path="blah.aspx"> <system.web> <authorization> <allow users="*" />. The rest have to get a forms authentication ticket, which they are granted by an HttpModule that handles the AuthenticateRequest event. When it doesn't grant one, the request gets redirected to our "login" page, which is actually an error-message page that terminates the application. (This is because user login is handled by a separate portal, rather than within our own app.) The most common way that the "login" error page gets invoked is when someone's authentication times out -- then the next time they click something, it redirects to the error page, which says "OurApp timed out due to inactivity".

This all works fine for normal page loads. But certain pages are using ajaxy client callbacks based on SetCallbackEventReference. When the authentication times out, the callback retrieves a copy of the error page, which it is unable to process as either a success or an error message. I figured the way to handle this is to have the error page render a different output when the failing request was a callback. But after it's redirected to that page, all the request information that allows it to tell whether it's a callback is gone.

But the HttpModule that does authentication can check that. So I have it see if it's a callback with no authentication ticket, and if so, it does RedirectToLoginPage("iscallback=1"), which tells the error page to treat it as a callback.

Unfortunately, this test might also trigger for any request that doesn't need authentication. Like for instance, every little gif image on the page.

The question: How can I tell if a given URL is one of those that will go ahead with no problem in the absence of an authentication ticket? I don't want to do any redirecting in that case.

Alternately: is there a way to tell, after RedirectToLoginPage, whether the request that was redirected from was a callback? (The test I'm using in the HttpModule is just to check for Request.Forms["__CALLBACKID"].)

Permission in a folder of file server

aspfun — Thu, 19 Nov 2009 13:54:52 GMT

I used code "ds.WriteXml" to export dataset to xml to a file server (Not web
server. This folder do not have web share)

server name: allorder

folder and path: d:\order2009\

file name: neworder.xml

How to tell newwork guy to setup permission for this folder (order2009)?
I got answers as below. Which one is right?
So far, I assign everone for full control but boss do not want to use EVERYONE.

1) <MACHINE NAME>\ASPNET
2) NT AUTHORITY\NETWORK SERVICE

how can i get nonce value??

cotzan — Wed, 18 Nov 2009 16:25:02 GMT

hi friends.

how can i bind nonce of a password value to label.

ex: 1232322 is my paasword. i have to show its Nonce value.

regards.

Windows Authentication with Impersonation... Help Needed

VinnyPip — Fri, 20 Nov 2009 18:12:45 GMT

when the app is hosted on a domain server and you navigate to the page locally it grabs the user that's logged onto the local machine running and displays that to the user

"Hello username"

but for some reason when in production it's always NT AUTHORITY\NETWORK SERVICE and i don't know why...

if i have this line in my web.config: <identity impersonate="true" /> then it will error on pageload saying there was an error trying to impersonate.

so i take that line out... now when the app needs to impersonate on the fly, as it's been coded to do, it won't impersonate at all and i think it's because that line was removed... I AM GOING CRAZY!

any suggestions?

Help, user created logged automaticly

asp.41net — Wed, 18 Nov 2009 15:52:26 GMT

Hi there, im having some trouble and i dont seem to find whats wrong.

i followed the security asp tutorials and i created a form to create users and asign them thier roles after they are created, but the problem is that i unchecked the option log on the user recently created but it is still loggin the users i created, so is there another option i need to check up in order to accomplish that when i create a new users they dont get logged in automaticly?

thanks in advance

IIS 7.5 on windows 7 - forms authentication across multiple virtual directories is failing.

ishai1 — Thu, 19 Nov 2009 21:45:52 GMT

I just upgraded to windows 7 and I'm trying to get a few existing apps to work.

Our apps use a single sign on solution. We have several web sites (hosted as virtual directories) and the single sign on web app is another virtual directory.

When a user tries to access any of the apps he's redirected to the SSO app to login. Once the user logs in he's redirected back to the app he came from.

This worked great on XP, but once I upgraded to win 7, all I get is the following error:

Access is denied.

Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.

and this is in the event log:

Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Event time: 11/19/2009 4:22:00 PM
Event time (UTC): 11/19/2009 9:22:00 PM
Event ID: c26119aa16f84f3fa84affb9c9141deb
Event sequence: 8
Event occurrence: 7
Event detail code: 50201

All applications are using the same app pool (the classical pool right now, but I also tried it with the default app pool) and I have a machinekey set in machine.config.

What configuration change am I missing here?

thanks,
Ishai