Velocity Reviews


Ted 02-07-2007 07:34 PM

Elementary security questions
I have some "How to ..." questions that ought to be basic. However, I
have yet to find the details of precisely how to do these tasks
explained in any of my references. Maybe I'm just looking in the
wrong places, but ...

1) I have been working on login pages that eventually will be used
for each of the web applications I want to develop. It is my
understanding that to do this, I need to coordinate their web.config
files. (NB: Only .NET 2 and .NET 3 are involved.) But the information I
have seen regarding this showed several strings that look random, and
it is stated that by default they're generated when the application
starts. That implies that I need to somehow generate these random
looking strings and place them in all of the relevant web.config
files. But the question of how you generate these things manually is
left unanswered. So my question is, then, how do you generate them,
and how do you tell ASP.NET how to interpret them? I am assuming,
here, that the strings are encryptions of some data, and there are
several encryption algorithms that come to mind that are very strong
and in principle could be used. One example used SHA, but I could see
3DES or Blowfish or any of several others.

2) When I created web apps using java servlets and JSP, I found it
easy to ensure that the login process was handled entirely over SSL,
and this through simple forward statements so the process of
converting a request for the login page made via http into a request
made using https. My reading of my ASP.NET reference suggests that I
can use a "requireSSL" statement somewhere, but that making a request
using http would generate an error rather than simply politely
redirecting the request to happen over https. I am really hoping I
misunderstood my book because the behaviour implied by what I
understood it to mean seems very unfriendly to the user. After all,
attempting to login over a non-secured channel may be just a question
of user error easily handled transparently for the user. In my JSP
apps, if a user requests a login page over http, he is seamlessly
redirected to it over https. And of course it is easy to configure
the JSP app so that all requests initiated over http are seamlessly
redirected to happen over https instead, as must happen if sensitive
data is involved. So then, how do I do in ASP.NET what I routinely do
in JSP?

3) Is it possible to tell the create user wizard to log in the newly
created user (if the user was successfully created) and take the user
to a page that allows him to enter the required data? This page ought
to be shown to a user who hasn't entered the data when he logs in, if
and only if he has not yet supplied the data (e.g. because an error
happened before he completed the form but after he created his user
id). This data is sensitive, so the fewer the options to see and edit
it, the better, but the user needs to be required to enter it so the
rest of the app will work well for him. How, then, do I create a page
that is viewed only after login, but only if the relevant data has not
yet been entered by the user, with the constraint that he can't use
certain pages if the data has not been stored? The logic is trivially
simple, and would be easy to place in my JSP apps, but, if I have to
manually code this, where should the code be placed? Is there an
event handler for each login control that I can catch?

4) Does the loginstatus control expose a userid value? And, when the
createuser wizard creates a user, can it guarantee that the user ids
are unique? Obviously, a user's name need not be unique, and I
personally know of many cases where it isn't (literally dozens of
situations where all the male cousins in an extended family have the
same first name if they're the eldest son within their nuclear family,
and they all have the same first name if they're the second born son
within their nuclear family, &c. - imagine the confusion with dozens
of men with the same first and family names because of this practice),
but equally obviously, a user id must be unique. It isn't clear to me
how this is handled in these controls.

I am finding that doing in ASP what I would normally hand code in JSP
is not a trivial translation.

My last question is this: Can sessions created by a JSP login page be
used by ASP.NET pages, and vice versa? If so, that would make many
things easier for me.

Thanks for your time.
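Question 1 asks how the random-looking web.config strings are produced by hand. The following Python script is an added example, not code from this thread or from ASP.NET; it assumes the strings in question are the machineKey validationKey and decryptionKey, and the SHA1/AES algorithm attributes it emits are likewise an assumption about the intended configuration.

```python
import re
import secrets

# Assumed sizes: 64 random bytes for the SHA1 validation key and
# 32 random bytes for an AES decryption key, both written as uppercase hex.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
HEX_RE = re.compile(r"^[0-9A-F]+$")


def generate_machine_key(validation_bytes=VALIDATION_KEY_BYTES,
                         decryption_bytes=DECRYPTION_KEY_BYTES):
    """Draw fresh keys from the OS CSPRNG; they are secrets, not ciphertext."""
    return {
        "validationKey": secrets.token_bytes(validation_bytes).hex().upper(),
        "decryptionKey": secrets.token_bytes(decryption_bytes).hex().upper(),
    }


def render_machine_key(keys, validation="SHA1", decryption="AES"):
    """Render the element to paste identically into every cooperating web.config."""
    return (
        "<machineKey\n"
        f'    validationKey="{keys["validationKey"]}"\n'
        f'    decryptionKey="{keys["decryptionKey"]}"\n'
        f'    validation="{validation}" decryption="{decryption}" />'
    )


def check_machine_key(keys):
    """Return problems found: AutoGenerate placeholders, non-hex text,
    short keys, or keys with so few distinct digits they look hand-typed."""
    problems = []
    expected = (("validationKey", VALIDATION_KEY_BYTES * 2),
                ("decryptionKey", DECRYPTION_KEY_BYTES * 2))
    for name, min_len in expected:
        value = keys.get(name, "")
        if not HEX_RE.match(value):
            problems.append(f"{name}: not uppercase hex")
        elif len(value) < min_len:
            problems.append(f"{name}: {len(value)} hex chars, need {min_len}")
        elif len(set(value)) < 8:
            problems.append(f"{name}: too few distinct digits; looks hand-typed")
    return problems


if __name__ == "__main__":
    fresh = generate_machine_key()
    assert check_machine_key(fresh) == []
    print(render_machine_key(fresh))
```

Generate the pair once, copy the same element into each application's web.config that must accept the others' forms-authentication tickets, and keep the values out of source control.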

