Wednesday, June 25, 2014

Session Hijacking Prevention

Is it possible to steal a cookie and authenticate as an administrator?

Yes, it is possible. If the Forms Auth cookie is not encrypted, someone could tamper with their own cookie to give themselves elevated privileges, and if SSL is not required, they could copy another person's cookie off the wire.
Encrypting the session value on its own has zero effect: the session cookie is already an arbitrary value, and encrypting it just produces another arbitrary value that can be sniffed and replayed.
However, there are steps we can take to mitigate these risks.
On the system.web/authentication/forms element:
  1. requireSSL=true. This requires that the cookie only be transmitted over SSL.
  2. slidingExpiration=false. When true, an expired ticket can be reactivated.
  3. cookieless=false. Do not use cookieless sessions in an environment where you are trying to enforce security.
  4. enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
  5. protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in machine.config or web.config. This stops someone from tampering with their own cookie, because the system generates a signature of the cookie and, on each authentication request, compares that signature with the cookie that was passed in.
Note: If you wanted, you could add a small extra layer of protection by putting some authentication information in Session, such as a hash of the user's username (never put the username in plain text, or their password). An attacker would then have to steal both the Session cookie and the Forms Auth cookie.
Currently in the portal, cookie expiration is 1 year for users who have checked "Save Your User Name on This Computer"; this has to be set to a shorter period.
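An added example, not code from the original post: a startup check that reads the forms element through System.Web.Configuration and refuses to start the application when any of the settings listed above is weaker than required. The 8-hour ceiling on the ticket timeout is an assumed value, not one the post gives.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Configuration;

// Added example: verifies at application start that the <forms> element
// carries the hardened settings listed above. Call EnforceOnStartup()
// from Application_Start in Global.asax.cs.
public static class FormsAuthHardeningCheck
{
    // Longest acceptable ticket lifetime. The portal's current value of
    // 1 year is far too long; 8 hours is an assumed, illustrative limit.
    static readonly TimeSpan MaxTimeout = TimeSpan.FromHours(8);

    // Returns one finding per weak setting; an empty list means the
    // configuration matches the five recommendations.
    public static IList<string> Audit(FormsAuthenticationConfiguration forms)
    {
        var findings = new List<string>();
        if (!forms.RequireSSL)
            findings.Add("requireSSL is false: ticket can travel over plain HTTP and be sniffed");
        if (forms.SlidingExpiration)
            findings.Add("slidingExpiration is true: a stolen ticket keeps being renewed");
        if (forms.Cookieless != HttpCookieMode.UseCookies)
            findings.Add("cookieless is not UseCookies: ticket may be carried in the URL");
        if (forms.EnableCrossAppRedirects)
            findings.Add("enableCrossAppRedirects is true: tickets accepted across apps");
        if (forms.Protection != FormsProtectionEnum.All)
            findings.Add("protection is not All: ticket is not both encrypted and signed");
        if (forms.Timeout > MaxTimeout)
            findings.Add("timeout " + forms.Timeout + " exceeds " + MaxTimeout);
        return findings;
    }

    // Fail closed: an unavailable site is better than a hijackable one.
    public static void EnforceOnStartup()
    {
        var auth = (AuthenticationSection)
            WebConfigurationManager.GetSection("system.web/authentication");
        if (auth == null || auth.Mode != AuthenticationMode.Forms)
            return; // Forms Auth is not in use, nothing to check

        var findings = Audit(auth.Forms);
        if (findings.Count > 0)
            throw new InvalidOperationException(
                "Insecure forms authentication configuration:\n" +
                string.Join("\n", findings));
    }
}
```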

Links referred are below:

Generic Methods

Generics in C#

Generic in C# means common to or applicable to an entire class. Most developers think Generics exist only to define type-safe data structures without committing to actual data types, but is that the only reason Generics are there? The answer is a big NO.

In this article we will focus on another important aspect that Generics bring to our daily programming: how to use a generic method and avoid method overloading.

The program below uses method overloading to display the contents of an int, a double and a char array.

using System;

class OverloadedMethods
{
    static void Main(string[] args)
    {
        // create arrays of int, double and char
        int[] intArray = { 1, 2, 3, 4, 5, 6 };
        double[] doubleArray = { 1.1, 2.2, 3.3, 4.4, 5.5, 6.6, 7.7 };
        char[] charArray = { 'H', 'E', 'L', 'L', 'O' };

        Console.WriteLine("Array intArray contains:");
        DisplayArray(intArray); // pass an int array argument
        Console.WriteLine("Array doubleArray contains:");
        DisplayArray(doubleArray); // pass a double array argument
        Console.WriteLine("Array charArray contains:");
        DisplayArray(charArray); // pass a char array argument
    } // end Main

    // output int array
    static void DisplayArray(int[] inputArray)
    {
        foreach (int element in inputArray)
            Console.Write(element + " ");
        Console.WriteLine("\n");
    } // end method DisplayArray

    // output double array
    static void DisplayArray(double[] inputArray)
    {
        foreach (double element in inputArray)
            Console.Write(element + " ");
        Console.WriteLine("\n");
    } // end method DisplayArray

    // output char array
    static void DisplayArray(char[] inputArray)
    {
        foreach (char element in inputArray)
            Console.Write(element + " ");
        Console.WriteLine("\n");
    } // end method DisplayArray
} // end class OverloadedMethods

When we run the program, the output is the following:

Array intArray contains:
1 2 3 4 5 6

Array doubleArray contains:
1.1 2.2 3.3 4.4 5.5 6.6 7.7

Array charArray contains:
H E L L O


This looks pretty simple, but did you notice that we had to write the same logic three times, for int, double and char? If we had to write similar processing for all the data types, it would have taken hundreds of lines.
To overcome this, generic methods were introduced in C# 2.0. If a similar operation is performed by several overloaded methods, we can write a single generic method declaration that can be called at different times with arguments of different types. Based on the types of the arguments passed to the generic method, the compiler handles each method call appropriately. All generic method declarations have a type parameter list delimited by angle brackets (<T> in the example below) that follows the method's name.

Below we see the same code written using a generic method.

using System;

class MethodGeneric
{
    static void Main(string[] args)
    {
        // create arrays of int, double and char
        int[] intArray = { 1, 2, 3, 4, 5, 6 };
        double[] doubleArray = { 1.1, 2.2, 3.3, 4.4, 5.5, 6.6, 7.7 };
        char[] charArray = { 'H', 'E', 'L', 'L', 'O' };

        Console.WriteLine("Array intArray contains:");
        PrintArray(intArray); // pass an int array argument; T is inferred as int
        Console.WriteLine("Array doubleArray contains:");
        PrintArray(doubleArray); // pass a double array argument; T is inferred as double
        Console.WriteLine("Array charArray contains:");
        PrintArray(charArray); // pass a char array argument; T is inferred as char
    } // end Main

    // output an array of any element type T
    static void PrintArray<T>(T[] inputArray)
    {
        foreach (T element in inputArray)
            Console.Write(element + " ");
        Console.WriteLine("\n");
    } // end method PrintArray
} // end class MethodGeneric

This program has the same output as the previous one, but with fewer lines of code. A generic method's body is declared like that of any other method. Just like type declarations, method declarations can be generic, i.e. parameterized by one or more type parameters. A type parameter is an identifier that is used in place of an actual type name. Type parameters can be used to declare the return type, the parameter types and the local variable types in a generic method declaration; they act as placeholders for the types of the arguments passed to the generic method.
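An added example, not code from the original article, that takes the idea one step further: a single generic method constrained with where T : IComparable<T> replaces what would otherwise be three overloads of a "largest element" routine, and the print method is widened from T[] to IEnumerable<T> so the same method also serves a List<T>. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;

class GenericMethodsFurther
{
    // One method instead of Largest(int[]), Largest(double[]), Largest(char[]) ...
    // The constraint tells the compiler that every T supports CompareTo, so the
    // comparison inside the body is type-checked once for all such types.
    static T Largest<T>(T[] values) where T : IComparable<T>
    {
        if (values == null || values.Length == 0)
            throw new ArgumentException("need at least one element", "values");
        T best = values[0];
        foreach (T v in values)
            if (v.CompareTo(best) > 0)
                best = v;
        return best;
    }

    // Accepting IEnumerable<T> rather than T[] makes one method usable for
    // arrays, lists and any other sequence, again without overloading.
    static void PrintSequence<T>(IEnumerable<T> items)
    {
        foreach (T element in items)
            Console.Write(element + " ");
        Console.WriteLine();
    }

    static void Main()
    {
        int[] intArray = { 1, 2, 3, 4, 5, 6 };
        double[] doubleArray = { 1.1, 2.2, 3.3, 4.4, 5.5, 6.6, 7.7 };
        char[] charArray = { 'H', 'E', 'L', 'L', 'O' };
        var names = new List<string> { "ant", "bee", "cat" };

        PrintSequence(intArray);            // T inferred as int from the argument
        PrintSequence(names);               // T inferred as string; works on a List<T>
        PrintSequence<double>(doubleArray); // type argument given explicitly

        Console.WriteLine(Largest(intArray));
        Console.WriteLine(Largest(doubleArray));
        Console.WriteLine(Largest(charArray));
        Console.WriteLine(Largest(names.ToArray()));
        // Largest(new object[] { 1, "x" }) would not compile: object is not IComparable<object>,
        // so the constraint catches the mistake at build time instead of at run time.
    }
}
```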

Thursday, September 23, 2010

Microsoft Web Farm Framework

Microsoft Web Farm Framework for IIS7 enables administrators to provision, scale and manage their web infrastructure.

Microsoft has released the Web Farm Framework Beta, which lets us easily provision and manage a farm of web servers. It automates the installation and configuration of platform components across the server farm, and automatically synchronizes and deploys ASP.NET applications across the servers. It also integrates with load balancers and automates updates across our servers, so that our site or application is never down or unavailable to customers.
The Web Farm Framework can be used to:
  • Provision web platform and content
  • Scale web infrastructure and resources using ARR and 3rd party load balancers
  • Manage multiple servers or a farm using a unified interface

Using Web Farm Framework to Provision and Scale a Web Farm
The Microsoft Web Farm Framework enables you to easily define a “Server Farm” that you can add any number of servers into. Servers participating in the “Server Farm” will then be automatically updated, provisioned and managed by the Web Farm Framework.
What this means is that you can install IIS (including modules like UrlRewrite, Media Services, etc), ASP.NET, and custom SSL certificates once on a primary server – and then the Web Farm Framework will automatically replicate and provision the exact same configuration across all of the other web servers in the farm (no manual or additional steps required).
You can then create and configure an IIS Application Pool and a new Site and Application once on a primary server – and the Web Farm Framework will automatically replicate and provision the settings to all of the other web servers in the farm. You can then copy/deploy an ASP.NET application once on the primary server – and the Web Farm Framework will automatically replicate and provision the changes to all of the web servers in the farm (no manual or additional steps required).
The Web Farm Framework eliminates the need to manually install/manage things across a cluster of machines. It handles all of the provisioning and deployment for you in a completely automated way.
Load Balancer Integration
In addition to making it easy to provision and deploy servers and applications, the Web Farm Framework also includes load balancer integration. Specifically, it can integrate with an HTTP load balancer so that as web servers in the farm are updated with changes, they are automatically pulled out of the load balancer rotation, updated, and then added back in. The Web Farm Framework can also optionally update the machines one at a time, so that you always have servers available to handle heavy load. This keeps your site available during updates, without you having to write any manual scripts to control or manage the update roll-out.
The current beta of the Web Farm Framework includes built-in support for the IIS Application Request Routing (ARR) service (which supports automatic load balancing of HTTP requests across multiple machines in a web farm). The Web Farm Framework makes it easy to integrate your farm of servers with ARR for load balancing, and includes support to automatically pull a server out of rotation while it is being updated and add it back into rotation once the update is done.
The final Web Farm Framework release will also enable extensibility with other load-balancing technologies, giving the same ability to automatically pull servers from, and inject them back into, a load balancing rotation as they are updated.
For more details you can visit Scott Gu's blog http://weblogs.asp.net/scottgu/archive/2010/09/08/introducing-the-microsoft-web-farm-framework.aspx

UML INTRO

UML stands for Unified Modeling Language. UML is a graphical language for visualizing, specifying, constructing and documenting the artifacts of a software system. It is a standard language for designing and documenting a system in an object-oriented manner. UML provides a blueprint for business processes, system functioning, programming language statements, database schemas and reusable components.

UML is used in all phases of software development, from requirement specification to acceptance test and from designing a solution to deploying and packaging it. Modeling has been around for years, not only in the software field but also in other fields like civil and mechanical engineering, where a model is prepared and approved before production starts. Modeling breaks a complex system up into simple, discrete pieces that can be understood individually. If we ask ourselves whether we have been following modeling, most of us would say NO. But all of us do modeling: the flowchart that we draw is a model for our module, isn't it?

Now let us see what the advantages of modeling are:
  1. Readability: Representing the whole architecture in flowcharts, class diagrams, state diagrams, ER diagrams, etc. makes our project more readable. Especially when programmers change jobs, handover becomes easier.
  2. Re-usability: Once the system is readable and broken down into pieces, it becomes easier to identify redundant and similar modules, which increases re-usability. We can decide on reusable components to be used across the application.

Why should we adopt UML?
Well, different languages have different ways of coding and different syntax. In order to bring all languages under one roof, UML comes into the picture. As the term UNIFIED suggests, it unifies all the different languages under one roof, so people who are working on other platforms can understand it.

An interesting question was put up, "Does UML fit in an Agile/Scrum environment?", during a UML session presented by myself and one of my colleagues at our office CastleRock, Kolkata.
Well, the answer is yes: UML is not methodology dependent, and you can apply it to any software development process. If we have a blueprint of the whole architecture, whenever we are required to make changes or alter a section or module, we can very easily trace which sections or modules would get affected and, at the same time, figure out how much time it might take to finish the job.

You can check out the list of UML tools at http://www.sereferences.com/uml-tools.php.

In the next post I will cover different UML diagrams.
