Last post Sep 30, 2016 05:55 AM by Deepak Panchal
Sep 01, 2016 08:12 PM|Karl Mitschke|LINK
I'm creating a replacement for Microsoft's iisadmpwd password change facility which allows our users to change their domain passwords when not on a domain joined PC.
I have 5 textboxes:
am converting the contents of the password text boxes to secure strings before sending to AD, but I'd prefer that when users enter data into the text boxes it's appended to a secure string automatically.
I see various solutions for Windows Forms such as
http://weblogs.asp.net/pglavich/Secure-TextBox-Updated but I cannot find one for Web Forms.
Is there any such control?
Sep 02, 2016 06:27 AM|lextm|LINK
Can you pause for a while to think about the design of ASP.NET (or a web page in general)?
Users open a web browser and type the password in a web page there. Then an HTTP POST sends the data to the server side (ASP.NET on IIS). It is completely different from WinForms where all things happen on the same machine. You need to find other ways to
secure the password.
Sep 02, 2016 10:15 AM|Deepak Panchal|LINK
Generally SecureString is used for the client side applications.
and for web form applications people generally use Form Authentication and SSl. so if you have options to try a new thing you can try to implement that in your code.
then also if SecureString is only the option that you want to use then please visit the link below for getting information regarding SecureString and method to append data.
in the link below you will find a discussion regarding using securestring in Asp.net.
Is there any benefit to using SecureString in ASP.NET?
Sep 02, 2016 02:11 PM|Karl Mitschke|LINK
I guess I should have mentioned that the application uses SSL from the client to the page.
I read the stack overflow discussion already - I am following the "transferring authentication credentials from one system to another." reasoning to use secure strings to send the data to AD, which is working well.
I believe I already mentioned that I am using secure strings, and copying the data from the text boxes to the secure strings, so I don't need a refresher on appending the data to secure strings :)
My only goal here is to attempt to prevent the data from remaining in memory on the server.
Sep 02, 2016 06:25 PM|Karl Mitschke|LINK
Maybe I am over worrying here.
There are 5 servers running Server 2012 R2 which only 3 people have any real reason to ever login to - for installing patches.
So, the real odds of someone capturing the memory of the server should be pretty small?
Plus, they'd have to capture the memory of all 5 to have any kind of chance to capture a password.
Not to mention that this page will probably not get accessed much.
I'm just surprised there is not a textbox control that can append to a securestring and delete each character as it's entered.
Sep 29, 2016 05:48 AM|Deepak Panchal|LINK
is your issue solved?
if your issue is solved. would you like to share the solution?
if your issue is not solved till now then please let me know so that I can try to give you further suggestions to solve your issue.
Sep 29, 2016 02:24 PM|KarlMitschke|LINK
My issue is not resolved.
Sep 30, 2016 05:55 AM|Deepak Panchal|LINK
I try to find related to your issue.
but I did not find any exact solution for that.
I find Web parts to make web page secure.
Because Web Parts is a feature of ASP.NET, and Web Parts controls are extended ASP.NET server controls, Web Parts pages are susceptible to all the same risks as ASP.NET pages. A Web application with pages that use Web Parts controls is really just a specialized
type of ASP.NET application, and an application that uses Web Parts can run in any trust level that an ordinary ASP.NET application can. For general information about ASP.NET Web site security, see
ASP.NET Security. However, Web Parts has some unique security issues that normal ASP.NET pages do not have. These issues are discussed in the following sections.
Securing Web Parts Pages