If I turn off anonymous access to an ASP page and then use "Integrated Authentication" in an intranet environment, I expected the user context to be the user who is accessing the page. It doesn't seem to be the case.
I'm using a component (ASPUpload) to move a file to a share point on another box. The user context that I thought I was running under has write access to this share but I keep getting a 500 back when I run the page. Local paths work fine, share points are a no go.
I turned to basic authentication, put the name of the domain in the domain box and then used the same username and password to access the page and it copied the file with no problems. So in this case it seems that the user context WAS the user I expected.
I'm getting the following error in my event log: Failed on creation from object context: CoCreateInstance (ProgId: SOFTWING.ASPtear) (CLSID: {A06F79A7-A329-11D2-880F-0020AFD81B6D}) (Microsoft Transaction Server Internals Information: File: i:vipersrc untimecontextccontext.cpp, Line: 1347). I have checked Microsoft and, following their instructions, ensured the correct permissions are set on the relevant DLL.
I had previously posted this in inetserver.asp.components, I don't think that was the right place... anyways, here is a repost:
We are currently using ASP.NET 2.0 to revamp one of our web applications. Let me try to briefly explain how each page is laid out...
Usually within the page, there are 3 components... The header, the body, and the footer. The header and footer are user controls created by one of our developers, and contain things that all the pages in our web app should contain. This is done to avoid inconsistencies (so you only change the header once instead of changing it 20 times - once for each page).
The developer who created the header user control used Context.Items to store some information. On my pages, I am trying to use PostbackUrl to post form information from one page to another.
The problem I am having is this: Both my pages call the header control. When I use PostbackUrl and PreviousPage, I think the header control from the previous page gets "copied" over to the page I am posting to. So in the second page, I get something like a "dictionary keys have to be unique" exception. I think this is because the Context.Items wasn't "cleared" from the PreviousPage since it was "copied" over, so when the header user control tries to add the same key to Context.Items in the second page, I get an exception.
I temporarily solved this problem by using Request.Form[...] rather than PreviousPage.FindControl(...). I'm not sure if this is the right way to do it, or if it will cause any problems.
So my question is: Can PostbackUrl and Context.Items work together? I guess I could put some try/catch statements in the header control, but unfortunately I don't have access to that file.
I am building an application in ASP. I want my app to search for some context in Office files. How do I do it without Index Service? Is there any API? Is there any ASP code?
So I have this database working JUST fine for a week, then I add another table to it and then this is where things started getting crazy. Here is my db conn code:
IIS can handle security on its own without the need for complex scripting, and I like the idea of being able to just let the system do it. However, I'm not sure how to set such things up, and would that mean that if you used something like Integrated Windows Authentication, security is dealt with by Windows and its users' info rather than getting the info from a database of my choosing?
The whole concept is quite confusing to me, but there must be a simple-ish way to set up at least some form of secure site area within my web.
I am starting to learn ASP and I have IIS installed on my Win XP Pro machine. Do I have to worry about security for any reason at all? I don't believe I have file sharing on at all; then again, I don't know if that has anything to do with this.
How do I run security through all of the pages? The users log in, an asp checks their password, then what do I do to secure the pages from users that do not enter the password?
Developed a web application which adopts a custom security model which displays a login page and requests a username/password combination. The username works in a mixed-mode of usernames matched with the Windows login name and some extra accounts (similar to SQL mixed-mode security). Web application is executed both in the corporate intranet and externally on the web. Getting user complaints about having to login to the web application when they have already logged on to Windows. I have coded a challenge/response (response.status=401) to get a user's Windows login through the ServerVariables. This seems to work OK for the intranet access. If the user's Windows account is not located in the application database then I redirect to the standard login page for the username/password combination. When the application is executed across the internet through a firewall, the user is prompted by IE to enter the Windows domain, username, and password. There seems to be no mechanism to avoid this because of the challenge/response code. I wish that with external access from the internet that users are automatically directed to the application login screen and not faced with the IE Windows authentication dialog.
Does anyone know how to implement one-way hashing or encryption using ASP 3.0 and no additional components?
I need to secure an intranet application which is being moved online. Currently the passwords are stored in plain text; ideally I'd like to hash the passwords in the database and hash the form data when testing, but I don't seem to be able to find any hashing methods for standard ASP. Perhaps someone has a nice code snippet for hashing.
Is there a way to login to a particular security group from ASP? I use IP addresses and email addresses to identify web users and most have general IWAM_COMPUTERNAME access. Once web users login, is there a way to give SOME of them access to an NT security group based on stored NT user/password information?
I am working on a new feature on my website where people can write their own HTML files. They are actually going to have .ASP extensions, and are hosted on my webserver. So, what security issues can you suggest? So far all I have got is disabling '<% %>' tags. Anything else?
I'm developing a local intranet site. I'm just new in ASP; could anyone help me with how to put security? I have username and password but I want the site not to go back on the previous pages after logging off.
I'm using Macromedia Dreamweaver and VBScript; I have a database using MS Access.
I am developing a project that's gonna handle some transactions too. Since this is my first commercial project, I am worried about its security. So my question is: "Is ASP safe enough to use with something serious?" Or should I use something else like PHP?
I'm about to embark on a project that will allow my clients to produce invoices via any internet enabled PC. This post is regarding the security options available to me.
I will implement a Username/Password scheme to restrict access to the facility, but since part of the facility will allow access to customer information I am wondering if I should also look at a more secure protocol than simple HTTP.
I have very little knowledge regarding the options available to me and as such I'm hoping someone can give me some suggestions of an overview of the different things I could use.
One more conceptual thing! Tell me if I am right! I have developed a concept that SSL does three jobs!
1) It forces the client to connect to the server through SSL port rather than 80
2) It sends data from client to server encrypted!
3) It provides a certificate from the third party (SSL provider) that we are the rightful owners of this website!
I've been appointed the task of looking through some code for security risks. Up until now it's been PHP, but now a person wants me to look through ASP and ASP.NET files.
The problem is that I don't really know what to look for. Can someone tell me? As many things as possible. In as much detail as possible. Even things that normally aren't very risky.
I'd like to start using global.asa to store things like connection strings to databases and the like. As I understand it, you have to save the file in the root of your app.
My concern is that storing the location of databases within the ASA file might be a security issue. Is there any way for a user to get at the information contained in that file and, by extension, get at the databases themselves?
I'm not really asking about "someone stole my credit card info through cookies".
Here's the deal:
I have 2 sites (different domain names) running from one server. One is SSL the other is not. The SSL site has a login and password, which return the user's unique id, which is stuck into a session cookie.
This cookie is then checked at every page because every page is built based on the user's id. If it is not present, the user is redirected to the login page. If the id is wrong, there will be no information shown on the page.
My question is this, can the other (non-SSL) web site see this cookie? The site has no asp or anything else, but if someone "broke into" the non-secure site, could they read the cookie from the other site?
If I store login information in a cookie is it possible for the PC owner to modify the cookie without it making it valid?
For example if in the cookie I store the current user, say "Bob" - if Bob edits his cookie by hand to say "Alan" will the server accept the cookie as valid? Or will it realise that it has been tampered with and discard it?
Anyone recommend a good reference on this sort of thing?
My system is at the testing phase. How do I test my system to check its security, especially at the login page? I am running it at localhost. I have tried SQL injection but nothing happened. I just saw the invalid login username or password error only.
You know when you have a browser-based application (written in ASP or whatever) which uses a database, how can you ensure that the username and password of the database are secured? My ASP application has got a file containing all the information you need to connect to the SQL database; if anyone happens to get hold of that file on the web server then he'll be able to do anything he wants. Is there a safer way to handle this?
I just finished my database. There is one problem, however: I had to give write permissions to my file with the extension mdb; it's an Access file. The thing is that now all anyone has to do is figure out the page name and their browser will begin to download my database.
That is a major security hazard; what the heck do I do? Am I supposed to just hope no one ever figures out what that specific page name is?
I'm trying to get the NT login id of a user on a web page without making the user type it into a login box. I'm using the LOGON_USER server variable. The problem is, if the web page allows anonymous access, LOGON_USER returns nothing. If the page is set to Basic Security, the NT login popup box comes up, even though the user is already logged into the network, and HAS access to this page.
Moreover, if I try this on my PC instead of our webserver, it works like I would expect. That is, when set to Basic Security, it does NOT pop up a login box if the user is allowed to view the page, and LOGON_USER returns the userid. Is there some setting on the server I need to change? Or something else?
I was wondering if anyone could help me with a querystring problem. My problem is that users are assigned certain parts of a document, therefore users can only view parts of the document that they have been assigned.
The page with the document is called document.asp and when a user is assigned part of the document they are given a link to the document.asp with the section id in the querystring.
For example a user may be only allocated section 1 of the document. The link they receive has section=1 in the querystring. When clicked the link takes them to the document.asp. The header of the document.asp contains the following: Code:
I have rolled out my simple ASP site, just updates a few fields in a database. It works fine for administrators, but the local users are getting a "page can't be displayed" error stating the database is opened exclusively (this is not the case) or they don't have rights. The database is shared to everyone as well as the actual web server.
It's funny that this has not been invented yet, or has it?: You store your DB outside your default website. It is accessed only through your ASP code and an ODBC connection. This way your DB is not obtainable for the web user. Why doesn't anyone create a connection corresponding to ODBC, let's call it FileConnect, that in the same way allows us, in a web site, to have directories and files that are really hidden?
I have to allow access for administrators to sections of my website which contain sensitive data. There is a link on the homepage called "Admin Login". They are asked for a PIN number which is a random four letter four number combo and if they get that correct then have to enter their personal username and password.
The text field inputs are cleaned before being used to make up dynamic SQL by replacing all apostrophes with the below function
function clean(clean_this)
    clean = trim(replace(clean_this, "'", "''"))
end function
Is this all safe... I am slightly uneasy about having the login on the website and it could be hidden in a special link only given to admins - but this is the same mechanism that eBay and Amazon etc. rely on to let people log in...
I'm doing a simple email form, with just three fields, one each for name, email, and the message body of the email. It goes straight to CDO, and takes the user to a thank you page.
What kind of damage can I expect to need to protect myself from? I mean, if there were a database involved, I'd need to protect against SQL injection, things like that. But in this case, there's no database. I plan to put a maxlength on the fields, but is there anything else I should beware of, and if so, what can be done about it?