I'm trying to design a web application where people can create user IDs and passwords while signing up and then use that information to log in to an account. (I know, very basic). I just can't get my mind around how to make this system most secure. The user ID and password is verified at the time of logging in and at that point, I would like to create something like a session key before opening the new page.
I basically don't want to start the new page by passing regular parameters through the URL because that's very easy to manipulate and break. Can someone give me some information about creating a secure system like this and/or forward me some useful sources? BTW, I'm using IIS as my server, ASP.Net and VB.Net.
I have copied a web-based application to a new laptop running Windows XP Professional. Now in one of the folders where the database is physically located, I want to give IUSR_Computermachine rights so that the application allows records to be updated and inserted.
However, when I right-click to find the Security tab, it is missing. Other tabs like General, Sharing, Web Sharing and Customize are all there.
I am working on a commercial ASP web application which uses MS Access 2000 as its database. When configuring the database access, I got an error saying that this database is a read-only database.
I checked the database properties; it shows that this database is archive, not read-only. I can directly make changes to the database using Access, so my guess is the problem is not really database related, am I right?
According to the instructions for the software, the database folder must have read and write permissions given to the "anonymous web user account". I have set the database folder to share and gave all permissions to "anonymous logon" and "every one", but the problem is still there. I am just wondering, what is the "anonymous web user account" in Windows 2000 Server and IIS?
I am using the FileSystemObject to look at the contents of a directory. The process has always worked. Recently in an attempt to increase our security, we removed full rights for everyone to files on the D:. Now I only get a blank page.
Does anyone know what USER ACCOUNT is being used to access the folder? My guess is I need to grant access to some account.
I often have permission problems when I move my pages onto different servers. It would be very handy if I could programmatically determine the anonymous user account name from my ASP page. How can this be done since it is not in the request header for anonymous requests?
I have created a New Users registration form for my database. The user enters their details such as email, account, name etc., and then clicks a Register button. This should send an e-mail to the user with a link for them to click to activate their account.
When I click on Register, however, I get a page not found message. When I try to display my Confirmation page, I get the error mentioned above.
By using <authentication mode="Forms"> in web.config, we can create a self-designed login page, but how do we check that a user's account and password are valid in another domain controller?
Can <authentication mode="Windows"> have a self-designed login page?
I want to open the MS Access file with user-level security. I know that if I do NOT set up user-level security in the MS Access file, and create the table for login in the MS Access file (put the MS Access file on the server), then it works.
I did that. But I want to know whether or not we can use ASP code to open the MS Access file (with the MS Access user-level security setting). This way I can put the MS Access file in a public place.
Can we do it in ASP?
The following code cannot do that:
<%
set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open "c:/try.mdb"
%>
I want to decide what should be displayed dependent on what security groups (2k server) the user belongs to. I don't appear to be able to do it with frames.
I am working on a document management system for a client. I am planning to set up the system so that documents are protected, sort of.. A user has an access level and based on that access level, a list of available documents will display as an HTML page and the user can click a hyperlink to download or view the selected document.
I am planning to handle this all through a SQL database and ASP.
What I would REALLY like to do, though, is protect a set of directories so that a user could not just enter a URL and download a document without being prompted for a username and password if he/she hasn't already logged in.
I have done something like this using AuthentiX from Flicks Software, but this current client is trying to create a solution "on the cheap", and so I'd like to see if I can build the solution using the security mechanisms built into the O/S.
What I'm thinking is that I'll set up the directories and assign a group access to each directory. My question then is, can I add users to the "Local Users and Groups" for Windows 2000 via ASP?
How would I get a Windows account name through ASP? Say I log in with veamon, and the Start menu says Bob Barker... how would I get the Bob name? I can get the login name.
I'm looking for an ASP script or tutorial to lock out an account after 3 or 5 failed attempts. It should be the best way to protect my login screen against brute force attacks.
Does ASP only use the IUSR_<IIS Machine Name> to gain access to files located on a LAN, or can another user account name and password be set up? To create a file on another computer on the LAN in ASP using the FileSystemObject requires permissions on that other computer. Using a DSN for an ODBC driver requires permissions to SELECT records from a database file on another computer on the LAN. Must I use the IUSR_ account only?
I have an application that references a database on my hard drive, however I am unsure how to transfer the files to the server and keep the integrity of the database reference string.
Using classic ASP I want to check if a username and password are correct before passing the details on to an object (stocktake module) that uses them to authenticate the object. The object defaults to a preset user if the authentication fails and doesn't warn the user, so I wanted to do the check manually before passing it to the object.
I was asked by a client to make changes to their Outlook Web Access page where I need to validate the expiry date of the password and also the password length for the NT Account Policy. Initially I used JavaScript to do a static validation for the password expiry and password length. Their request now includes dynamic changes to the JavaScript where, if the password length is changed in the NT Account Policy, it will be reflected in the client-side script. Also they request server-side validation as an alternative just in case.
Can someone point me to the resources available for this? I have been stuck on this one for quite a while now and have no idea how to proceed.
I was just looking things over and I noticed a new account under my users. It's an ASPNET user (account used for ASP.NET worker process....). I hadn't noticed it before. What is it? What does it do? Should it be disabled? Should I make any changes? I have been out of the loop for a while; could someone bring me up to speed?
I wrote this script, which for now works fine. The purpose of this code is to lock the account whenever a particular document comes to its expiration date. So, if I have a document that expired on 7/31/06, then it should lock the user's account once they'd logged in.
However, the problem I am having is that it is locking everyone who already has an expired document. What I would like is for the code to check during the current month. If a document expired, say yesterday 8/9/06, lock the account, else let the user continue to access their account. Code:
I have this page in which emails will be sent simultaneously: one is sent to the my-sites email while the other goes to the user's email. The problem is that once the email page is sent, the my-sites email is also recorded in the user's email account and vice versa. Code:
IIS set up after VS.NET. On a virtual directory for a web app... I go to Properties and click on the 'Directory Security' tab, click the 'Edit' button, check anonymous access, type in username/password for account, check 'Integrated Windows authentication' at the bottom... then OK out.
In web.config, I add the tag <identity impersonate="true" />
On first load I get the account I typed in above... on postback it changes to my personal Windows account. Strange. Also, when I switch on the anon user account for the whole website it works.
We have a simple ASP page that queries LDAP attributes. Everything is working fine using a native domain account, but when using an external account we get an error 70, access denied.
Here's some basic info on our structure.
- Domain/Forest A with Exchange
- Domain/Forest B with external accounts.
- Forest A trusts Forest B and "vice versa"
- ASP page on an Exchange FrontEnd server on the default web site (same as Exchange)
- ASP page is using basic authentication.
- Authentication works fine using a native domain account or an external domain account.
- Getting native Windows attributes works fine with an external account, but the attributes starting with "ms-Exch" do not come out (Exchange attributes). Code:
I don't know if this is a unique problem, or I'm going about it the wrong way. I currently connect to one of our SQL servers via a privileged account (by using RUNAS). Works with no problem. I now need the ability to connect to the same SQL server using ASP. I have the following connect string, but I'm not sure how to specify the domain in the string, or is there some other way?
How can I change the culture/region of the machine's ASPNET account? In code, I can set it for the thread manually by using system.threading.thread.currentThread.currentUICulture, but there must be a way to do it globally on the machine. Plesk allows changing this for the machine, which works fine, but how do I do it manually when no Plesk is available?
Is it possible to use IIS 5.x software on WinXP/2K OS and VBScript to detect the logged-in user account?
I.e., we log in with our first-name initial, last name (amartone) as well as the domain the computer resides in? My account is under ITU, so I am ITUamartone.
Can ASP detect this? I'm making an intranet app, and I'd rather validate users that way than have them log in over and over.
I am trying to create a form where a user has to enter information such as username, password, last name, etc...
My current code is to look at the recordset to find any existing username, and if not found, it will add the new username.
At what part of the page do I validate the password so I can determine if the user entered the password correctly the second time (to determine the password was entered twice correctly)?
I'm looking for some best practices when it comes time to allowing a user to create an account for our web app. For example, a potential customer of ours would fill out an application and then an email would be sent w/further instructions on how to activate and login to their account. What's the best way to accomplish this? Should our system create a unique password for them (initially) and then require them to create their own? I need a solution that is secure with almost no chance of someone attempting to impersonate.
How do you regenerate the ASP_NET login account? The password got changed which hosed everything. I can no longer see my web services and need to reset the ASP account. How do I do this?
We have recently upgraded our web server. The web server is in a remote location and is being administered by a contract company. After the upgrade, one of the locations of our database (Access) has been assigned the following rights:
Read and Write. There are two more permissions, i.e. Read & Execute and List Folder Contents, which were not given permission. With this scenario, I cannot add or update records on a web application tied to this Access database. Is Read & Execute not essential in order for me to insert and update or even select records in the web application?
ASPNET profile/account was accidentally deleted on NT/2000 platform. Is there any way to get it back without reinstalling the whole Exchange/IIS services?