|
Since you are in the context of ASP.NET, you may want to look at System.Web.Helpers.Crypto class as it provides a few handy functions to do Hashing for you. For example:
using System.Web.Helpers;
public void SavePassword(string unhashedPassword)
{
string hashedPassword = Crypto.HashPassword(unhashedPassword);
}
The Crypto.HashPassword function takes care of creating a salt for you. The returned value of that function already contains both the salt and the hashed password in a single value. All you need to do is store the username and hashed password in your database and you're done.
More info, read: Password management made easy in ASP.NET with the Crypto API | brockallen[^]
|
|
|
|
|
Very many thanks for your post, Vincent. That must be the simplest hash/salt I have seen! Thanks, to, for the link which discusses password verification for use on a log-in page.
I will give it a try.
I am assuming that, for the new user registration page, I would use (as above):
Public Sub CreateAccount(ByVal username As String, ByVal password As String)
Dim hashedPassword = Crypto.HashPassword(password)
CreateAccountInDatabase(username, hashedPassword)
End Sub
and then my 'Submit' button:
Private Sub BtnReg_Click(sender As Object, e As EventArgs) Handles BtnReg.Click
'Dim hashedPasswordText As New Label With {.Text = (Hash512(password.Text, CreateRandomSalt))}
Using connection As New OleDbConnection("connectionString")
Dim Sql As String = "INSERT INTO university (username,strEmail,hashed,salted) VALUES (@username,@strEmail,@hashed,@salted)"
Dim cmd As New OleDbCommand(Sql)
cmd.Connection = connection
cmd.Parameters.AddWithValue("@username", username.Text)
cmd.Parameters.AddWithValue("@strEmail", strEmail.Text)
Dim hashed As Boolean
cmd.Parameters.AddWithValue("@hashed", hashed)
Dim salted As Boolean
cmd.Parameters.AddWithValue("@salted", salted)
connection.Open()
cmd.ExecuteNonQuery()
End Using
End Sub
Does that look as if it may work?
Thanks again!
|
|
|
|
|
You don't need to store the salt anymore in your database as the returned value of the Crypto.HashPassword already has a Salt on it.
Dim hashedPassword = Crypto.HashPassword(password)
For example, the variable hashedPassword already contains the Hash + Salt
So your code would now be something like:
Private Sub CreateAccount(ByVal username As String, ByVal password As String, ByVal email As String)
Dim hashedPassword = Crypto.HashPassword(password)
Using connection As New OleDbConnection("connectionString")
Dim Sql As String = "INSERT INTO university (username,strEmail,hashed) VALUES (@username,@strEmail,@hashed)"
Dim cmd As New OleDbCommand(Sql)
cmd.Connection = connection
cmd.Parameters.AddWithValue("@username", username)
cmd.Parameters.AddWithValue("@strEmail", email)
cmd.Parameters.AddWithValue("@hashed", hashedPassword)
connection.Open()
cmd.ExecuteNonQuery()
End Using
End Sub
Private Sub BtnReg_Click(sender As Object, e As EventArgs) Handles BtnReg.Click
CreateAccount(username.Text,password.Text,strEmail.Text)
End Sub
PS: My apology as I'm not good at VB.NET 
|
|
|
|
|
Public Sub CreateAccount(ByVal username As String, ByVal password As String)
Dim hashedPassword = Crypto.HashPassword(password)
CreateAccountInDatabase(username, hashedPassword)
End Sub
Private Sub CreateAccountInDatabase(username As String, hashedPassword As Object)
Throw New NotImplementedException()
End Sub
Private Sub CreateAccount(ByVal username As String, ByVal password As String, ByVal email As String)
Dim hashedPassword = Crypto.HashPassword(password)
Using connection As New OleDbConnection("connectionString")
Dim Sql As String = "INSERT INTO university (username,strEmail,hashed) VALUES (@username,@strEmail,@hashed)"
Dim cmd As New OleDbCommand(Sql)
cmd.Connection = connection
cmd.Parameters.AddWithValue("@username", username)
cmd.Parameters.AddWithValue("@strEmail", email)
cmd.Parameters.AddWithValue("@hashed", hashedPassword)
connection.Open()
cmd.ExecuteNonQuery()
End Using
End Sub
Private Sub BtnReg_Click(sender As Object, e As EventArgs) Handles BtnReg.Click
'Do some forms validation here
CreateAccount(username.Text, password.Text, strEmail.Text)
End Sub
I still get one compilation error while trying to load the page I my browser and that relates to Crypto which, VS tells me, is not declared. Again, the light-bulb pops up with a few alternatives including 'generate Crypto as class'. Not sure if that's what I should opt for as I am in unfamiliar territory here.
Thanks again.
|
|
|
|
|
You need to add a reference to the System.Web.Helpers assembly, and add Imports System.Web.Helpers to the top of your code file.
You'll also want to remove CreateAccount(ByVal username As String, ByVal password As String) and CreateAccountInDatabase(username As String, hashedPassword As Object), since they're not used, and calling either of them will result in an exception.
NB: Don't remove CreateAccount(ByVal username As String, ByVal password As String, ByVal email As String), since that's the one you're using.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
You need to add a reference to System.Web.Helpers. If it's not present in your project references then add it. You will find this assembly in the Extensions group under Assemblies in Visual Studio 2010, 2012 & 2013 (Reference Manager). You can also add it via NuGet package manager.
Once you've added that reference to your project, then declare the following in your code:
Imports System.Web.Helpers
|
|
|
|
|
how to hold browsing path in fileupload control(i want to choose my choice folder) & How to get uploaded file path ,while click on show in folder(Show in Folder)?
Select Saving path: Fileupload1(Holds saving path)
Select File: Fileupload2 (file)
Show in folder(link Button)(sucessfull uploaded file show in folder)
Thanks in Advance..
|
|
|
|
|
You can't get that for security reasons.
|
|
|
|
|
I've been going to programmer seminars over the last month and learning more about .Net Core, and the concepts of breaking up my programs into smaller pieces and processes. My plan going forward is to start running my .Net Core apps in Docker Containers in my little data center first, then Azure later. So we were talking about Azure and Web Jobs, which Segway into sending email as a separate process. Rob Rich, the speaker was talking about making email more durable and stateless by making it a separate process that works off a message queue. I get the concept as if it was an illustration, but can't grasp the code architecture of it.
I currently just have classes that handle email in a separate project that is attached to the main project. The email classes just generates the email message and then calls SendMailAsync in the same external project. I'm thinking perhaps I should create a new project that just handles email. Something completely modular that I could use over and over with little configuration or integration.
My first thought is take the SendMailAsync, and create a .Net Core console app for it. Pass the mail to it, send it, if it fails add it back to the queue.
Second thought is to take all the email stuff, and create another program for it and use dependency injection to generate the message, and send it.
As an exercise towards writing better architected code, I would like to get it right this time. I'm asking for help on this.
Thanks.
Richard:
Is this what you meant by console apps?
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
Wasn't he talking about using some kind of queuing broker (e.g. Apache Kafka)? From your explanation, that is what it sounds to me.
If that's the case, you will have an application that would send a message to the queue with an email object and another application that would take those objects, send the emails and, if successful, remove them from the queue.
The broker is the specialized middle-ware responsible for saving those messages until needed and delivering them, guaranteeing that no messages are lost due to applications crashing, servers not available, etc.
|
|
|
|
|
Hi everyone
I am fairly new to MVC and I've only done simple projects without security before. I am now working in a new, more complex project that requires a security model based on role + organization.
The authorization will be based on Windows user. Once the users are validated, they will be marked as working with their default organization, but the can change the organization at any time. We are imagining a drop-down with the organizations the user belong to, and stored the current one as a session variable.
The simplest part of the projects consists of several CRUDs. We have users that are either viewers or editors in these CRUDs, but their role may vary depending on the organization they are working on.
E.g. for the "Branches" table, User "Peter" may be an editor for organization 1 and a viewer for organizations 2 and 3.
If I ignore the organization, I can easily manage the security by extending System.Web.Security.RoleProvider and handling the logic within that class. I believe I could read the current organization from the session variable (haven't tried that yet) in order to add that to the class logic, but I'm pretty sure there must be a better solution.
Can anyone suggest a better solution? Ideally it should be following the ASP.NET System.Web.Security model. Any Visual Studio integrated framework that makes this security handling easier is also very welcomed.
Thank you
|
|
|
|
|
I'm no expert at this by far. But I'll mention the HttpContext. It has a lifespan of one cycle and is stateless.
So I made a Attribute that you decorate the controller ActionResult with. It runs run before the ActionResult is fired, and passes everything downstream. Basically it's session free so you don't have to worry about restarts or what server you hit. I do remember this being a little buggy, in terms of having to erase the cookie a couple of times when exiting debug and starting again, but I think I fixed it.
[AdminCheck]
public IActionResult SomeEditor()
The AdminCheck reads the cookie with special data in it, and if the user authenticates, it creates a new HttpContext.User using a GenericIdentity and GenericPrincipal
I wrote this for .Net Core
[AttributeUsageAttribute(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class AdminCheckAttribute : ActionFilterAttribute, IActionFilter
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var controller = filterContext.Controller as Controller;
var httpContext = controller.HttpContext;
Model_Admin_Login pResult = SecurityCookies.CookieRead_Admin_Login(httpContext);
if (pResult.AccountName != null)
{<br />
Model_Admin_Login model = new Model_Admin_Login();
bool result = EF_Website_Users.AdminCheck_AccountName(pResult.AccountName, ref model);
if (true == result)
{
String[] newRoles = { "Administrator" };
GenericIdentity newIdentity = new GenericIdentity(pResult.AccountName);
GenericPrincipal newPrincipal = new GenericPrincipal(newIdentity, newRoles);
httpContext.User = newPrincipal;
System.Threading.Thread.CurrentPrincipal = httpContext.User;
controller.ViewData["Admin_Menu"] = true;
controller.ViewData["Admin_UserID"] = model.ID;
controller.ViewData["Admin_UserName"] = pResult.AccountName.ToLower();
controller.ViewData["Admin_ImageUrl"] = model.Avatar.Url;
controller.ViewData["Admin_ImageAlt"] = model.Avatar.Alt;
controller.ViewData["Admin_Base64"] = model.Avatar.Data != null ? Convert.ToBase64String(model.Avatar.Data, 0, model.Avatar.Data.Length) : null;
}
else
{
controller.ViewData["Admin_Menu"] = false;
}<br />
}
else
{
controller.ViewData["Admin_Menu"] = false;<br />
}
base.OnActionExecuting(filterContext);
}
}
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
Thanks for your reply Jim. I will look into the example you provided.
When you said "It has a lifespan of one cycle and is stateless.", you mean that it won't survive a IIS/Server reboot? As long as it keeps track of sessions (which I'm pretty sure it does), we are OK with it.
Thanks you
|
|
|
|
|
On the contrary quite the opposite.
Because it reads the cookie you set with say the user name and a special token you craft when validated or authenticated the first time, the attribute will revalidate the authentication being stateless and durable, it will survive a server reboot, or say a worker process recycle and can be used in multiple Docker containers using Kubernetes.
Just add another column to your user database table to store a token that you carefully craft.
Using Sessions to store a value or to maintain authentication is dangerous and not durable in an environment that is suppose to be stateless. It may work today, but can be the cause of your worst mistake ever.
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
Hi,
I received a security issue recently.It seems to be "Man in the middle attack".
Suppose browser send a request to UI server and receive the response.
But before response is received by browser, it is intercepted by some proxy (like fiddler or burpproxy), the hacker who hold the response, he first change it and then send to the browser.
The actual user doesn't know that the response has been changed.
The application is running on https (SSL), then also it is getting changed.
I tried below things.
1- I analyzed HPKP (http public key pinning). It is aimed to fix these types of issues but it is not supported by all the browser (IE Safari).
It is supported by Chrome but i read an article that even chrome is planning to stop its support for HPKP.
2- I thought to send the encrypted data and decrypt at browser using javascript.
But javascript logic is not possible to hide from hacker.
I heard several article where it is said that javascript logic can be tried to hide, but we can not be sure that it can't be found by hacker.
Please provide some guidance where I should look for the solution to prevent this type of attack.
Regards,
Saurabh
|
|
|
|
|
If your site is always running over HTTPS, then requests and responses cannot be read or modified by a MitM. The only exceptions would be:
- The attacker has convinced a rogue CA to issue an invalid cert for your site.
This would likely be detected pretty quickly, and would result in browsers dropping that CA from their "trusted CAs" list.
HPKP[^] can help to prevent this; but if the user's first access to your site is via a compromised network, the HPKP information could also be removed or compromised.
- The attacker has compromised the user's computer, and installed their own root cert in the trusted store, allowing them to issue invalid certs for any site.
HPKP might help in this case; but if the user's computer has been compromised, the cached pins could also have been deleted or modified.
- The attacker has compromised the user's computer, and installed malware to modify pages after the browser has downloaded them.
As a site owner, there is nothing you can do to prevent this sort of attack. Even if you add CSP[^] to control which scripts can run, the malware can just remove that header.
A more likely scenario is if your site is initially served over HTTP, in which case, a MitM attacker can prevent the redirection to HTTPS, and is free to do whatever they want with your site's content.
HSTS[^] can help to prevent this, but your user would need to access your site via a clean network first.
You can request to have your site included on the "preload" list[^], which would ensure it's only ever accessed over HTTPS, even for new users. But if you ever wanted to switch back, it could take many months for your site to be removed.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Thanks Rechard,
I will try the options provided by you and get back.
|
|
|
|
|
Hi,
I am getting the following error in my Production Server, the application is working fine in Dev environment, so if I have to keep Logging etc and deploy the application, and Web Service, it takes a bit of time like Code Review etc, is there any way to find out where is the Exception happening etc? Without another deployment?
Thanks in advance.
Thanks,
Abdul Aleem
"There is already enough hatred in the world lets spread love, compassion and affection."
|
|
|
|
|
Assuming you're calling a WCF service, you can turn on message logging in the config file:
Message Logging | Microsoft Docs[^]
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Well I've made it this now, which is pretty good. I've almost completed the porting over the front end of my portfolio website and I'm working with the database now, in which I chose MongoDB since that seems to be the buzz word for job apps.
A couple I don't understand about MongoDB. Guess the first question is the auto increment for the index column. Guess Mongo uses a unique identifier based on some other logic, so I used ObjectId.GenerateNewId(); Below is an example of my controller code which writes to Mongo successfully. see the CRMMessage;
Q1: Should I just get rid of the "Id" which was int and is now string and just use InternalId? Or does MongoDB have the same mechanism that will auto increment?
So before I added the the respository to the controller function, it worked fine. Angular would register a success and run my success code. But now it returns something I can't see, which results in Error 500 according to Chrome F12.
Q2: Should I just change IActionResult to void and return nothing? I'm lost here on this.
[HttpPost]
public IActionResult AddMessage([FromBody] CRMMessage message)
{
if (message == null)
{
return BadRequest();
}
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
_crmRespository.AddMessage(new CRMMessage
{
InternalId = ObjectId.GenerateNewId(),
Name = message.Name,
CompanyName = message.CompanyName,
EmailAddress = message.EmailAddress,
PhoneNumber = message.PhoneNumber,
PhoneMobile = message.PhoneMobile,
TimeZone = message.TimeZone,
TimeStamp = message.TimeStamp,
UpdatedOn = message.TimeStamp,
Message = message.Message,
RememberMe = message.RememberMe
});
return CreatedAtRoute("GetSingleMessage", new { id = message.Id }, message);
}
This is my Angular 6, TypeScript onSubmit Function. I know this question is in the wrong section bought thought I'd ask anyways since it tied together. I wonder how it knows the difference between a success and an error. There are tools like postman in which I need to learn how to use.
onSubmit() {
this.dataService.addMessage(this.model).subscribe(
() => {
this.messageSuccess = true;
this.getStartedForm.reset();
this.model.name = '';
this.model.companyName = '';
this.model.emailAddress = ''
this.model.phoneNumber = '';
this.model.phoneMobile = '';
this.model.message = '';
setTimeout(() => {
this.messageSuccess = false;
this.getStartedModal.hide();
this.router.navigate(['/home/getStarted']);<br />
}, 3000);
},
error => {
console.log(error);
}
);
My Angular journey has been confusing because there are so many different examples and versions of Angular. I'm actually dual developing between a pure Angular 6 app in cli and this .Net Core 2.1 version so I can see the different between the two, determine which info is correct. Angular 6 using cli and ng on a text editor is more straight forward to learn first.
Any thoughts besides giving up would be appreciated.
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
Did some reading up on it and now it makes sense to me.
Changed the id to InternalId that was generated by MongoDB.Bson and called GetSingleMessage to confirm the write, which results in a 201 code.
This must be part of the CRUD operation procedure.
I'll read up on the Id part, auto-increment for MongoDB. Then figure out if I need it the value of not, and whether it should be a string or int.
Must admit it was exciting to see my angular app work correctly.
var result = CreatedAtRoute("GetSingleMessage", new { id = message.InternalId }, message);
return result;
If it ain't broke don't fix it
Discover my world at jkirkerx.com
|
|
|
|
|
Hi,
I am trying to use Elmah for my ASP.Net MVC application, in which I was somewhat successful, I could able to see errors like if I try to access url without action method like 404 etc.
But I have questions how Elmah works like
- If I have multiple layers like one Web Service and another one is UI layer, then is it better to include Elmah in both projects separately or just adding it on one Project UI is fine?
- Elmah to Work do I need to log the Errors into Elmah Database explicitly or is the Elmah going to catch the exceptions and write it in the Elmah Database, I have included the Connection string and details in the Web Config of both the Service and UI and included the DLLs as well in both the applications. Is it enough or do I need to write the Exceptions into the Elmah Db
- If I have multiple layers of application, one in that is UI layer and another one is Web Service Layer, then how would I know if any error happened in Data access layer within Web Serice or Business layer within Web Service, do I need to log it into Database of Elmah or how can I do that?
- Which is better way to log errors using Elmah, file or Database, I am using Database, it it ok?
- My most important Concern is how to secure my application? When I have Elma, it shows that we can directly access the errors, I want to make sure only the Developers should be able to access the Errors or Exceptions information, not even Admin users of the Application, can you please give me some suggestions.
I have these questions, can anybody please help me with these, thanks in advance.
Thanks,
Abdul Aleem
"There is already enough hatred in the world lets spread love, compassion and affection."
-- modified 13-Aug-18 12:18pm.
|
|
|
|
|
I am Creating my dashboard page to show line chart pie chart and bar chart in asp.net web form. I don't have any idea about that can you help me to develope the page or any links where i can get demo. Which js file i have to use for this. I don't have idea please suggest me or give me the sample code asap. Its client urgent requirement. help me please.
|
|
|
|
|
Use Google to find a charting library.
|
|
|
|
|
When i host WEB API on cloud and call from Another application then facing this issue
Server Error in '/' Application.
The remote name could not be resolved
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Net.WebException: The remote name could not be resolved:
-:Please help:-
|
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
