.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
Gaurav Pal
Post New Web Links

MVC Security question

Posted By:      Posted Date: October 22, 2010    Points: 0   Category :ASP.Net

I have the following code for a user logon page.  Is the model only accessible by the current user?  How does MVC handle the data in the model to keep it secure and the site stable?

    public class DomainUserModel
        public string Username { get; set; }

        public string Password { get; set; }

        public string Domain { get; set; }

        public ActionResult Index(DomainUserModel domainUserModel)
            return RedirectToAction("Image", domainUserModel as DomainUserModel);

        public ActionResult Image(DomainUserModel domainUserModel)
            var roleModel = new CredentialsModel();
            roleModel.Username = domainUserModel.Username;
            roleModel.Password = domainUserModel.Password;
            roleModel.Domain = domainUserModel.Domain;
            roleModel.Roles = svcRole.CheckUserRoles(domainUserModel.Username);
            return View(roleModel);

View Complete Post

More Related Resource Links

Security Question Answer Retrieval


I know there is a method built in for retrieving the encrypted password, but how do I retrieve the encrypted security answer?

What I want to do is have a member profile update screen that the end user can update their password and security question and answer. However, when they get to this page, I want to already be showing the security question (the easy part) and its answer (the not so easy part).

I have updated web.config with passwordFormat=Encrypted and have added a machineKey with the generator (forgot the link, but located on eggheadcafe somewhere).

I haven't done ANYTHING yet, since I already have a user store with hashed information. I wanted to get some functionality done before publishing, wiping the store and recreating users (only a couple developers).


Question about URL security

Hi I'm creating a website where I want people not to be able to create link to certain pages. The site work like this: The user do a serch for a document and click the link to view it, then he can view the document. If the user somehow adds the URL to favorites he should not be able to view the document when he at some time later tries to view the document. In addition if the user sends the URL to other people they should not be able to view the document. Any suggestions how to implement this?  

public web methods...how to make private? Security question


I understand how to set security for a ASP.NET web page, how to encrypt a Silverlight page, and a WCF application, but my question goes to this:  given a web method, which by definition must be public, how do you keep people from accessing it outside of your client program?

If your program (client) is the only way to access this web method, then there's no problem.  But it is impossible to make a web method private--it won't compile--so how to keep people from using it?  The only thing I can think of is that if you call your web method by an obscure sounding name, it's likely nobody will guess the URL, and if you set your server so it cannot be searched (dir *.*) by the public, it's unlikely anybody will ever guess the name of the web method.  But this is hardly 100% secure.  And what if you call your web method "DoWork", which is the default OperationContract name in Visual Studio?

What am I missing?



//what I have in mind

public interface IService1
        string DoWork();


public string DoWork()
//secret stuff in here
string SecretStuff = "S

security question about dynamic data


apologies if this has been answered before.

it seems that the scaffolding that generates the list, edit, details apsx pages uses querystrings to pass the primary key for the relevant record. thus is i have a list.aspx showing me a grid of records, the edit hyperlink will be something like http://../tblTable/edit.aspx?ID=n where n is the key of the record to edit.

however, obviously this is not secure for a multi-user site as someone else with a valid login could potentially see records which they shouldnt simply by trying different "ID=n" values?

is there a way to change this behaviour in a Dynamic Data site or will i have to manually code to ensure a user only see records intended for them?

any help is gratefully appreciated



Using Sharepoint 2003 - Data Security Question

We need to limit visibility of data in a datasheet to users based on their ID, NOT on who created or loaded the data.  If this is possible, how do we accomplish this?

question about multi user website and security



i am developing a multi-user website using Dynamic Data and wondered if someone could answer the following or provide advice:

what is the best way of protecting data so someone (who has a login to the site) cannot see records intended ONLY to be viewable by another valid user?

as far as i can see a user can simply tamper with querystring or url values (if using routing) and bring up the details of records they should not.


any help qould be gratefully appreciated. i am drawing a blank so far and the easiest option may be to back to a traditional asp.net site where i can control things simply by use of a Session variable (UserID)



Newbie User Import Question re: One way external trust & Security



There is a business initiative to install a Dev Sharepoint 2007 server in our Trusting Domain. My internal corp network will be Corp.COM. The 3rd party network will be 3rd.COM.  Currently 3rd.COM has a Oneway External Trust pointing inward to Corp.com.  Corp.COM Domain and Forest levels are WIndows 2003. 3rd.com Domain level is Windows 2000 Mixed and the Forest is Windows 2000.

The Dev sharepoint server is located in 3rd.Com domain and the consultant is trying to import Corp.com users by pointing the user profile connection to Corp.com active directory. Needless to say this will fail because there is a one way trust in place so 3rd.com users are allowed to read Corp.Com active directory. Not to mention there are no firewall ports open for this anyway. My questions are...

How can we securely allow this sharepoint server to import in 3rd.com to import users from Corp.com?

Ideally we would like to use a service account from Corp.com to import the accounts. We would also like to either

(A) encrypt the sharepoint servers communication to our Corp.com active directory. because there are Two firewalls between the trust ports would be specifically opened from Sharepoint server <-> Corp.com DC

(b) some how use the existing trust to facilitate this procedures. no additional ports opened on the firewalls.

Any ass

"newby" question about packet sniffing and security and fraud prevention


Basically, I am looking for a reliable source of where I can start to learn to master this. While I can continue to work on this using perl, I am hoping there is something in .NET that supports this so that I can get better performance from compiled code.  Having programmed in C++ for so long, C# strikes me as trivially easy to use: the two are so similar, and the more advanced features of C++ don't seem to be there.

I am a "newby" only in the sense that normally I work on application software (such as statistical or data mining applications: I have programmed in FORTRAN and C/C++ for decades).  I am just beginning to examine low level programming tasks such as examining the lower OSI layers.

I have written some code aimed at one form of ecommerce fraud based on CGI programming in perl.

Maybe the question is naive, but I thought I might be able to get a clue about suspicious incoming traffic if I can compare the IP address information at the IP layer with the IP information in selected HTTP headers.  I would guess that the first thing to do is to be able to sniff incoming packets, and the next is to relate the incoming packets to the requests that have been made to our httpd server (I have access to both MS IIS and Apache, so whatever I do, I can host it on either, depending on what will give the best

Multiple choice security question


Which one of the following attribute would you use to minimize the security risk by limiting the assembly's privileges so that it can access only  the boot.ini file ?

a  [assembly:FileIOPermissionAttribute(SecurityAction.PermitOnly,Read=@"C:\boot.ini")]

b  [assembly:FileIOPermissionAttribute(SecurityAction.RequestMinimum,Read=@"C:\boot.ini")]

c   [assembly:FileIOPermissionAttribute(SecurityAction.RequestOptional,Read=@"C:\boot.ini")]

Is a the correct answer ?

Silverlight and WCF 'simple question' (right), involving https vs transport security


Two questions:  I’m familiar with WCF and using it with Silverlight, https:, and I have a remote web server that I have a SSL / TLS certificate on.


I want to encrypt login and/or data to and from the web server.  Already I can do this on localhost, using this video:  http://www.silverlight.net/learn/videos/silverlight-videos/using-aspnet-secure-services-and-applications-services/

    (“In this video, Tim Heuer demonstrates two important features of Silverlight and ASP.NET, using secure web services and using ASP.NET application services from within Silverlight. This demonstration walks through securing services and interacting with the ASP.NET authentication services to restrict use as well as directly interact with ASP.NET application services from within a Silverlight application.”)

 Also I have reviewed this video on localhost:


Security Settings Question


I am building a ASP.NET 2.0 web application for my client. The site is temporarily hosted on a Windows XP Pro sp2 box with IIS 5.1. The site is completely secured using only Windows Authentication. No other security options are turned on in IIS. I also need to vary the access to subdirectories as well so I have created three windows groups, Admin, Test and User.

The first problem I ran into was, domain users were able to get access to the site even though they were not in any of the three windows groups. The root configuration was:

<deny users="?" />
<allow roles=".\Admin,.\Test,.\User" />

I missed the inherited <allow users="*" /> which is why they were granted access. So I added in a <deny users="*" /> which seem to fix the problem. The question I have is it didn't seem to matter if the <deny users="*" /> was before or after the <allow roles=".\Admin,.\Test,.\User" />. I would have thought that putting it before would disallow all users.

Secondly, I have a sub-directory called Admin where I only want users in the Admin group to have access. The configuration in that directory was:

<deny roles=".\Test,.\User" />
<allow roles=".\Admin" />
This worked but what has caught me by surprise was t

WSE 3 question about WS Security headers


Dear all,

we are experiencing the following troubles with WS Security header in SOAP messages (we are still using WSE 3 with .NET 2.0 and generate the client proxy classes with the wsewsdl3 tool).

We are using a username token to pass a username and password necessary to call a web service method (web service is not under our control). If we use a bad password, we will get a SoapException on reception which is expected. Using the correct password, the authentication runs ok and the web service sends us a response with expected data (we used wireshark to confirm this). But the web service also inserts a WS Security header in the response with the same username token (plain text or hashed password). And this leads to a ResponseProcessingException on the client side telling us that username and password could not be verified (on the client side). Huh. So the points are:

1. Why does the web service send back the username token? We did not find anything that it should be done this way in the WS Security standard.

2. How can we tell our client proxy to (at least) ignore the security header to prevent the exception? We tried to use a custom security assertion with ReceiveSecurityFilter installed, but the exception is raised before ValidateMessageSecurity is called. The only way we found was to override the ProcessMessage method of the filter and

Help me solve this question:Invalid value for key 'integrated security'


I has develop a website using vS10 using Operating system vista and was working well however i apply it at different os which is window 7 it appeared this error

Invalid value for key 'integrated security'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentException: Invalid value for key 'integrated security'.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[ArgumentException: Invalid value for key 'integrated security'

sql security question regarding sample 'pubs' database


if i have a sql login that belongs to the server role 'public' .


it does not have user access in  any database . however it can access pubs sample database why?

sql security question??

how do i know the present password for login 'sa' of my sql server 2005

SharePoint Tutorial - Security

Security in SharePoint is comprised of users, groups and roles.

Users, Groups and Roles

A user account comes from the authentication system. For example, if Active Directory is used to authenticate then the user accounts will come from it.

There are two types of groups SharePoint uses: domain groups and SharePoint groups.

Asp.net web site security database


Hello all, I'm new to asp.net and I'm currently practising some few stuffs. I'm creating a hotel reservation system using ASP.net Web site in visual studio 2008 and I currently don't have an App_Data in my solution explorer unlike visual web developer.

1. I have planned to make users of the website login before making their reservations.

2. I have also planned to develop the website such that I will be able to know all reservations made by each user.

First and formost, I will like to know how I can access/View the security database?

Secondly, how do I link my custom made reservation database and the security database in order to achieve my second plan above.?

Someone help me.

Thank you.

ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend