Wednesday, June 25, 2014

Encrypting & Decrypting web.config

Encrypting & Decrypting  web.config

We can encrypt each section of the web.config using the encryption provided by aspnet_regiis.exe.


<!-- Encrypt Connection String -->
C:\WebPortal>aspnet_regiis.exe -pef connectionStrings c:\WebPortal-prov "RsaProtectedConfigurationProvider"
Encrypting configuration section...
Succeeded!
Here the -pe switch specifies the configuration section "connectionStrings" to encrypt.

C:\WebPortal>aspnet_regiis.exe -pdf connectionStrings c:\WebPortal
Decrypting configuration section...
Succeeded!
Here the -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.




<!-- Encrypt AppSettings -->
C:\WebPortal>aspnet_regiis.exe -pef appSettings c:\WebPortal-prov "RsaProtectedConfigurationProvider"
Encrypting configuration section...
Succeeded!
Here the -prov switch specifies the provider name.

C:\WebPortal>aspnet_regiis.exe -pdf appSettings c:\WebPortal
Decrypting configuration section...
Succeeded!
at No comments:
Labels: , , , , , ,

Session Hijacking Prevention


 Is it possible to steal a cookie and authenticate as an administrator?

Yes it is possible, if the Forms Auth cookie is not encrypted, someone could hack our cookie to give themselves elevated privileges or if SSL is set to not required, copy some other person's cookie.
Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed.
 However, there are steps we can take to mitigate these risks:
On the system.web/authentication/forms element:
  1. requireSSL=true. This requires that the cookie only be transmitted over SSL
  2. slidingExpiration=false. When true, an expired ticket can be reactivated.
  3. cookieless=false. Do not use cookieless sessions in an environment where are you trying to enforce security.
  4. enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
  5. protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in the machine.config or web.config. This feature would stop someone from hacking their own cookie as this setting tells the system to generate a signature of the cookie and on each authentication request, compare the signature with the passed cookie.
Note: If you so wanted, you could add a small bit of protection by putting some sort of authentication information in Session such as a hash of the user’s username (Never put the username in plain text or their password). This would require the attacker to steal both the Session cookie and the Forms Auth cookie.
Currently in portal cookie expiration is 1 year for users who have checked “Save Your User Name on This Computer” this has to be set to shorter period.

Links referred are below:

at No comments:
Labels: , , , , , ,

Generic Methods

Generics in C#

Generic in C# means common to or applicable to an entire class. As most of the developers think Generic is to define type-safe data structures without committing to actual data types, but is it the only reason why Generics are for?The answer is BIG NO.

In this article we will focus on what other important aspect can be achieved in our daily programming by using Generic. We will see how to use Generic and avoid method overloading.

The below program shows the use of method overloading to display content of int, double & char array.

using System;
class OverloadedMethods
{
static void Main(string[] args)
{
  // create arrays of int, double and char
  int[] intArray = { 1, 2, 3, 4, 5, 6 };
  double[] doubleArray = { 1.1, 2.2, 3.3, 4.4, 5.5, 6.6, 7.7 };
  char[] charArray = { 'H', 'E', 'L', 'L', 'O' };

  Console.WriteLine("Array intArray contains:");
  DisplayArray(intArray); // pass an int array argument
  Console.WriteLine("Array doubleArray contains:");
  DisplayArray(doubleArray); // pass a double array argument
  Console.WriteLine("Array charArray contains:");
  DisplayArray(charArray); // pass a char array argument
} // end Main
// output int array
static void DisplayArray(int[] inputArray)
{
  foreach (int element in inputArray)
      Console.Write(element + " ");
  Console.WriteLine("\n");
} // end method DisplayArray
// output double array
static void DisplayArray(double[] inputArray)
{
  foreach (double element in inputArray)
      Console.Write(element + " ");
  Console.WriteLine("\n");
} // end method DisplayArray
// output char array
static void DisplayArray(char[] inputArray)
{
  foreach (char element in inputArray)
      Console.Write(element + " ");
  Console.WriteLine("\n");
} // end method DisplayArray
} // end class OverloadedMethods


When we run the program output would be following:



For Array intArray contains:
1 2 3 4 5 6

For Array doubleArray contains:21.1, 22.2, 23.3, 24.4, 25.5



For Array charArray contains:
H E L L O





This
 looks pretty simple, but did you notice we had to write the same logic 
thrice for int, double and char. What if we had do write similar 
processing for all the data types, it would have taken hundred's of 
line.



To
 overcome this from C# 2.0 Generic methods have been introduced. If we 
have similar operation to be performed by several overloaded methods we 
can write a single generic method declaration that can be called at 
different times with arguments of different types. Based on the types of
 the arguments passed to the generic method, the compiler handles each 
method call appropriately. All generic method declarations have a type 
parameter list delimited by angle brackets (<> in this example) 
that follows the method's name. 





Below we see the same code written using Generic method.





using System;
using System.Collections.Generic;

class MethodGeneric
{
    static void Main(string[] args)
    {
        // create arrays of int, double and char
        int[] intArray = { 1, 2, 3, 4, 5, 6 };
        double[] doubleArray = { 21.1, 22.2, 23.3,24.4, 25.5};
        char[] charArray = { 'H', 'E', 'L', 'L', 'O'};

        Console.WriteLine("Array intArray contains:");
        PrintArray(intArray); // pass an int array argument
        Console.WriteLine("Array doubleArray contains:");
        PrintArray(doubleArray); // pass a double array argument
        Console.WriteLine("Array charArray contains:");
        PrintArray(charArray); // pass a char array argument
    } // end Main

    // output array of all types
    static void PrintArray<T>(ref T inputArray)
    {
        foreach (var element in inputArray)
            Console.Write(element + " ");
        Console.WriteLine("\n");
    } // end method PrintArray


} // end class MethodGeneric






This
 program has the same output as the previous one, but we reduced the 
number of lines in the program. A generic method’s body is declared like
 that of any other method. Just like type declarations, method 
declarations can be generic i.e., parameterized by one or more type 
parameters. A type parameter is an identifier that is used in place of 
actual type names. The type parameters can be used to declare the return
 type, the parameter types and the local variable types in a generic 
method declaration. The type parameters act as placeholders for the 
types of the arguments passed to the generic method.












at





No comments:
  


















Labels:
,
,
,

















        

      









Subscribe to:
Posts (Atom)









Generative AI: Paving the way for Performance-Driven Enterprise Architecture



  Generative AI is not just reshaping the technological frontier; it's rapidly becoming an essential tool in optimizing enterprise archi...