Elementary security questions

Discussion in 'ASP .Net Security' started by Ted, Feb 7, 2007.

  1. Ted

    Ted Guest

    I have some "How to ..." questions that ought to be basic. However, I
    have yet to find the details of precisely how to do these tasks
    explained in any of my references. Maybe I'm just looking in the
    wrong places, but ...

    1) I have been working on login pages that eventually will be used
    for each of the web applications I want to develop. It is my
    understanding that to do this, I need to coordinate their web.config
    files. (NB: Only .NET 2 and .NET 3 are involved.) But the information I
    have seen regarding this showed several strings that look random, and
    it is stated that by default they're generated when the application
    starts. That implies that I need to somehow generate these random
    looking strings and place them in all of the relevant web.config
    files. But the question of how you generate these things manually is
    left unanswered. So my question is, then, how do you generate them,
    and how do you tell ASP.NET how to interpret them? I am assuming,
    here, that the strings are encryptions of some data, and there are
    several encryption algorithms that come to mind that are very strong
    and in principle could be used. One example used SHA, but I could see
    3DES or Blowfish or any of several others.

    2) When I created web apps using Java servlets and JSP, I found it
    easy to ensure that the login process was handled entirely over SSL,
    and this through simple forward statements, so the process of
    converting a request for the login page made via http into a request
    made using https. My reading of my ASP.NET reference suggests that I
    can use a "requireSSL" statement somewhere, but that making a request
    using http would generate an error rather than simply politely
    redirecting the request to happen over https. I am really hoping I
    misunderstood my book because the behaviour implied by what I
    understood it to mean seems very unfriendly to the user. After all,
    attempting to log in over a non-secured channel may be just a question
    of user error easily handled transparently for the user. In my JSP
    apps, if a user requests a login page over http, he is seamlessly
    redirected to it over https. And of course it is easy to configure
    the JSP app so that all requests initiated over http are seamlessly
    redirected to happen over https instead, as must happen if sensitive
    data is involved. So then, how do I do in ASP.NET what I routinely do
    in JSP?

    3) Is it possible to tell the CreateUser wizard to log in the newly
    created user (if the user was successfully created) and take the user
    to a page that allows him to enter the required data? This page ought
    to be shown to a user who hasn't entered the data when he logs in, if
    and only if he has not yet supplied the data (e.g. because an error
    happened before he completed the form but after he created his user
    id). This data is sensitive, so the fewer the options to see and edit
    it, the better, but the user needs to be required to enter it so the
    rest of the app will work well for him. How, then, do I create a page
    that is viewed only after login, but only if the relevant data has not
    yet been entered by the user, with the constraint that he can't use
    certain pages if the data has not been stored? The logic is trivially
    simple, and would be easy to place in my JSP apps, but, if I have to
    manually code this, where should the code be placed? Is there an
    event handler for each login control that I can catch?

    4) Does the LoginStatus control expose a userid value? And, when the
    CreateUser wizard creates a user, can it guarantee that the user ids
    are unique? Obviously, a user's name need not be unique, and I
    personally know of many cases where it isn't (literally dozens of
    situations where all the male cousins in an extended family have the
    same first name if they're the eldest son within their nuclear family,
    and they all have the same first name if they're the second born son
    within their nuclear family, &c. - imagine the confusion with dozens
    of men with the same first and family names because of this practice),
    but equally obviously, a user id must be unique. It isn't clear to me
    how this is handled in these controls.

    I am finding that doing in ASP what I would normally hand code in JSP
    is not a trivial translation.

    My last question is this: Can sessions created by a JSP login page be
    used by ASP.NET pages, and vice versa? If so, that would make many
    things easier for me.

    Thanks for your time.

    Ted, Feb 7, 2007
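An added example (not from the thread or its author) for question 1: the random-looking machineKey strings are not encryptions of data but raw keys, and they can be generated with any cryptographically secure random source and pasted, identically, into each cooperating web.config. The block generates the two keys at the sizes the .NET 2.0 defaults use (SHA1 validation, AES decryption), renders the element, and uses a simplified, constructed ticket format (assumed here only for illustration, not the real forms-authentication ticket) to show why a shared validationKey is what lets one application accept another's authentication cookie.

```python
"""Generate ASP.NET <machineKey> values and show why shared keys matter.
The ticket below is a simplified stand-in for the forms-authentication
ticket, used only to illustrate validationKey as an HMAC key."""
import hashlib
import hmac
import secrets

# Key sizes in bytes for the .NET 2.0 defaults: SHA1 validation (64-byte
# key) and AES decryption (32-byte key). web.config expects hex strings.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def generate_machine_key():
    """Return (validationKey, decryptionKey) as hex from a CSPRNG."""
    return (secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
            secrets.token_hex(DECRYPTION_KEY_BYTES).upper())


def machine_key_element(validation_key, decryption_key):
    """Render the element to paste into every cooperating web.config."""
    if (len(validation_key) != 2 * VALIDATION_KEY_BYTES
            or len(decryption_key) != 2 * DECRYPTION_KEY_BYTES):
        raise ValueError("unexpected key length")
    bytes.fromhex(validation_key)  # raises ValueError if not valid hex
    bytes.fromhex(decryption_key)
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES" />'
            % (validation_key, decryption_key))


def sign_ticket(validation_key, payload):
    """Simplified ticket: payload plus HMAC-SHA1 tag keyed by validationKey."""
    tag = hmac.new(bytes.fromhex(validation_key), payload.encode(),
                   hashlib.sha1).hexdigest()
    return payload + "|" + tag


def verify_ticket(validation_key, ticket):
    """True only if the tag was produced with the same validationKey."""
    payload, _, tag = ticket.rpartition("|")
    expected = hmac.new(bytes.fromhex(validation_key), payload.encode(),
                        hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, tag)
```

Two applications with the same element accept each other's tickets; an application whose web.config was left on auto-generated keys rejects them, which is the behaviour the question describes.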