just was reading a article on web API with HMAC authentication from this url http://www.piotrwalat.net/hmac-authentication-in-asp-net-web-api/
if possible some one briefly discuss what is HMAC authentication and How this type of authentication works for web api ?
what i understood from their article that client will have a secret key and when client will request web api service then they will send hash of secret key along with request and web service will compare the hash and if match then it allow to call action ?
if i understood correctly then i have some question. suppose if am sending hash of a secret key to web api then how web api know what key client have ? because if web api has to generate hash of secret key what client used for comparing at service end then web api has to know which client is sending data.
there is change of Replay attack for HMAC authentication for web api
the article raise some points which is not clear to me to prevent the chance of Replay attack for HMAC authentication for web api.
the points are
Imagine a malicious third party intercepts a valid (properly authenticated) HTTP request coming from a legitimate client
(eg. using a sniffer). Such a message can be stored and resent to our server at any time enabling attacker to repeat operations
performed previously by authenticated users. Please note that new messages still cannot be created as the attacker does not
know the secret nor has a way of retrieving it from intercepted data.
1) requests with different Date header values will have different signatures, thus attacker will not be able to modify the timestamp
we will generate hash based on secret key then how date comes to scene ? this points is not clear to me.
2) we introduce a requirement that no http request can be older than X (eg. 5) minutes - if for any reason the message is
delayed for more than that it will have to be resent with a refreshed timestamp.
point two is not clear. what this area try to mean delayed for more than that it will have to be resent with a refreshed timestamp.
I wrote an application in asp net (3.5).
From an .aspx page should be interfaced a script in asp.
I meant that the aspx page after viewing waits X seconds and then using HTTPRequest and POST call the asp page.
In the aspx page I inserted a timer that delays the execution of the asp page X seconds.
When I use firefox working properly, while chrome is in the loop, that is the status bar see that continually draws the current page without stopping, ending only when I close the course page.
Searching the net I saw that chrome and safari have some incompatibility.
Where did I go wrong ?
What can be done to solve this problem, taking into account that I can not replace the ASP page with an .aspx, because it uses COM objects that do not know the features?
We have the requirement to invoke a Microsoft Outlook Meeting request from an Intranet web page without having the following (well known) message:
An ActiveX control on this page might be unsafe to interact with other parts of this page. Do you want to allow this interaction?
We want to use the standard installed (client side) Microsoft outlook libraries for that.
We do not want to relax the Local intranet Zone in IE by means of the standard resolution method of enabling the “Initialize and script ActiveX controls not marked as safe for scripting” Setting.
This is a simplified version of the code, the message is invoked by the highlighted portion
//Reference to Outlook.Application var theApp;
var theApp = new ActiveXObject("Outlook.Application"); // -- this is where we get the errorvar objNS = theApp.GetNameSpace('MAPI');
var theMeeting = theApp.CreateItem(1); // value 0 = MailItem, 1 = meeting
theMeeting.Subject = "Will this time suit you?";
theMeeting.Location = "Your Office";
theMeeting.Start = "01/01/2017 10:00:00"
theMeeting.End = "01/01/2017 11:00:00"
theMeeting.ReminderMinutesBeforeStart = 15; // Number of minutes before the event for the reminder
theMeeting.BusyStatus = 1; // Makes it appear bold in the calendar
theMeeting.AllDayEvent = false;
theMeeting.BusyStatus = 1;
We have tried to mark it safe in the registry as safe for scripting (7DD95801-9882-11CF-9FA9-00AA006C42C4) and safe for initializing from persistent data (7DD95802-9882-11CF-9FA9-00AA006C42C4).
This is the registry setting we used (the one is the standard GUID for outlook, the other is the GUIDwe get when we add a reference to mso.dll in a VS.net windows form Application
Hello, our company website is getting hit hard from malicious bots. I wish to propose a solution which involves changes to our web.config file. The trick is that I wish for the general search engine traffic to continue; I'm just interested in preventing the malicious bots.
This is an example of what I'm seeing online:
The author seems to be restricting all search engines. Is this correct? If so, does anyone have an alternative that will allow for general search engine traffic to visit but restrict specific malicious bots? (I'd prefer to edit the web.config, since I don't believe that malicious bots care about the robots.txt file.)
I experimented with that years ago writing a program called bot catcher or something, the program is located in my profile in articles submitted.
Over the years, the bots just change their names over and over and it becomes a circular task that chews up so much time.
I guess to anwser your question, no I have not used the web config or knew that method existed. I'm just saying that manual operation of adding bots to that config is time consuming.
IMHO, the best solution is to just block an entire country using something like a Sonic Wall.
You can create automated programs that will detect and block by IP Address, but the bot activity will detect the block and notify it's master of it; then the master will put your website on a army of machines starting in Russia, then China and so forth. If you keep blocking those, then the army grows till it wraps around the world and it's 24/7.
So after 4 years of experimenting, I finally just broke down and bought a $2K Dell NSA 2600 Sonicwall and purchased a 3 year contract to filter out bad stuff; works like a champ now and they do all the work.
Now I can focus on just writing better more efficient code to keep user data safe.
We have a complex application developed in asp.net web forms and ajax. the Application is very heavy and contains many complex functions. Lengthy (Header/details) forms, Complicated Gridviews and all supported with ajax controls.
the application has been enhanced for the last 10 years to keep it with the latest tehnology and trends.
we are planning to do major enhancement to the application - converting it to HTML5 and jquery/bootstrap
the developers advising to re-develop the application in MVC because it is fully support jquery/callback and bootstrap
I am not sure if we can go to in this direction or not. the current application is event based. most of the events are handled in the server side. for example we have a form with many sections being displayed or hidden based on a selection from multiple dropdowns. for that we are using asp.net panel with visible property.
and we have other screens with gridviews loading huge data (more than 50,0000 rows) and we used the gridview built-in paging and sorting. beside we also have nested grids (Expand/Collapse) for each row of the parent grid
I am not sure if all of these functionalities can be achieved by MVC/Bootstrap.
However you can't really "convert" such an app as you have from a server-side methodology to a client-side one. I think you can maybe re-engineer some things such as, for example, ditching datagrid paging and instead use jQuery to call web methods to return the data as pages and then update the DOM directly. These things are no less possible in webforms than MVC.
The way I see it you can only add these types of enhancements and introduce these techniques a bit at a time, or you can commit to full rewrite the app and take the opportunity to improve it in many areas as I'm sure the app would benefit from this. If you do commit to do that then moving to MVC at the same time would be a good thing to do, but it will involve a complete re-write and there will be a steep learning curve for your team.
The main difference between ASP.NET Forms and MVC (except the strict separation of concerns), is where is your code-behind, if any...
The main concerns you have to look for:
1. Time - MVC is not RAD!!!
2. Separation. While in ASP.NET Forms you could bend the rules and mix layers MVC will break under same conditions, and for that the design/develop cycle must be more precise and time consuming...
3. Knowledge of client side technologies... MVC gives you grate control over the final output of rendering, but it can be a burden as you HAVE TO take care for almost every details for your own...
4. OO? Not really. MVC views can not inherit the same way web forms do, so all the idea of master pages and inheritance must be redesigned...
To make it clear - there is no actually anything will stop you from porting your application, but it will be a big challenge and you and your team will have to learn a lot of new things and ways of doing them...
On a personal note: We are in the middle of a similar process. We are merging an ASP.NET Forms and a Win Forms application into a new - modern web application. We are talking about thousands of pages in the final project...
Our final solution is to write our own framework, that enables developing the same way we used to do with Web Forms, but translates old style code to MVC like... So we actually mixing ASP.NET Forms and MVC in a way that still enables RAD development with full OO, but take advantages of the MVC (modern) based development...
Skipper: We'll fix it. Alex: Fix it? How you gonna fix this? Skipper: Grit, spit and a whole lotta duct tape.
I'm currently porting my web forms app to MVC at the moment. Started last Jan 20, 2016 and plan to deploy it next Mar 2017. My web app was written in VB, so I had to convert to c# as well.
Best call or decision I ever made. I can't wait to deploy the new app and run it. I thought about all the cool stuff I had already had ending up throwing in the trash and writing even better stuff to replace it.
So now I have the whole setup, EF6, automatic migrations, node.js, bower, gulp, bootstrap, fontawesome; with automatic css, js, image compression on every build, and package updates. I can validate a form off a model or just in JQuery. I save 3 hours now every time I publish a change.
It took me 6 months to really learn all of the above, but now I'm jamming fast creating very functional single page apps and so forth with very reusable code. Once you past the learn curve, your reusable code propels you forward at a very fast rate. I's say I'm 8X faster now than Web Forms.
Those complex headers your asking about, you can write an Attribute "OnActionExecuting" class, that will do your header work, and add the name to the top of the controller Action to run it every time that action is called. I have a bunch of these now, one I use for shopping and checkout for security and to replace the Identity module.
Ajax work is a breeze; for I have an Ajax controller that does nothing but ajax calls, returning a JsonResult; just pure json back.
I don't know about the gridview, but suppose you can write something from scratch, it's just HTML. But HTML5 and Bootstrap has stuff that can replace it.
IMO; wish I would of made the move years ago.
Go for it!
Hello, I have a web page that is using similar code to a second page that works perfectly. Both pages have listviews. Immediately following the listviews I have datapagers.
Page 1 (the working page), has a listview, and a datapager. I have three fields for this datapager. To simplify things, the first field looks like:
<asp:NextPreviousPagerField ShowFirstPageButton="False" ShowNextPageButton="False" />
It works as expected.
Page 2 also has a listview. I have a datapager. If I leave out any fields for this datapager, the web page renders. (I just don't see any pagination control.)
Here is where I attempt to just add a single field to the datapager:
<asp:NextPreviousPagerField ShowFirstPageButton="False" ShowNextPageButton="False" />
Doing this generates what I consider to be a bizarre, crazy error:
Control 'DataPager_ctl00_ctl00' of type 'LinkButton' must be placed inside a form tag with runat=server
Huh? Why would trying to add even one field to this datapager give me this error? The code for the listviews and datapagers for both web pages are nearly identical. Where both datapagers are defined I am using the runat="server" directive. The directive for the datapager that isn't working resembles this: