Security Question Answer Retrieval

Posted By:    Posted Date: August 21, 2010    Points: 0    Category: ASP.Net

I know there is a method built in for retrieving the encrypted password, but how do I retrieve the encrypted security answer?

What I want to do is have a member profile update screen where the end user can update their password and security question and answer. However, when they get to this page, I want to already be showing the security question (the easy part) and its answer (the not so easy part).

I have updated web.config with passwordFormat=Encrypted and have added a machineKey with the generator (forgot the link, but located on eggheadcafe somewhere).

I haven't done ANYTHING yet, since I already have a user store with hashed information. I wanted to get some functionality done before publishing, wiping the store and recreating users (only a couple developers).
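The supported way to build the profile update screen described above, as an added example that is not code from the original post: the provider exposes the question through MembershipUser.PasswordQuestion, but no public membership API returns the stored answer (it is kept hashed or encrypted as a credential, regardless of passwordFormat), so the page shows the question only and lets the user set a new question and answer after confirming the current password with ChangePasswordQuestionAndAnswer. The page class and control names are assumptions; the fields stand in for what the .aspx designer file would normally declare.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the original post. Assumes a Web Forms page with the
// controls named below and a membership provider configured in web.config.
public class ProfileUpdate : Page
{
    // Assumed control names (hypothetical); in a real project these come from
    // the designer file rather than being declared here.
    protected Label lblQuestion;          // shows the current security question
    protected TextBox txtCurrentPassword; // required by the provider to change Q/A
    protected TextBox txtNewQuestion;
    protected TextBox txtNewAnswer;       // TextMode="Password" so it is not echoed
    protected Label lblStatus;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        MembershipUser user = Membership.GetUser();   // current authenticated user
        if (user == null)
        {
            Response.Redirect(FormsAuthentication.LoginUrl);
            return;
        }

        // The question is not secret and can be displayed and pre-filled.
        lblQuestion.Text = user.PasswordQuestion;
        txtNewQuestion.Text = user.PasswordQuestion;

        // The answer is a credential: the provider exposes no method to read it
        // back, so it is never shown; the user supplies a new one when changing it.
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        MembershipUser user = Membership.GetUser();
        if (user == null) return;

        try
        {
            // The provider verifies the current password before accepting the
            // change and returns false when it does not match.
            bool ok = user.ChangePasswordQuestionAndAnswer(
                txtCurrentPassword.Text, txtNewQuestion.Text, txtNewAnswer.Text);
            lblStatus.Text = ok
                ? "Security question and answer updated."
                : "Current password is incorrect.";
        }
        catch (ArgumentException ex)
        {
            // Thrown for empty or over-long password, question or answer values.
            lblStatus.Text = ex.Message;
        }
        finally
        {
            // Do not keep secrets in view state between requests.
            txtCurrentPassword.Text = string.Empty;
            txtNewAnswer.Text = string.Empty;
        }
    }
}
```

Setting TextMode="Password" on txtCurrentPassword and txtNewAnswer in the markup keeps both secrets out of the rendered page and out of view state, which is the property the original design (pre-filling the answer) would have given up.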



More Related Resource Links

Question about URL security

Hi, I'm creating a website where I want people not to be able to create links to certain pages. The site works like this: the user does a search for a document and clicks the link to view it, then he can view the document. If the user somehow adds the URL to favorites, he should not be able to view the document when he tries to view it again at some later time. In addition, if the user sends the URL to other people, they should not be able to view the document. Any suggestions on how to implement this?

public web methods...how to make private? Security question


I understand how to set security for a ASP.NET web page, how to encrypt a Silverlight page, and a WCF application, but my question goes to this:  given a web method, which by definition must be public, how do you keep people from accessing it outside of your client program?

If your program (client) is the only way to access this web method, then there's no problem.  But it is impossible to make a web method private--it won't compile--so how to keep people from using it?  The only thing I can think of is that if you call your web method by an obscure sounding name, it's likely nobody will guess the URL, and if you set your server so it cannot be searched (dir *.*) by the public, it's unlikely anybody will ever guess the name of the web method.  But this is hardly 100% secure.  And what if you call your web method "DoWork", which is the default OperationContract name in Visual Studio?

What am I missing?



//what I have in mind

public interface IService1
{
    string DoWork();
}

public string DoWork()
{
    //secret stuff in here
    string SecretStuff = "S

security question about dynamic data


Apologies if this has been answered before.

It seems that the scaffolding that generates the list, edit and details aspx pages uses querystrings to pass the primary key for the relevant record. Thus if I have a list.aspx showing me a grid of records, the edit hyperlink will be something like http://../tblTable/edit.aspx?ID=n where n is the key of the record to edit.

However, obviously this is not secure for a multi-user site, as someone else with a valid login could potentially see records which they shouldn't simply by trying different "ID=n" values?

Is there a way to change this behaviour in a Dynamic Data site, or will I have to manually code to ensure a user only sees records intended for them?

any help is gratefully appreciated



Using Sharepoint 2003 - Data Security Question

We need to limit visibility of data in a datasheet to users based on their ID, NOT on who created or loaded the data.  If this is possible, how do we accomplish this?

question about multi user website and security



I am developing a multi-user website using Dynamic Data and wondered if someone could answer the following or provide advice:

What is the best way of protecting data so someone (who has a login to the site) cannot see records intended ONLY to be viewable by another valid user?

As far as I can see, a user can simply tamper with querystring or URL values (if using routing) and bring up the details of records they should not.

Any help would be gratefully appreciated. I am drawing a blank so far, and the easiest option may be to go back to a traditional ASP.NET site where I can control things simply by use of a Session variable (UserID).



Newbie User Import Question re: One way external trust & Security



There is a business initiative to install a Dev SharePoint 2007 server in our Trusting Domain. My internal corp network will be Corp.COM. The 3rd party network will be 3rd.COM. Currently 3rd.COM has a one-way External Trust pointing inward to Corp.com. Corp.COM Domain and Forest levels are Windows 2003. 3rd.com Domain level is Windows 2000 Mixed and the Forest is Windows 2000.

The Dev SharePoint server is located in the 3rd.Com domain and the consultant is trying to import Corp.com users by pointing the user profile connection to Corp.com Active Directory. Needless to say this will fail because there is a one-way trust in place, so 3rd.com users are allowed to read Corp.Com Active Directory. Not to mention there are no firewall ports open for this anyway. My questions are...

How can we securely allow this SharePoint server in 3rd.com to import users from Corp.com?

Ideally we would like to use a service account from Corp.com to import the accounts. We would also like to either

(A) encrypt the SharePoint server's communication to our Corp.com Active Directory, because there are two firewalls in between; the trust ports would be specifically opened from SharePoint server <-> Corp.com DC, or

(B) somehow use the existing trust to facilitate this procedure, with no additional ports opened on the firewalls.

Any ass

"newby" question about packet sniffing and security and fraud prevention


Basically, I am looking for a reliable source of where I can start to learn to master this. While I can continue to work on this using perl, I am hoping there is something in .NET that supports this so that I can get better performance from compiled code.  Having programmed in C++ for so long, C# strikes me as trivially easy to use: the two are so similar, and the more advanced features of C++ don't seem to be there.

I am a "newby" only in the sense that normally I work on application software (such as statistical or data mining applications: I have programmed in FORTRAN and C/C++ for decades).  I am just beginning to examine low level programming tasks such as examining the lower OSI layers.

I have written some code aimed at one form of ecommerce fraud based on CGI programming in perl.

Maybe the question is naive, but I thought I might be able to get a clue about suspicious incoming traffic if I can compare the IP address information at the IP layer with the IP information in selected HTTP headers.  I would guess that the first thing to do is to be able to sniff incoming packets, and the next is to relate the incoming packets to the requests that have been made to our httpd server (I have access to both MS IIS and Apache, so whatever I do, I can host it on either, depending on what will give the best

Can somebody answer this multiple choice question regarding exceptions ?


You are creating a class library that will be used by several applications. You need to create a custom exception that will be thrown if an application attempts to retrieve product information using an invalid product number.

You need to create the ProductNotFoundException class. From which class should you derive ProductNotFoundException?

A: ApplicationException

B: SystemException

C: Exception

D: ArgumentException


Update Active Directory attributes - Security Answer and Password - Console Application



I need to update Active Directory properties (attributes) through a console application, like Title, mail, sn, passwordQuestion and passwordAnswer.

DirectoryEntry.Properties["passwordQuestion"].Value = "What is your Favorite Color?";
DirectoryEntry.Properties["passwordAnswer"].Value = "green";

After updating, I check the attributes in Active Directory. All is fine.

The "password answer" is saved as plain text.

After logging into the ASP.NET portal with the user's credentials, it is working fine. After logout, when I go to click the forgot password link, it asks for the email address and after that displays the security password question, and the security password answer needs to be entered.

When I enter the security password answer in the text box and click submit, it throws the error:

Invalid length for a Base-64 char array.
Exception Stack Trace:
   at System.Convert.FromBase64String(String s)
   at System.Web.Security.ActiveDirectoryMembershipProvider.Decrypt(String encryptedString)
   at System.Web.Security.ActiveDirectoryMembershipProvider.ResetPassword(String username, String passwordAnswer)
   at System.Web.Security.MembershipUser.ResetPassword(String passwordAnswer)
   at


But I update the passwordQuestion and passwordAnswer through the web application (portal)

Multiple choice security question


Which one of the following attributes would you use to minimize the security risk by limiting the assembly's privileges so that it can access only the boot.ini file?

a  [assembly:FileIOPermissionAttribute(SecurityAction.PermitOnly,Read=@"C:\boot.ini")]

b  [assembly:FileIOPermissionAttribute(SecurityAction.RequestMinimum,Read=@"C:\boot.ini")]

c  [assembly:FileIOPermissionAttribute(SecurityAction.RequestOptional,Read=@"C:\boot.ini")]

Is (a) the correct answer?

Can anyone answer of my Question regarding SQL server database connectivity??

I want to connect to my SQL Server database using my desktop application. Now just tell me: can I connect directly to my database using an IP address in my connection string? My database exists in another country.

Please clear this confusion.

Thanks in advance


MVC Security question


I have the following code for a user logon page.  Is the model only accessible by the current user?  How does MVC handle the data in the model to keep it secure and the site stable?

    public class DomainUserModel
    {
        public string Username { get; set; }

        public string Password { get; set; }

        public string Domain { get; set; }
    }

    public ActionResult Index(DomainUserModel domainUserModel)
    {
        return RedirectToAction("Image", domainUserModel as DomainUserModel);
    }

    public ActionResult Image(DomainUserModel domainUserModel)
    {
        var roleModel = new CredentialsModel();
        roleModel.Username = domainUserModel.Username;
        roleModel.Password = domainUserModel.Password;
        roleModel.Domain = domainUserModel.Domain;
        roleModel.Roles = svcRole.CheckUserRoles(domainUserModel.Username);
        return View(roleModel);
    }

Silverlight and WCF 'simple question' (right), involving https vs transport security


Two questions:  I’m familiar with WCF and using it with Silverlight, https:, and I have a remote web server that I have a SSL / TLS certificate on.


I want to encrypt login and/or data to and from the web server.  Already I can do this on localhost, using this video:  http://www.silverlight.net/learn/videos/silverlight-videos/using-aspnet-secure-services-and-applications-services/

    (“In this video, Tim Heuer demonstrates two important features of Silverlight and ASP.NET, using secure web services and using ASP.NET application services from within Silverlight. This demonstration walks through securing services and interacting with the ASP.NET authentication services to restrict use as well as directly interact with ASP.NET application services from within a Silverlight application.”)

 Also I have reviewed this video on localhost:


Need help creating an admin tool to reset password without question/answer



I'm dealing with a scenario where a legitimate user doesn't have a clue about his password, secret question or the answer. So, I was trying to create an admin tool that would help me in situations like these where the admin should be able to type in username and reset the password without having to know/enter answer to secret question. I understand that I need to make some changes to the web.config for this to work. I thought I made all the changes but my ResetPassword() requests are still not working.

Here's my web.config settings for the provider.

<membership defaultProvider="AspNetMembershipProvider">
      <add connectionStringName="MyConnectionString" 

Security Settings Question


I am building an ASP.NET 2.0 web application for my client. The site is temporarily hosted on a Windows XP Pro SP2 box with IIS 5.1. The site is completely secured using only Windows Authentication. No other security options are turned on in IIS. I also need to vary the access to subdirectories as well, so I have created three Windows groups: Admin, Test and User.

The first problem I ran into was, domain users were able to get access to the site even though they were not in any of the three windows groups. The root configuration was:

<deny users="?" />
<allow roles=".\Admin,.\Test,.\User" />

I missed the inherited <allow users="*" />, which is why they were granted access. So I added in a <deny users="*" />, which seemed to fix the problem. The question I have is that it didn't seem to matter if the <deny users="*" /> was before or after the <allow roles=".\Admin,.\Test,.\User" />. I would have thought that putting it before would disallow all users.

Secondly, I have a sub-directory called Admin where I only want users in the Admin group to have access. The configuration in that directory was:

<deny roles=".\Test,.\User" />
<allow roles=".\Admin" />
This worked but what has caught me by surprise was t

Please Indicate "Mark as Answer" if a Post has Answered the Question



While reading a reply to your question, you will notice a button with an icon that says "Mark as Answer."   Please select this button when a reply answers your question.


There are several reasons to do this:

  • Our search engine weights Answered questions more highly. By marking Answers you increase the chances that others searching this forum will find the answer directly rather than re-posting the question.
  • You give credit to the hard working folks who ans

WSE 3 question about WS Security headers


Dear all,

we are experiencing the following troubles with WS Security header in SOAP messages (we are still using WSE 3 with .NET 2.0 and generate the client proxy classes with the wsewsdl3 tool).

We are using a username token to pass a username and password necessary to call a web service method (web service is not under our control). If we use a bad password, we will get a SoapException on reception which is expected. Using the correct password, the authentication runs ok and the web service sends us a response with expected data (we used wireshark to confirm this). But the web service also inserts a WS Security header in the response with the same username token (plain text or hashed password). And this leads to a ResponseProcessingException on the client side telling us that username and password could not be verified (on the client side). Huh. So the points are:

1. Why does the web service send back the username token? We did not find anything that it should be done this way in the WS Security standard.

2. How can we tell our client proxy to (at least) ignore the security header to prevent the exception? We tried to use a custom security assertion with ReceiveSecurityFilter installed, but the exception is raised before ValidateMessageSecurity is called. The only way we found was to override the ProcessMessage method of the filter and
