all groups > asp.net security > may 2004


easy to understand web security info
Posted by Mark St Denis at 5/30/2004 10:31:02 PM
Can anyone tell me where I might find easy-to-understand information on web security? I have read lots of stuff by Microsoft (Threats and Countermeasures, etc.), but all I've seen presupposes I know a lot already, which I don't. Any help would be appreciated, thanks....more >>

Encryption for QueryString
Posted by Raheel Hussain at 5/30/2004 2:05:53 AM
Hi guys. I want to put encryption on every query string for my web application. For that, right now I'm using a custom function. Can anybody tell me if there is some built-in function available in .NET which I can implement? What I want is that the query string value should be sent in...more >>

Forms authentication fails on a few computers :-(
Posted by M. Posseth at 5/29/2004 10:10:42 AM
I have a website that has forms authentication installed: http://hbase.nohausystems.nl/ It seems to work fine; however, on a few client computers it will not log on (not even the visitor mode that I made for unknown users that just want to see the website). Nice thingy is that one of tho...more >>

Forms Authentication
Posted by questions NO[at]SPAM resolutionsnet.co.uk at 5/29/2004 3:12:20 AM
I wonder if anyone can help. We have a web application using Forms Authentication that works perfectly OK in all environments, but in the production environment the forms authentication isn't timing out and returning the user to a login screen. Instead it tries to load the requested page and fa...more >>

Another ROLE question...
Posted by ECUnited at 5/28/2004 8:26:08 AM
Thanks for your help on my previous post. I'm running XP and it was looking for a role name of : <DOMAIN>\<ROLE>, like "ABC-CORP\Administrators", and I was just evaluating "Administrators". Is that true for Win2000, too? We have some clients running Win2000 and others running XP. Do I need to eval...more >>

Win2k, IIS5, IIS Lockdown Tool, URL Scan
Posted by 13 Fallen at 5/27/2004 6:57:55 PM
I run Win2k Workstation (Spk4) with IIS and the .NET Framework version 1.1. I develop on this platform with ASP.NET using Visual Studio .NET 2003. I am planning to install the latest version of the IIS Lockdown tool (with URL scan). I understand that this may interfere with some aspects of...more >>

Getting a list of roles
Posted by ECUnited at 5/27/2004 2:21:02 PM
This may have been answered in a previous post, and if so, please excuse my redundancy. I am using Windows authentication and I know about the IsInRole check, but I need to obtain a list of roles that each user is in. What is the simplest way to do that? What I need to do is to evaluate each user...more >>

newbie seeks User.Identity and Application_AuthenticateRequest help
Posted by usenet_daughter NO[at]SPAM yahoo.com at 5/27/2004 11:22:53 AM
I'm trying to understand how security works in an ASP.NET C# project. The global.asax has this code: protected void Application_AuthenticateRequest(Object sender,EventArgs e) { HttpCookie rolesCookie = Request.Cookies["roles"]; if ((!(rolesCookie==null)) && (!(Context.User==null))) { Gen...more >>



System.IO.FileNotFoundException using file.copy
Posted by Stephen Witter at 5/27/2004 10:44:48 AM
I am trying to copy a file to a network drive. I can do it on the domain controller/web server but not from a client. Here is the code: Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext Dim currentWindowsIdentity As System.Security.Principal.WindowsIde...more >>

Forms authentication - login fails
Posted by s_erez NO[at]SPAM hotmail.com at 5/27/2004 10:36:07 AM
Hi, I have an ASP application using Forms authentication. On my development web server everything works and login is successful, but when I move my application to the production server the login page is loaded but all login attempts fail. The development server is a Windows 2003 server and the ...more >>

Multiple web.config files in a virtual directory
Posted by Raghu at 5/27/2004 8:33:05 AM
Is it possible to have multiple web.config files in a given virtual directory in different directories? For example: http://localhost/myapp (Virtual directory maps to C:\MyApp) http://localhost/myapp/newFolder (web folder in the above virtual dir maps to C:\MyApp\NewFolder) Can I have on...more >>

FormsAuthentication client-side problem
Posted by Marcio Kleemann at 5/26/2004 3:33:13 PM
I'm using FormsAuthentication to secure access to a web site. The authentication process works correctly initially. The pages on the site have a "logout" button, which basically calls FormsAuthentication.SignOut() and redirects the user to the login page. The problem is that after the user logs ...more >>

FormsAuthentication Class Question
Posted by Joe Reazor at 5/26/2004 2:05:47 PM
First, here's a quick description of what I have so far. I have a website that I am building that contains both asp and asp.net pages. I have configured the site using a custom HTTPHandler, web.config, and a custom HTTPModule so that all requests (both asp and asp.net) go through the asp.net r...more >>

Getting AD Groups
Posted by hanafiahh NO[at]SPAM hotmail.com at 5/26/2004 11:07:07 AM
Hi Gurus, I seek your expert advice on the following scenario. Environment: Windows 2003, IIS6, Windows Integrated Authentication, .Net Framework 1.1, ASP.Net, C#. Based on the Integrated Windows Authentication, I'm trying to get the AD groups that the user belongs to from my ASP.Net page....more >>

Need help with impersonating for GetCurrentProcess call.
Posted by Ken Varn at 5/26/2004 10:59:08 AM
I am fairly new to ASP.NET, and am not sure about a problem that I am having and how to resolve it. My web page needs to make a call to Process.GetCurrentProcess() for some logging class that I am using in my web page. However, when the call is made I get an exception indicating that Access i...more >>

Changing Windows password by .NET code?
Posted by Jens Weiermann at 5/26/2004 8:13:42 AM
Hi! I'm using Windows authentication in one of my ASP.NET projects because this way it's easy for me to define which users have access to which page (using the NTFS file system security settings). Now my users want to change their passwords via a web interface. Does anyone know if it is at all...more >>

Double number of calls when Basic Authentication?
Posted by Joe H at 5/26/2004 7:17:16 AM
I have a web service that is set to use Basic Authentication (for users outside the firewall). They are coming in over SSL. It uses Integrated Authentication for internal users. For the users who are requesting service with Basic Authentication, there is a VB.Net client application which is ...more >>

Secure Downloads in Shared hosting
Posted by Dave Lambert at 5/26/2004 2:01:04 AM
Hi there, I have created a download website for members. All downloads are held in a folder and a user can access a specific download when he has paid for them. I then write a record into the database to say the user is entitled to download this item. I then wish, when the user logs on, to display al...more >>

Opposite of RedirectFromLoginPage? Preset page to direct to...
Posted by Nugs at 5/25/2004 5:12:32 PM
How can I set the page that the login page needs to send the user to? I have a login page that does the RedirectFromLoginPage method, but I am now needing to explicitly tell the login page where to go instead of it looking for the previously requested page. How would I do that? My code is as f...more >>

Preventing script attacks from text boxes
Posted by DDK at 5/25/2004 2:48:58 PM
I am trying to figure out the best way to allow users to submit HTML in a textbox, and allow them the ability to edit the text HTML submitted afterwards safely in ASP.NET + C# (submitted to a sql server database), so that the application is not subject to script attacks. Any ideas on the best op...more >>

Access Denied w/Impersonate=true
Posted by Rich Yadach at 5/25/2004 2:25:19 PM
Does anyone have any ideas or comments on this? The problem seems to stem from having Impersonate=True set in our web.config files (Version 1.1). Here is the error we encountered. The actual filename changes every time you try to load the page: An error has occurred: Access...more >>

Security and Audit functionality
Posted by MattC at 5/25/2004 11:09:18 AM
Hi, I have a requirement that security be devised at page level. I am also required to keep an audit trail of who performed what action, when and what on. My current solution is as follows: Create 5 DB tables: Users, SecurityProfiles, SystemTasks, TasksProfileLinks, Audit. For this ...more >>

Converting Win32 API to VB.NET for Folder Security
Posted by i23bam at 5/25/2004 9:11:04 AM
For the record, I am a newbie to API. Anyway, I am trying to use the Win32 API in VB.NET to set NT Security (Administrator ACE) on a remote server folder from within a backup executable I have created. The problem is I am trying to implement my translated version of the NTFS Permission example, at h...more >>

Machine.Config -- ProcessModel vs Impersonation
Posted by Wm. Scott Miller at 5/24/2004 12:00:19 PM
What is the difference between using a username and password in the processmodel section vs using one in impersonation in the machine.config file? What are the advantages of each and what are the usages of each? Thanks for any replies, Scott ...more >>

IPrincipal
Posted by Veronica Jacobs at 5/23/2004 11:28:18 PM
Anyone work with the IPrincipal object in an ASP.NET web app? Just wondering how it is used and if there are any best practice documents anyone is aware of that help describe the proper way to implement it. Thanks. V.J. EncryptaSoft.com www.encryptasoft.com ...more >>

Beginners question: Form based authentication
Posted by Oliver Kharraz at 5/23/2004 1:58:03 PM
Hello, the following question may be trivial, but after scrolling documentation on my screen for hours I'd absolutely appreciate your help: I want to have two kinds of pages on my site: the ones everyone can access (allow users="*" in the web.config) and those that require forms based authe...more >>

Cannot read a Security Log from ASP.net web service
Posted by Ian Wright at 5/22/2004 5:13:34 PM
I'm attempting to read the security event log for a WinXP Pro machine using a web form that calls a web service. Both files are stored in the same directory in IIS. The directory is set to use Windows Integrated security and I've set up the web app to use impersonation with the local admin acc...more >>

IUSR_COMPUTERNAME vs ASPNET
Posted by Anatolij at 5/21/2004 3:50:12 PM
Hello people. Sorry for the stupid question, but who can explain to me the difference between the IUSR_COMPUTERNAME and ASPNET accounts? ...more >>

Could not load type error
Posted by Sumit Thomas at 5/21/2004 3:30:49 PM
Hi, I have created sub directories for my application, however, when I try to access the aspx files in the subdirectory, I get the following error : "Could Not Load A1.A2" where A1 is the name of my project and A2 is the name of my subdirectory. It looks like the program is looking for the bi...more >>

Global.asax Inheritance?
Posted by Joe Reazor at 5/21/2004 11:33:08 AM
I understand how Web.Config inheritance works between a parent application and sub applications under the parent. But what I was wondering was if there was a similar way to do the same thing for the Global.asax class? Reason being, I am setting up user authentication and authorization. I have...more >>

ASP.NET Authorization
Posted by popman at 5/20/2004 9:52:19 PM
I'd like to use role in Forms authentication and I found the following words from .net SDK about ASP.NET Authorization. " Identifies a targeted role for this element. The associated IPrincipal object for the request determines the role membership. You can attach arbitrary IPrincipal objects t...more >>

Windows Authentication Question.
Posted by Tom Callahan at 5/20/2004 10:03:42 AM
I have Windows authentication set up and it is working fine except for one problem. If the user wants to log in using a different user ID, how do I tell Windows authentication to re-authenticate the user without closing the browser? It seems that once the user logs into the system, Windows authentica...more >>

Authentication using HttpModule
Posted by don smolen at 5/20/2004 7:51:05 AM
I know that we can perform authentication of .aspx pages with an HttpModule, and that the same module can probably be used for static content (.htm, .jpg, etc.) by sending them through the ASP.Net pipeline. Can this approach be extended to include non-ASP.Net dynamic pages such as .asp and .jsp? I c...more >>

Session variables in asp.net
Posted by Newbie at 5/19/2004 6:03:34 PM
Hi All, I would really appreciate any ideas / clues on this issue which I am facing. I have an ASP.NET application; the problem is with maintaining session variables while using authentication for different users. My users are divided in groups, and have a username and pwd to log in. Now if suppo...more >>

Question about redirecting to a "session expired" page...
Posted by John Smith at 5/19/2004 3:25:52 PM
This may sound trivial but I cannot figure out how to do this... When a logged in user's session expires, I want that user redirected back to the login page with a label that says "session expired". Sounds easy, eh? First, am I correct in assuming that a session is totally separate from the "...more >>

Windows authentication Redirect /CustomErrors Issue
Posted by Ivan Smith at 5/19/2004 1:51:05 PM
I am using ASP.NET (1.1) and am setting application security in web.config using: <customErrors mode="On" defaultRedirect="Denied.htm"><error statusCode="401" redirect="Denied.htm" /><error statusCode="403" redirect="Denied.htm" /></customErrors> If I try to authenticate with invalid credentials m...more >>

Accessing Cluster Disks from a WEB Application
Posted by Programmer at 5/19/2004 1:26:45 PM
Well, here is my problem. I have a web application running on 2 web servers and I also have a cluster system. I want to use the web application to write some files to the cluster disks. So I have created on my web servers a virtual directory located on the cluster disks. (Before that I ha...more >>

SSL Performance HIT in REVERSE? the clients are PEGGED as opposed to the server?
Posted by anon at 5/18/2004 10:33:59 PM
I am trying to stress test the effects of SSL on a web server using Web Application Stress Tool (WAST). However, when using SSL and according to the WAST Help files, the performance HIT is in the opposite direction. It's on the clients at 5 times the load!!! as opposed to the server I want to test...more >>

How can I setup SSL on my LOCAL COMPUTER?
Posted by anon at 5/18/2004 7:14:07 PM
Hello, I already have set up SSL on my production server via purchasing a certificate and that seems to work fine as I can type in https:// and it works fine. However, I want AND need to be able to test my .ASPX webpages via SSL on my local server. What is the best way to do this? Thanks....more >>

accessing remote OLAP cube through WSS cause an error...
Posted by Jéjé at 5/18/2004 7:04:40 PM
Hi, I receive this error when I try to access an OLAP cube with the DSPanel web part: No connection could be made because the target machine actively refused. This error appears only when I access my server remotely and if the NT authentication is activated. If I use the clear/text authenti...more >>

Role based security and Domains
Posted by Sammy_63 at 5/18/2004 4:36:02 PM
Does anyone know how to find my Windows domain name with .NET? Here's what I'm trying to do: I'm implementing role based security by calling WindowsPrincipal.IsInRole. This requires the group names to be passed as DOMAINNAME/GROUPNAME. I use the same group names at all the installations but the...more >>

Rijndael and testing failure
Posted by Eugen Feraru at 5/18/2004 10:48:36 AM
Hello all, I am trying to test the business logic of an application that uses Rijndael encryption, by testing it when 'tampering' with the encrypted cipher. The scenario assumes that the encrypted cipher has been tampered with (by changing some of the values, but not removing them). I expected...more >>

How to Encrypt password
Posted by Robin at 5/17/2004 10:39:37 PM
In the web.config how do you generate the encrypted string that can be used to store password of the identity element? ...more >>

using System.Net.NetworkCredential class
Posted by cnett858 NO[at]SPAM hotmail.com at 5/17/2004 4:42:29 PM
I am using NUnitASP and I have run into a problem "faking" user credentials. In my ASP.Net/C# application, I have turned off anonymous access to the web app and I am allowing Windows groups to handle the permissions to the app. Things are working perfectly, i.e. only user groups that are allowed ca...more >>

Find Cookie Else Redirect
Posted by JC Foust at 5/17/2004 9:11:02 AM
Hello, I'm in the finishing stages of a new CMS site and we've recently discovered a tear-out-my-hair authentication problem. Essentially, what I have is a news site. We list articles on the index page requiring registration. What I need to do is this: When a user clicks on an article headline/...more >>

Files become ReadOnly
Posted by Miro at 5/17/2004 4:06:02 AM
Hello. For some strange reason, some of my files become ReadOnly when I copy them to a subfolder of my ASP.NET application. For each new session I clear the temp folder using this code: private void ClearTempFolder( //Remove all dwg-files from Tem String[] dwgFiles = Directory.GetFiles(Se...more >>

Reading the public key inside a strongly signed assembly from the assembly itself???
Posted by Bob Rock at 5/16/2004 8:49:32 PM
Hello, is it possible to programmatically read (and how) the public key that is embedded into an assembly that has been strongly signed??? What code would be needed??? Bob Rock ...more >>

Can't get ASP.Net to access remote folder share
Posted by Garrek at 5/16/2004 2:25:54 AM
I have a WebService executing on one server in a workgroup which needs to reach out to a folder share on another server for read/write access. I've created an identical user account on both systems (matching in username and password). I've approached the problem by writing a utility class ...more >>

obfuscation question
Posted by vadim at 5/14/2004 4:25:20 PM
Hi, Will obfuscation help in securing hard coded key in asp.net application? Thank you Vadim ...more >>

Secure Multiple Applications in one Domain
Posted by Joe Reazor at 5/14/2004 2:52:33 PM
I have a fairly simple scenario. I have a root web that is set-up with a web.config file that has forms authentication on and authorization to only allow logged in users to get in. Under the root web I have another web application that has its own web.config file. If I request a file in the r...more >>

