Quantcast
Channel: Security
Viewing all 4737 articles
Browse latest View live

Identity Without SQL Membership Database

February 10, 2017, 1:52 pm
$
0
0

Hello everyone and thanks for your help in advance.  I want to learn more about more about ASP.Net Identity.  However, virtually every example I find is closely integrated with the SQL Membership database and I find that to be both confusing as well as lacking the ability to customize.  In the past, I have typically steered clear of the membership patter due to these issues.  Would someone be able to point me to resources on how to implement Identity framework without having to use the membership provider?  I do see there are other GitHub projects where the membership provider is either extended or replaced and I want to have the in depth knowledge of how the actual security is implement exclusive of the provider.  Any insight would be appreciated.

Search

I need the missing link! - Knockout.js, MVC App, Web Api, Bearer Tokens, Forms Authentication, Identity 2 - confused!

February 12, 2017, 5:53 pm
$
0
0

Hi, I have been toying with this on and off for a little while now and I know I am missing some link that will be my lightbulb moment. I have the following;

MVC Web API - Setup and configured for oAuth

MVC Web APP - front end application using knockout.js to talk to the Web.API

Here is what I am missing;

When first hitting the web app how do you know to direct to the login page in order to authenticate? Forms authentication handles this normally by checking for the cookie does it not?

After getting a bearer token via knockout.js how do I inform the web app that the user is authenticated and be able to use things like Request.IsAuthenticated or it's equivalent?

How are bearer tokens expired if a user simply browses from the web app without logging off or closing the browser, the bearer token is still valid is it not?

How are refresh tokens to be used along with bearer tokens?

I have followed many, many blogs, writings and examples but they just seem to confuse me more, information overload and a case of too much info!

I would just love to find a very simple example to demonstrates this behaviour if anybody knows of one.

Also, having never worked with it, would I gain anything from trying to destruct an Angular example, am I correct in assuming it follows very much the same lines as knockout?

Any help will be greatly appreciated.

Failed: Password requires digit

February 13, 2017, 11:54 pm
$
0
0

The code below returns the error “Failed: Password requires digit.” Any ideas? Could it have something to do with hashing the password?

var user = new User();
var hasher = new PasswordHasher<User>();
//var users = new List<Users>()
{
    new User
    {
        UserName = "user@invalid.host",
        FirstName = "Joe",
        LastName = "Green",
        Email = "user@invalid.host",
        NormalizedEmail = "user@invalid.host",
        PasswordHash = hasher.HashPassword(user, "Testing123"),
        EmailConfirmed = true,
        LockoutEnabled = false,
        SecurityStamp = Guid.NewGuid().ToString()
    };
}
var result = await _userManager.CreateAsync(user, "Administrator").ConfigureAwait(false);

Control access to web application to authenticated users

February 14, 2017, 9:42 pm
$
0
0

I am making a web app using vb.net 4.5.2 Web Forms and Identity 2.0. I need the entire web app to be restricted to only authenticated users accept the login page. I have done this in the past with ASP.Net membership and framework 4.0.

The issue I am having is that if I have my web.config as follows:

<!--<authentication mode="None" />--><authentication mode="Forms"><forms loginUrl="~/Account/Login" timeout="28800" defaultUrl="Login.aspx"/></authentication><authorization><deny users="?"/></authorization>

...

  <appSettings><add key="autoFormsAuthentication" value="false" /><add key="enableSimpleMembership" value="false"/></appSettings>

...

  <location path="Scripts"><system.web><authorization><allow users="*"/></authorization></system.web></location><location path="Content"><system.web><authorization><allow users="*"/></authorization></system.web></location><location path="robots.txt"><system.web><authorization><allow users="*"/></authorization></system.web></location><location path="Login.aspx"><system.web><authorization><allow users="*"/></authorization></system.web></location>

I get this error: 

HTTP Error 404.15 - Not Found

The request filtering module is configured to deny a request where the query string is too long.

tp://localhost:51032/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccou.....

If I remove change the last location path= to the whole account folder The error goes away but I CAN NOT GIVE whole access to the account folder. I have tried changing the defaultUrl from the forms tag without luck. I presume that tag may be part of it as when I open up the account folder, the login page gets a ReturnUrl of ?ReturnUrl=%2F, part of the repeating sequence we get above.

I am about to loose my mind over this as I have been working on it for days to no avail.

ASP.Net Runtime Error

February 14, 2017, 8:46 pm
$
0
0

Hi

I have a simple asp.net aplication, but an security scan report is showing me that I have some security issues to solve, the main problem is the custom error handle, if I try to navigate to the following path   "/..."  (yes root following by three dots)

a runtime error is thrown, to me is an 404 error and when the app try to send the custom error page something happens and an 500 internal error is throwed, my web config is this

<customErrors mode="On" defaultRedirect="error.html">
<error statusCode="403" redirect="error.html" />
<error statusCode="404" redirect="error.html" />
<error statusCode="500" redirect="error.html" />
</customErrors>

<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="File" >
<remove statusCode="403"/>
<remove statusCode="404"/>
<remove statusCode="500"/>
<error statusCode="403" path="error.html" />
<error statusCode="404" path="error.html" />
<error statusCode="500" path="error.html" />
</httpErrors>

the login generated code and sql connection

February 15, 2017, 7:40 am
$
0
0

hello every body...

using vs2015.asp.net.4.5.2.c#

on the generated login code that comes when creating a new project..

i got an error saying sql connection is close... on debug mood.. (this error occurs occasionally !! not every time )

so i have tried to move the cursor 2 line on code above and hit the f5... and this time its works....!!

the code

                // Validate the user password
                var manager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
                var signinManager = Context.GetOwinContext().GetUserManager<ApplicationSignInManager>();

                // here is the error line
                var result = signinManager.PasswordSignIn(Email.Text, Password.Text, RememberMe.Checked, shouldLockout: false);

and this is the error

An exception of type 'System.Data.DataException' occurred in mscorlib.dll but was not handled in user code

{"The underlying provider failed on Open."}

{"A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)"}

The network path was not found

thank you

 

AD Authentication and role redirect.

February 15, 2017, 2:01 pm
$
0
0

Hi,

I don't have a login page, as my site intranet site is using AD Auth, and all the examples and articles I've found seem based on building a login process. What i'm trying to do is redirect used for one or more AD groups to a certain page.

I have a .Master page that my templates are based on, so i'm assuming I would be adding code into it's code behind and then compiling. 

I had a thought a simple If Else statement would work. Assign the current groups/roles to a string then go from there, but here the AD groups are messy and people are assigned to over a dozen groups.

So it's possible i would have to loop through all the groups a user is assigned to looking for a match. If my logic is sound, i'm stuck on writing the code.

This Stack article seems the closest to what i'm trying to do, but my lack of C# is not helping.

Cheers,
Mark.

ASP.Net form authentication and IIS throws 404 error for a protected page from Google app iPhone request but public page displayed correctly

February 18, 2017, 1:37 pm
$
0
0

Our application is Identity provider and enabled sp init sso for a google iphone mobile application. We are using .Net form authentication , IIS 7.5. This flwo works perfectly across all devices and platforms and also works iwth iphone PagerDuty mobile app. The only problem is with iphone google doc mobile app. When SP init sso initiated from google doc iphone mobile app, IIS throws 404 error page for protected pages but public page displayed correctly. I spent many days with google search and tried out most of the solutions available but none of them helped to resolve thsi issue. now client needs to execute this flow daily but no solution.

Below are few things from many things I tried.

1)    <validation validateIntegratedModeConfiguration="false"/><modules runAllManagedModulesForAllRequests="true"/>

2)    <modules><remove name="UrlRoutingModule-4.0" /><add name="UrlRoutingModule-4.0"  type="System.Web.Routing.UrlRoutingModule" preCondition="" /><!-- any other modules you want to run in MVC e.g. FormsAuthentication,       Roles etc. --></modules><system.webServer>

3)    In IIS select your website and double-click Handler Mappings
      Find ExtensionlessUrlHandler-ISAPI-4.0_32bit and double-click
      In the dialog that appears, click Request Restrictions
      On the Verbs tab add the missing HTTP verbs separated by commas (in my    case it was PUT and DELETE
      Click Ok where required and answer Yes in the Edit Script Map dialog that pops up.
      Repeat for ExtensionlessUrlHandler-ISAPI-4.0_64bit
      <modules><remove name="UrlRoutingModule-4.0" /><add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" /></modules></system.webServer>



  4) <system.webServer><modules runAllManagedModulesForAllRequests="true"><remove name="WebDAVModule" /></modules><handlers><remove name="ExtensionlessUrlHandler-Integrated-4.0" /><remove name="OPTIONSVerbHandler" /><remove name="TRACEVerbHandler" /><remove name="WebDAV" /><add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" /></handlers><security><requestFiltering><verbs><remove verb="OPTIONS" /></verbs></requestFiltering></security></system.webServer>



   5) IIS Manager > Modules > select UrlRoutingModule-4.0 > Edit Module >     check the check-box "Invoke only for requests to ASP.NET applications or managed handlers".

6)  <security><requestFiltering><verbs applyToWebDAV="true"><remove verb="PUT" /><add verb="PUT" allowed="true" /><remove verb="DELETE" /><add verb="DELETE" allowed="true" /><remove verb="PATCH" /><add verb="PATCH" allowed="true" /></verbs></requestFiltering></security>

I appreciate any of your helps. Thanks.


Search

avoid multiple user with same credentials at a time,and calculate login and logout time ,

February 20, 2017, 12:54 pm
$
0
0

Hi Am developing ASP.net application in 3 tier Architecture ,having one login module ,i want a single user should be logged in at a time ,if he loged in with same credential on another machine ,the old session should clear,And i want to Calculate logged in time duration of perticular User.if he inactive for 30 minute session will expire and if browser is closed also clear session and count the time duration.

how to Prevent Multiple Concurrent User Logins For The Same UserName

February 21, 2012, 3:42 am
$
0
0

how to  Prevent Multiple Concurrent User Logins For The Same UserName

rying to get Roles to populate a checkboxlist based on tutorial but with using asp.net identity and c# here is my code

February 22, 2017, 11:04 am
$
0
0

https://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASPNET-20-using-Windows-Authentication-and-SQL-Server

public void PopulateRoleList(string userName)
{
    var Usermanager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
    var RoleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(new ApplicationDbContext()));
    userName = Usermanager.FindByName(TextBox1.Text).ToString();
    string roleNames = null;
    string roleName = null;
    roleNames = RoleManager.Roles.ToString();
    foreach (string roleName_loopVariable in roleNames)
    {
        roleName = roleName_loopVariable;
        ListItem roleListItem = new ListItem();
        roleListItem.Text = roleName;
        roleListItem.Selected = Usermanager.IsInRole(userName, roleName);
        RoleList.Items.Add(roleListItem);
    }
}
public void UpdateRolesFromList()
{
    foreach (ListItem roleListItem in RoleList.Items)
    {
        var Usermanager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
        var RoleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(new ApplicationDbContext()));
        string roleName = roleListItem.Value;
        string userName = TextBox1.Text;
        bool enableRole = roleListItem.Selected;
        if ((enableRole == true) & (Roles.IsUserInRole(userName, roleName) == false))
        {
            Usermanager.AddToRole(userName, roleName);
        }
        else if ((enableRole == false) & (Roles.IsUserInRole(userName, roleName) == true))
        {
            Usermanager.RemoveFromRole(userName, roleName);
        }
    }
}
protected void LookupBtn_Click1(object sender, EventArgs e)
{
    PopulateRoleList(TextBox1.Text);
    UpdateBtn.Visible = true;
}
public void UpdateBtn_Click(object sender, System.EventArgs e)
{
    UpdateRolesFromList();
    PopulateRoleList(TextBox1.Text);
}

where TextBox.text is for username input

Trying to get Roles to populate a checkboxlist based on tutorial but using Asp.net identity and c#

February 22, 2017, 11:10 am
$
0
0

Link to article:https://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASPNET-20-using-Windows-Authentication-and-SQL-Server

My Code:


public void PopulateRoleList(string userName)
{
var Usermanager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var RoleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(new ApplicationDbContext()));
userName = Usermanager.FindByName(TextBox1.Text).ToString();


string roleNames = null;
string roleName = null;
roleNames = RoleManager.Roles.ToString();
foreach (string roleName_loopVariable in roleNames)
{
roleName = roleName_loopVariable;
ListItem roleListItem = new ListItem();
roleListItem.Text = roleName;
roleListItem.Selected = Usermanager.IsInRole(userName, roleName);
RoleList.Items.Add(roleListItem);
}


}


public void UpdateRolesFromList()
{
foreach (ListItem roleListItem in RoleList.Items)
{

var Usermanager = Context.GetOwinContext().GetUserManager<ApplicationUserManager>();
var RoleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(new ApplicationDbContext()));
string roleName = roleListItem.Value;
string userName = TextBox1.Text;
bool enableRole = roleListItem.Selected;


if ((enableRole == true) & (Roles.IsUserInRole(userName, roleName) == false))
{
Usermanager.AddToRole(userName, roleName);
}
else if ((enableRole == false) & (Roles.IsUserInRole(userName, roleName) == true))
{
Usermanager.RemoveFromRole(userName, roleName);
}
}
}

protected void LookupBtn_Click1(object sender, EventArgs e)
{
PopulateRoleList(TextBox1.Text);
UpdateBtn.Visible = true;
}

public void UpdateBtn_Click(object sender, System.EventArgs e)
{
UpdateRolesFromList();
PopulateRoleList(TextBox1.Text);
}
}

Windows Authentication, Custom Role Provider

February 22, 2017, 9:08 pm
$
0
0

Hi,

I'm running into an issue and hoped someone could help. I'm using Windows Authentication for an app (internal company use only) and we wanted to be able to use [Authorize(Role=)] for our controllers. I setup a custom role provider and implemented the functions. When I add for example [Authorize(Role ="Admin")] to a controller and try to get to the controller it works! My problem is, if the person ISN'T in an authorized role they are asked to enter their NTID and password by Windows. I'm wondering how to instead get the controller to say "Ok, you aren't in an authorized role, I'm gonna send the HTTP 403 code."

Thanks for your help

Matt

Registered users can't log in asp.net identity

February 23, 2017, 8:02 pm
$
0
0

I am using ASP.Net Identity 2.0 with web forms and VB. I am making an internally managed application where the users are effectively employees. I have a page where an administrator can register new users and change their passwords. Users created through the normal Register page work just fine. When I move the same code to my administration page (without the auto signin line) the users can't log in.

This is the line in question:

signInManager.SignIn(user, isPersistent:=False, rememberBrowser:=False)

Is getting the user signed in a requirement for a valid user? Is there a way for me to create this user without auto signing in as them?

mvc 5 facebook cookie

February 24, 2017, 3:06 pm
$
0
0

I have mvc 5 app with facebook login

Even if i log out the facebook cookie  persists: Why?

this way it is possible to re-login without password ......

Search

ClaimsPrincipal.Current declaration in VB.NET

February 24, 2017, 7:25 pm
$
0
0

Hello,

I am using a code in C# that works fine for a website designed in C# but I am uable to convert it to VB.NET for another site. Here is the C# functional code:

using System.Security.Claims;
dynamic principal = ClaimsPrincipal.Current;

Then I could do principal.FindFirst(ClaimTypes, givename, email etc... Whatever I need to fetch from AD.

So I tried to convert it to VB.NET like this

Imports System.Security.Claims
Dim principal As VariantType = ClaimsPrincipal.Current


But it gives me System.Security.IPrincipal implementation that supports multiple claims based identities. Value of type ClaimsPrincipal cannot be converted to VariantType.

Does someone know what would be correct VB.NET syntax for the line below to get the current logged in user?

Dim principal As VariantType = ClaimsPrincipal.Current

Thanks

Can a user alter the javascript on a an asp.net page?

February 25, 2017, 2:07 pm
$
0
0

Suppose a malicious user wants to submit a page (asp or html) that belongs to a legitimate website, but wants to either

1. change the JavaScript validation or other code in the page he is viewing

2. change a value in the viewstate or in a Gridview row.

Is that possible?  Can he do it?

Get and validate token from header

February 27, 2017, 8:06 pm
$
0
0

An external site requests a html page on my server and a authorization token will be sent in the header. 

How can I retrieve the token using javascript before the html page loads so I can validate the token?  thanks for any help.

How to store passwords in code

March 1, 2017, 1:17 pm
$
0
0

I have a form that sends emails. But i need to put in my password and username for the smtp authentication.

 await client.AuthenticateAsync("post@magnetisknord.com", "password").ConfigureAwait(false);

How do I do this the proper way?

Where is pdb symbols file for Microsoft.AspNet.Identity

March 2, 2017, 4:02 pm
Viewing all 4737 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>