Sunday 13 May 2012

ASP.NET Security

Security in the ASP.NET framework is handled in two steps:
  • Authentication 
  • Authorization

In this article we will discuss both of the above steps.


AUTHENTICATION:


  • ASP.NET Forms Authentication, together with the Membership feature, validates the user's credentials for this purpose.
  • The Membership feature supports two providers: SqlMembershipProvider and ActiveDirectoryMembershipProvider.
  • ASP.NET also provides built-in Login controls that let you create login and user registration forms without writing any code.
  • Modes of authentication

  1. Windows based
  2. Forms based
  3. Windows Password

  • Method of authentication: the authentication mode is configured in the web.config file of your application.
  • Syntax:
For Windows based authentication:
<authentication mode="Windows" />

For Forms based authentication:

<authentication mode="Forms" />
  • Protecting Forms authentication: this is done by securing the user credentials and the authentication ticket. The ticket is protected by encrypting the cookie that carries it.
User credentials can be secured by requiring strong passwords, which protect against brute-force password guessing.

Passwords should also be stored as hash values rather than in plain text; this slows down an attacker who obtains the stored credentials.


Protecting the authentication ticket provides a shield against attacks such as:

  1. spoofing and impersonation,
  2. session hijacking,
  3. elevation of privilege.
  • Using strong passwords: enforce attributes such as
  1. a minimum password length,
  2. a mix of alphanumeric characters.
  • Avoid using persistent cookies on client computers.
  • SQL Server authentication. Syntax:
SqlConnection conn = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDBFileName=|DataDirectory|\\Database.mdf;Integrated Security=true;user instance=true;");
  • Using a single user authentication across multiple applications (single sign-on): this is generally needed in enterprises to save employees from authenticating again and again when using different applications.
This is done by sharing the authentication ticket across the applications. Since a single ticket is shared, every application that receives it must be able to validate and decrypt it in order to authenticate the user. So we manually provide the validationKey and decryptionKey values, and these values are stored inside the <machineKey> element of the web.config file of each application.

To generate these validationKey and decryptionKey values manually we can use a cryptographically strong random number generator such as RNGCryptoServiceProvider.


<machineKey validationKey="Hsbfb636576sahfj\mfhhshnj234235"  
           decryptionKey="shakh7857jkjjco985\fhhegf476343" 
           validation="SHA1" decryption="Auto" />
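The two protections described above, salted password hashing and generating the shared machineKey values from a cryptographically strong random source, shown as an added example in Python (not code from the original post or from ASP.NET). It uses secrets.token_hex in the role the text gives RNGCryptoServiceProvider, and PBKDF2 for password storage. The key sizes (64 bytes for SHA1 validation, 32 bytes for AES decryption) and the exact-length check are assumptions taken from the ASP.NET machineKey guidance; confirm them against the algorithms you actually configure.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional, Tuple

# Key sizes in bytes. Assumed from the ASP.NET machineKey guidance for SHA1
# validation (64-byte HMAC key) and AES decryption (32-byte key); check them
# against the algorithms you configure.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def generate_machine_key_values() -> Tuple[str, str]:
    """Draw both keys from the OS CSPRNG (secrets.token_hex), the role that
    RNGCryptoServiceProvider plays in .NET, and return them as hex strings."""
    return (secrets.token_hex(VALIDATION_KEY_BYTES),
            secrets.token_hex(DECRYPTION_KEY_BYTES))


def is_valid_machine_key_value(value: str, expected_bytes: int) -> bool:
    """ASP.NET accepts only hexadecimal key strings. A hand-typed placeholder
    containing letters beyond a-f or a backslash fails this check."""
    return bool(HEX_RE.match(value)) and len(value) == expected_bytes * 2


def render_machine_key(validation_key: str, decryption_key: str) -> str:
    """Emit the <machineKey> element to paste into every application's web.config."""
    if not is_valid_machine_key_value(validation_key, VALIDATION_KEY_BYTES):
        raise ValueError("validationKey must be %d hex characters" % (VALIDATION_KEY_BYTES * 2))
    if not is_valid_machine_key_value(decryption_key, DECRYPTION_KEY_BYTES):
        raise ValueError("decryptionKey must be %d hex characters" % (DECRYPTION_KEY_BYTES * 2))
    return ('<machineKey validationKey="%s"\n'
            '            decryptionKey="%s"\n'
            '            validation="SHA1" decryption="AES" />' % (validation_key, decryption_key))


PBKDF2_ITERATIONS = 200_000   # constructed choice; raise it as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a random salt plus a PBKDF2-HMAC-SHA256 digest instead of the
    password. The iteration count is what slows down offline guessing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def meets_password_policy(password: str, min_length: int = 8) -> bool:
    """The two attributes the text lists: a minimum length and a mix of
    letters and digits."""
    return (len(password) >= min_length
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    v, d = generate_machine_key_values()
    print(render_machine_key(v, d))
    print(verify_password("Conf2012pass", hash_password("Conf2012pass")))
```

Run the script once, paste the printed element into the web.config of every application that shares the ticket, and keep the keys out of source control; the hand-typed sample above (with its backslashes) would be rejected by is_valid_machine_key_value, which is the same reason ASP.NET refuses it at startup.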

AUTHORIZATION:


  • The new feature of the ASP.NET framework is user authorization, which is supported by the Role Manager; it is used to manage user roles held in a role store.
  • The Role Manager in turn supports the following providers:
  •   WindowsTokenRoleProvider for Windows groups
  •   SqlRoleProvider for role stores in SQL Server databases
  •   AuthorizationStoreRoleProvider for roles in Active Directory Application Mode (ADAM) and XML data stores.
In order to use the Role Manager we have to enable it, and this is done in our application's web.config file.
  • Syntax:
 <roleManager enabled="true" />
  • Types of authorization:
  1. URL authorization: restricts access to specific files and folders within our application's Uniform Resource Identifier (URI) namespace.
  2. File authorization: used with Windows based authentication.
  3. Role authorization: can be used declaratively or programmatically.
  • Protecting the authorization cookie while using role caching: to protect the authorization cookie you need to encrypt and integrity-check it, use SSL to protect the cookie over the wire, and not persist the cookie on the client. When using role caching, securing the roles cookie is of prime importance. This stops users from modifying the list of roles to which they belong, and stops intruders from gaining information about the roles used by your application.
  • Role caching: we can also cache the roles in a cookie; this is done in this manner:
       <roleManager enabled="true" 
       cacheRolesInCookie="true" .../>
  • Role authorization:
<system.web><roleManager enabled="true" /></system.web>
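URL authorization, the first type listed above, works by evaluating the <allow> and <deny> elements of an <authorization> section in order, with the first matching rule deciding the request. The following is an added example in Python (not the post's code and not ASP.NET's own UrlAuthorizationModule) that models that first-match rule, including the "?" (anonymous) and "*" (everyone) user shorthands and the optional verbs attribute. The SECURE_ADMIN and LOCKED_OUT_ADMIN rule lists are constructed to show that rule order is the whole control: the same two rules in the wrong order lock out the very role they were meant to admit.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANONYMOUS = "?"   # ASP.NET shorthand for unauthenticated users
EVERYONE = "*"    # ASP.NET shorthand for all users


@dataclass
class Principal:
    """The identity a request runs as. name=None models an anonymous request."""
    name: Optional[str]
    roles: FrozenSet[str] = frozenset()


@dataclass
class Rule:
    """One <allow> or <deny> element from an <authorization> section."""
    action: str                           # "allow" or "deny"
    users: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()
    verbs: FrozenSet[str] = frozenset()   # empty means the rule applies to every verb

    def matches(self, who: Principal, verb: str) -> bool:
        if self.verbs and verb.upper() not in self.verbs:
            return False
        if EVERYONE in self.users:
            return True
        if ANONYMOUS in self.users and who.name is None:
            return True
        if who.name is not None and who.name.lower() in {u.lower() for u in self.users}:
            return True
        # A rule also matches when the principal holds any of its roles.
        return bool(self.roles & who.roles)


def is_authorized(rules: List[Rule], who: Principal, verb: str = "GET") -> bool:
    """First matching rule wins. If no rule matches, access is allowed, which
    mirrors the implicit <allow users="*"/> at the end of the root configuration."""
    for rule in rules:
        if rule.matches(who, verb):
            return rule.action == "allow"
    return True


# Constructed example: an admin folder that only members of Admins may open.
SECURE_ADMIN = [
    Rule("allow", roles=frozenset({"Admins"})),
    Rule("deny", users=frozenset({EVERYONE})),
]

# The same two rules in the wrong order: deny-all matches first, so the allow
# never runs and even Admins are locked out. Putting an allow "*" first would
# make the opposite mistake and open the folder to everyone.
LOCKED_OUT_ADMIN = [
    Rule("deny", users=frozenset({EVERYONE})),
    Rule("allow", roles=frozenset({"Admins"})),
]

# Constructed example: anonymous users may read but not POST.
READ_ONLY_FOR_GUESTS = [
    Rule("deny", users=frozenset({ANONYMOUS}), verbs=frozenset({"POST"})),
]


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"Admins"}))
    guest = Principal(None)
    print("alice on secure admin:", is_authorized(SECURE_ADMIN, alice))
    print("guest on secure admin:", is_authorized(SECURE_ADMIN, guest))
    print("alice on misordered admin:", is_authorized(LOCKED_OUT_ADMIN, alice))
```

When reviewing an <authorization> section, read it top to bottom exactly as is_authorized does and check that the deny rule for everyone comes last, after every allow it is meant to narrow.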

CSS stylesheet to create horizontal navigation bar

Description:
The purpose of this article is to show how a horizontal navigation bar can be built using HTML/CSS without tables, images, JavaScript, or any other scripting. The following example validates according to W3C standards and is compatible with all modern browsers.




Html page 
___________________________________________________________________________


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SOMETHING</title>


<link href="css/Navbar.css" rel="stylesheet" type="text/css" />
</head>


<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" background="Image/Background.jpg">
<table width="100%" border="0" cellpadding="0" cellspacing="0" background="Image/Background.jpg">
<tr>
<td>
<img src="Image/Capture.JPG" width="70%" align="center" height="150" />
</td>
</tr>
<tr>
<td>
<div id="navbar" style="margin-top:10px;margin-bottom:20px">
<ul>
<li><a href ="CMS.html" title="View home Page">Home</a></li>
<li><a href ="Login.html" title="Go to Login page">Login</a></li>
<li><a href ="register.html" title="Register Yourself">Register</a></li>
<li><a href ="Help.html" onmouseover="Show()" onmouseout="Hide()">Help</a></li>
<li><a href ="Contact.html" title="Contact technical support">Contact</a></li>
<li><a href ="FAQ.html" title="View Frequently asked questions">FAQ</a></li>
</ul>
</div>
</td>
</tr>
<tr>
<td>
<div id="welcome" style="width:100%">
<div style="border: 1px solid gray; margin-top: 20pt; margin-bottom: 10pt; width:100%">


<div id="register" style="width:60%">
<div style="border: 1px solid gray; margin-top: 20pt; margin-bottom: 10pt">
<ul>
<font color="#0066CC"><u>Registration</u></font>
<li>
Every participant in a conference served by this site must maintain a single PIN and password. The same PIN must be used for all conferences.
</li>
<li>
Follow the link <a href="Register.html">Register</a>
</li>
</ul>
</div>
</div>
</div>
</div>
</td>
</tr>
<tr align="center" height="100">
<td>
<div id="copyright" style="background-color:#000;width:100%">
<div style="border:1px solid gray; margin-top:170px">
<ul>
<font color="#00FFFF"><b>Copyright </b></font>
</ul>
</div>
</div>
</td>
</tr>
</table>
</body>
</html>
------------------------------------------------------------------------------------------------------------
navbar.css
_________________________________________________________________________________




@charset "utf-8";
#navbar ul {
        margin: 0;
        padding: 5px;
        list-style-type: none;
        text-align: center;
        background-color: #039;
        }

#navbar ul li {
        display: inline;
        }

#navbar ul li a {
        text-decoration: none;
        padding: .2em 1em;
        color: #fff;
        background-color: #039;
        }

#navbar ul li a:hover {
        color: #000;
        background-color: #fff;
        }

#navbar ul li a#onlink:hover {
        background: #FFF;
        color: #FFF;
        text-shadow: 1px 1px 1px #000;
        }


Breaking down the CSS 



  • As with most modern navigation bars, this code is based on the unordered list (<ul>) tag. This makes semantic sense: a navigation bar is really nothing but a list of links leading into your site. The traditional horizontal orientation is simply a convenient means to get all of our most important list items “above the fold,” so the user can see them without having to scroll down the page.
<div id="navbar" style="margin-top:10px;margin-bottom:20px">
<ul>
<li><a href ="CMS.html" title="View home Page">Home</a></li>
<li><a href ="Login.html" title="Go to Login page">Login</a></li>
<li><a href ="register.html" title="Register Yourself">Register</a></li>
<li><a href ="Help.html" onmouseover="Show()" onmouseout="Hide()">Help</a></li>
<li><a href ="Contact.html" title="Contact technical support">Contact</a></li>
<li><a href ="FAQ.html" title="View Frequently asked questions">FAQ</a></li>
</ul>
</div>
  • Making It Horizontal:



#navbar ul li {
        display:inline;
        }

File upload to phpMyAdmin database


<?php
// Connect to MySQL and select the conference database.
mysql_connect("localhost","","");
mysql_select_db("myconf") or die( "Unable to select database");

// Accept only files the browser labelled as PDF and smaller than 200 KB.
// Note that the "type" value is supplied by the client and is not verified here.
if (($_FILES["file"]["type"] == "application/pdf")
  && ($_FILES["file"]["size"] < 200000))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " KB<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

    if (file_exists("upload/" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " already exists. ";
      }
    else
      {
      // Move the temporary file into the upload/ folder under its original name.
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "upload/" . $_FILES["file"]["name"]);
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
      }
    }
  }
else
  {
  echo "Invalid file";
  }

// Record the submission. The POST values are interpolated directly into the SQL string.
$order="INSERT INTO submission(author,title,type,file,submissionDate,email,discipline)
VALUES ('$_POST[author]','$_POST[title]','$_POST[type]','$_POST[file]',SYSDATE(),'$_POST[email]','$_POST[discipline]')";

if(mysql_query($order))
{
echo "Submission Succeeded";
}
else
{
echo("Submission failed");
}
?>
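The handler above trusts three things the client controls: the reported MIME type, the original filename (used as-is under upload/), and the POST fields spliced into the INSERT statement. The following is an added example, written in Python rather than PHP so that the checks run in isolation, of the same upload-and-record flow with each of those inputs handled server-side: the PDF header bytes are checked instead of the client's type, the file is stored under a server-generated name, and the row is written with a parameterised query. It is not code from the original post; the Upload class stands in for a framework's multipart field, and an in-memory SQLite table (constructed here) stands in for the MySQL submission table.

```python
import os
import secrets
import sqlite3
import tempfile
from dataclasses import dataclass
from typing import Optional

MAX_BYTES = 200_000            # same size limit as the PHP handler above
UPLOAD_DIR = "upload"          # assumed storage folder, as in the PHP code
PDF_MAGIC = b"%PDF-"           # every PDF file begins with this header


@dataclass
class Upload:
    """What a web framework hands us for one multipart file field (assumed shape)."""
    client_name: str           # untrusted: may contain ../ or a .php extension
    client_type: str           # untrusted: whatever the browser chose to send
    content: bytes


def validate_pdf_upload(up: Upload) -> Optional[str]:
    """Return None when the file is acceptable, otherwise the reason it was rejected.
    The client-supplied type is ignored; the bytes themselves are checked."""
    if len(up.content) == 0:
        return "empty file"
    if len(up.content) > MAX_BYTES:
        return "file too large"
    if not up.content.startswith(PDF_MAGIC):
        return "not a PDF"
    return None


def safe_storage_name() -> str:
    """Never reuse the client's filename. A random name with a fixed extension
    cannot traverse directories and cannot be executed as a script."""
    return secrets.token_hex(16) + ".pdf"


def store_upload(up: Upload, upload_dir: str = UPLOAD_DIR) -> str:
    """Write validated content under a server-chosen name and return its path."""
    reason = validate_pdf_upload(up)
    if reason is not None:
        raise ValueError(reason)
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, safe_storage_name())
    # Mode "xb" refuses to overwrite an existing file instead of silently replacing it.
    with open(path, "xb") as fh:
        fh.write(up.content)
    return path


def demo_store_roundtrip(up: Upload) -> bool:
    """Store into a throwaway directory and confirm the bytes on disk match and
    the client's filename was not used."""
    with tempfile.TemporaryDirectory() as tmp:
        path = store_upload(up, tmp)
        with open(path, "rb") as fh:
            return fh.read() == up.content and os.path.basename(path) != up.client_name


def open_demo_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL submission table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submission(id INTEGER PRIMARY KEY, author, title, "
                 "type, file, submissionDate, email, discipline)")
    return conn


def record_submission(conn: sqlite3.Connection, author: str, title: str, kind: str,
                      stored_path: str, email: str, discipline: str) -> int:
    """Parameterised INSERT: the values travel separately from the SQL text, so a
    title containing quotes or a semicolon is stored as plain data, never executed."""
    cur = conn.execute(
        "INSERT INTO submission(author,title,type,file,submissionDate,email,discipline) "
        "VALUES (?,?,?,?,CURRENT_TIMESTAMP,?,?)",
        (author, title, kind, stored_path, email, discipline),
    )
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    # Constructed sample: a minimal PDF header is enough to pass the magic check.
    paper = Upload("paper.pdf", "application/pdf", b"%PDF-1.4\n%constructed sample\n")
    print("valid:", validate_pdf_upload(paper) is None)
    db = open_demo_db()
    print("row id:", record_submission(db, "Alice", "Paper title", "paper",
                                       "upload/placeholder.pdf", "alice@example.com", "security"))
```

The same three changes carry straight back to PHP: check the first bytes of the temporary file (or use finfo) instead of $_FILES["file"]["type"], generate the destination name yourself rather than using $_FILES["file"]["name"], and move the INSERT to a prepared statement with bound parameters.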
