SqlServer membership/role - Web.Config

Discussion in 'ASP .Net Security' started by David Thielen, Jun 2, 2006.

  1. 4. Is this the correct & complete Web.Config for the SqlServer
    membership/role provider:
    <roleManager enabled="true"/>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx">
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <membership defaultProvider="AspNetSqlMembershipProvider"/>

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com
     
    David Thielen, Jun 2, 2006
    #1

  2. Hi Dave,

    Thank you for posting.

    As for the configuration snippet you provided, it indicates that you're using
    Forms Authentication and the Membership Provider is the default
    SqlMembershipProvider. And the SqlMembershipProvider uses all the default
    settings as configured in the machine.config. You can find the default
    settings for SqlMembershipProvider in your machine.config's <membership>
    section. The default one is as below:

    =========in machine.config======
    <membership>
      <providers>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="LocalSqlServer"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             applicationName="/"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>
    ==================

    You can override or change some of the options in your application by
    redefining them in the web.config, e.g.

    =======in web.config==========
    <membership>
      <providers>
        <remove name="AspNetSqlMembershipProvider" />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

             our custom options settings ................

        />
      </providers>
    </membership>
    =======================

    #membership Element (ASP.NET Settings Schema)
    http://msdn2.microsoft.com/en-us/library/1b9hw62f.aspx

    Regards,

    Steven Cheng
    Microsoft Online Community Support


    ==================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    ==================================================


    This posting is provided "AS IS" with no warranties, and confers no rights.



    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], Jun 2, 2006
    #2
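
As an added example (not part of the original posts and not Microsoft's code): a Python check that replays the `<remove>`/`<add>` override described in the reply above against the machine.config values it quotes, and lists which settings no longer match them. The function names and both sample configurations are constructed for illustration, and it assumes `<configuration>` carries no xmlns.

```python
import xml.etree.ElementTree as ET

# machine.config values copied from the reply above (type omitted; settings only).
MACHINE_DEFAULTS = {
    "connectionStringName": "LocalSqlServer", "enablePasswordRetrieval": "false",
    "enablePasswordReset": "true", "requiresQuestionAndAnswer": "true",
    "applicationName": "/", "requiresUniqueEmail": "false", "passwordFormat": "Hashed",
    "maxInvalidPasswordAttempts": "5", "minRequiredPasswordLength": "7",
    "minRequiredNonalphanumericCharacters": "1", "passwordAttemptWindow": "10",
    "passwordStrengthRegularExpression": "",
}
DEFAULT_NAME = "AspNetSqlMembershipProvider"

def effective_provider(web_config_xml):
    """Replay <clear/>, <remove/> and <add/> in document order over the inherited entry."""
    providers, default = {DEFAULT_NAME: dict(MACHINE_DEFAULTS)}, DEFAULT_NAME
    for membership in ET.fromstring(web_config_xml).iter("membership"):
        default = membership.get("defaultProvider", default)
        for child in membership.findall("providers/*"):
            name = child.get("name")
            if child.tag == "clear":
                providers.clear()
            elif child.tag == "remove":
                providers.pop(name, None)
            elif child.tag == "add":
                providers[name] = {k: v for k, v in child.attrib.items() if k != "name"}
    return default, providers.get(default)

def audit(web_config_xml):
    """List every setting whose effective value is no longer the machine.config one."""
    name, attrs = effective_provider(web_config_xml)
    if attrs is None:
        return [f"defaultProvider {name} is not defined"]
    findings = []
    for key, inherited in MACHINE_DEFAULTS.items():
        if key not in attrs:
            findings.append(f"{key}: not restated, {inherited!r} is no longer inherited")
        elif attrs[key] != inherited:
            findings.append(f"{key}: {inherited!r} -> {attrs[key]!r}")
    return findings

# Constructed inputs: the membership line from the first post, and a hypothetical override.
POSTED = """<configuration><system.web>
  <membership defaultProvider="AspNetSqlMembershipProvider"/>
</system.web></configuration>"""
OVERRIDE = """<configuration><system.web><membership><providers>
  <remove name="AspNetSqlMembershipProvider"/>
  <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
       connectionStringName="LocalSqlServer" applicationName="/"
       passwordFormat="Clear" minRequiredPasswordLength="4"/>
</providers></membership></system.web></configuration>"""
```

An attribute left out of the re-added entry takes the provider's built-in default rather than the machine.config value, so restate every setting you rely on when overriding.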

  3. Hi;

    Should I change the provider setting? And if so to what (and why)?

    Also, are the roleManager/authentication/membership settings I have correct?
    It all works fine but I want to make sure I haven't left a security hole.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

     
    David Thielen, Jun 2, 2006
    #3
  4. Thanks for your response Dave,

    So far I don't think there are any security holes and all the settings you're
    currently applying are the default settings. Why do you want to change them?
    It is only when the default settings don't quite meet your requirements
    that you will need to customize them. As I've provided the example that redefines
    the SQL Membership provider settings in the application's web.config file, you
    can customize some of the attributes of that provider if you want.

    Regards,

    Steven Cheng
    Microsoft Online Community Support


     
    Steven Cheng[MSFT], Jun 5, 2006
    #4