Simple answer: don't.
You're adding a password to the site because you want to protect the user's data. You want to add client-side hashing of the user's password in case someone is intercepting the traffic between the client and the server. But if someone is intercepting the traffic, then they can just read the user's data as they request it. They can also hijack the user's session and authentication cookies, and perform whatever action they want on your site.
To properly protect the communication between the client and the server, you need to install an SSL certificate and ensure that your site is only accessible over HTTPS. (Depending on the nature of your site, you might be able to get away with a free certificate from StartSSL[^].)
Once your site is protected with SSL, you don't need to worry about hashing the password on the client-side.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
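The advice above (HTTPS only, and keep the session and authentication cookies off plain HTTP) as an added example in ASP.NET; this is not code from the thread or from any of its posters. It assumes a Global.asax code-behind class named Global and System.Web (Web Forms, which the later posts use).

```csharp
using System;
using System.Web;

// Added example, not from the thread: Global.asax code-behind that keeps the site
// HTTPS-only, so the posted password and the session/auth cookies never travel in clear.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        if (!request.IsSecureConnection)
        {
            // Permanent redirect of any http:// URL to the same path on https://
            // (Port = -1 means "use the default port for the scheme").
            UriBuilder secure = new UriBuilder(request.Url)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1
            };
            Context.Response.RedirectPermanent(secure.Uri.AbsoluteUri);
            return;
        }
        // Only on the HTTPS response: tell browsers to stop trying http:// for a year.
        Context.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
    }

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Mark every cookie this app sets as Secure (never sent over http) and HttpOnly
        // (not readable by page script), which blunts the cookie-hijacking risk above.
        HttpCookieCollection cookies = Context.Response.Cookies;
        foreach (string name in cookies.AllKeys)
        {
            cookies[name].Secure = true;
            cookies[name].HttpOnly = true;
        }
    }
}
```

The same two cookie flags can be set declaratively in web.config (httpCookies requireSSL and httpOnlyCookies, and forms requireSSL); the code form is shown so the behaviour is visible in one place.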
I have not been able to find an ASP.NET MVC implementation of DropTiles (preferably MVC5).
It's an Open Source project that aims at MVVM. I doubt they're going to reimplement it just for another pattern.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
I implemented SSL on my web application.
Below is my code through which I am getting the login.
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

#region Hash the posted password (runs server-side, in the page code-behind)
MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider();
byte[] hashedDataBytes;
UTF8Encoding encoder = new UTF8Encoding();
hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(txtPassword.Text));
#endregion
// Look the user up by id and password hash through the For_Login stored procedure;
// con is the page's SqlConnection and ddl the user-id drop-down list
SqlCommand com11 = new SqlCommand("For_Login", con);
com11.CommandType = CommandType.StoredProcedure;
com11.Parameters.AddWithValue("@User_Id", ddl.SelectedItem.Text);
com11.Parameters.AddWithValue("@Password", hashedDataBytes);
SqlDataAdapter sda = new SqlDataAdapter(com11);
DataTable dtcheck = new DataTable();
sda.Fill(dtcheck);
if (dtcheck.Rows.Count > 0)
{
    // logged in
}
But when I run the application on the server and start Fiddler, it shows the password in clear text.
See the image below:
(image: http://i.imgur.com/A7j8HC8.jpg)
Why is this happening? What should I do?
Fiddler isn't showing the SQL connection, but the posting of "login.aspx" and its contents. You're hashing it later on.
Since the page is encrypted, one would not be able to see that without access to the certificate.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Ok fine Sir,
Now see my situation. My web application's security audit is being done. I implemented everything like MD5, SSL etc.
But if my auditor uses this Fiddler (or maybe another tool for testing, I don't know what they are using) and he/she can see the password in Fiddler, what should I do/say? I am not getting the point.
If they always use Fiddler or any other tool they can easily see the password. Then what's the solution so that the password between server and client is not in clear text?
Is there any other method of doing this so that they can't see the password using any tool? Or any other client-side technique?
Please suggest, Sir... I am feeling helpless.
demoninside9 wrote: But if my auditor use this fiddler
One could explain to the expert that he/she is looking at a stream that is encrypted before it goes over the net.
demoninside9 wrote: Is there any other methods doing this so that they cant see the password using any tool?
Yes, but if he/she is using the key to open the lock, then it is not a security risk. If there's another application client-side with administrative privileges, then you already lost and don't need the audit.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Hi!
After successfully injecting a .dll file into a target process, I would like to run it, but how can I do this?
I know how to do it in my application by adding the DllMain() function...
But in the target process, how can it be achieved?
I read many articles talking about Windows hooks but I would like to understand the method!
Thanks
You're not going to get an answer to that question here. The probability of abuse of such a technique is high and we're not going to be party to that.
That being said, you can find the answer to that question on the web after a simple Google search. I leave it up to you to figure out what to search for.
Good afternoon. I wanted to share with you a problem I'm having, for which I cannot find a convincing answer.
What is the problem?
There are many active database connections in status SLEEPING / AWAITING COMMAND, and every time I run a new query against the database a new connection is added; I see this with sp_who2 from Management Studio.
What is the scenario?
A three-layer application (BUSINESS, DATA and PRESENTATION) which, because it is a client-server application, accesses data through a Windows service that launches a console application; that application instantiates a class that encapsulates data access and registers it on the server so it can be accessed through .NET Remoting.
It operates properly: I can access data and execute everything correctly. After each data access, I finish with the Connection.Close() method.
The problem is that despite using Connection.Close() the connections do not die and are all in state SLEEPING, and there comes a time when no more can accumulate and SQL SERVER rejects the connection attempt because the limit of the POOL was reached.
Even if I close the main application, the connections are maintained, but if I close the application that instantiates the object, all connections are closed.
Has anyone been in a similar situation? Any suggestions?
Are you disposing the connection objects?
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Hello, thanks for the answer. Yes, I'm closing the connection every time I use it, in the finally block of try...catch.
The results are the same.
No, not Closing. Are you calling Dispose on the connection objects?
Are you creating a new Connection object on every request, executing your query, and then Disposing the connection??
Or are you opening a connection at the start of your application and leaving it open the entire time your app is running?
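The per-request pattern asked about above, as an added example in C# (not code from the thread or its posters); "connStr" is assumed, "For_Login" is the stored procedure named earlier on this page, and the last method is a way to check from code what sp_who2 shows by hand. Idle pooled connections appear in sp_who2 as SLEEPING / AWAITING COMMAND, so the question is whether they are being returned to the pool, not whether they are visible.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the thread's own code. connStr is assumed; For_Login is the
// stored procedure used earlier in this page.
public static class LoginData
{
    // One short-lived connection per call. "using" disposes (which also closes) the
    // connection, command and reader on every path, including exceptions, so the
    // physical connection always goes back to the pool and the pool limit holds.
    public static int MatchingRows(string connStr, string userId, byte[] pwHash)
    {
        using (SqlConnection con = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand("For_Login", con))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@User_Id", SqlDbType.NVarChar, 50).Value = userId;
            cmd.Parameters.Add("@Password", SqlDbType.VarBinary, 64).Value = pwHash;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                int rows = 0;
                while (reader.Read()) rows++;
                return rows;
            }
        }
    }

    // Check: count this application's sessions on the server, the same rows sp_who2
    // lists. program_name is the "Application Name" from the connection string
    // (SqlClient's default is ".Net SqlClient Data Provider").
    public static int ServerSessionCount(string connStr, string appName)
    {
        const string sql =
            "SELECT COUNT(*) FROM sys.dm_exec_sessions WHERE program_name = @app";
        using (SqlConnection con = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@app", SqlDbType.NVarChar, 128).Value = appName;
            con.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Call ServerSessionCount before and after a burst of MatchingRows calls: with the using pattern the count settles at the pool's steady size instead of growing by one per query.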
Hi. I'm only calling the connection's Close method, not disposing the object. I will try it and let you know if that works. Thanks.
Hi again, I've implemented the Dispose method on the connection object and it seems to be the solution: first close, then dispose.
I also made some changes: before, the Windows service started a mini app that registered the remote object in a TCP channel; now the Windows service does all the work and no extra app is needed, so the solution could be either one of those changes or a combination.
Anyway, thanks!
Juan Topo wrote: The results are the same.
Ehr.. no, it ain't
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
You can take the help of a system administrator to access it remotely.
Sankarsan Parida
Hello. I'd like to learn C# and ASP.Net as a beginner with the aim to become a professional one day and hopefully start a career.
My question is do you recommend I use Visual Studio Online Basic or Visual Studio Express 2013? Or is there not much difference for a beginner like me?
My PC OS is Windows 7 64-bit.
Best Regards, Adam.
I'd recommend the Express-version; Visual Studio really benefits from being a "rich client".
The biggest difference will be the architecture in the applications one writes; are you primarily interested in developing Web-applications, Windows-applications or targeting "devices"?
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Many thanks for the feedback. I'm interested in developing both Web-applications using ASP.Net and Windows-applications using C#.
I'd recommend focussing on one of the two; also, IIRC, only one of the Express versions can be installed at a time.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
adamhill9 wrote: this web page suggests both Express versions can be installed
You're right, multiple sites suggest so. Good one.
Some additional resources from Microsoft that might be handy:
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Great stuff, thanks for those links; they will be a great place to start.