Hi all,
I have not yet had to program anything requiring SSL, so can someone please advise. I am developing three sites that are subsidiaries of each other and all have their own domains, not sub domains of one site.
If admin logs in to one site to content manage or user logs into one site to view account, can they then go to one of the other 2 sites and still be logged in, or is there an issue?
Can a single sign-on work across multiple top level domains? (I have never tried this either)
Also can I get a certificate that will cover 3 different domains? All the ones I have seen are wildcard, being multiple subdomains of a domain on one server.
I have looked into partially securing an application using SSL and it looks cumbersome, is the overhead of securing the entire site noticeable?
The information being stored is personal information like a user profile, no credit card information will be handled at all.
Personal information can be quite sensitive, so should I bother with SSL or not?
What is the standard?
All the 3 domains will be on the one server.
A user's account in this instance has the same 'core attributes' then each of the other 2 domains adds more information and functionality to the core account information.
Regards,
g00fy
|
Hi all,
I have a database that is in a DMZ. To be able to access the DB easily I was planning to create a web service that does all the DB access so that it can be used via a WinForm app over the internet.
My intention was to pass a SQLCommand to the WebService but apparently this is not Serializable so it doesn't work. I wanted to pass the SQLCommand to avoid having to put all the business knowledge in the webservice and to make it as dynamic as possible.
What is the best practice for such a problem?
All help is welcome !
Greetz,
Gette
|
Geert Verhoeven wrote: What is the best practice for such a problem?
Certainly not passing, essentially, raw SQL Queries. You might as well just expose your SQL Server on the internet if you are going to do that - Not wise in my opinion.
In my database there are stored procedures, these procedures are the only way into the database - I have shut off access to the tables directly to all but sysadmins and db_owners. The only way is via the stored procedure. The stored procedures know the business rules so they can veto anything daft that comes in that would potentially damage the database (either accidentally, or as part of a malicious attack).
I would suggest that the database should have some business intelligence in order that it can protect itself.
|
I agree partially with Colin. Allowing raw sql from the internet is effectively granting hackers full control to your database. But accessing data for your application through a narrow set of specially secured stored procedures isn't any better. I consider this a false sense of security.
Enforcing security in your application by applying additional security requirements does not make your application secure. If anything, it's worse because the surface of your application is wider. Any mistake in security requirements and the hackers are in. There are stored-procedures that can execute command-line scripts, register linked databases with external IP addresses -- how do you convince your boss / client that you've hardened everything? Your application should be secure by design.
The best practice is to expose your data as a service or "end-point". While you could use stored-procedures to access your data, it means that the client application has to know these values. This might be a valid approach if you only have to worry about a single client such as web-application, but if you have a win-form application, third party, console script or any other service-oriented application then this isn't very portable. Ideally, your client-application shouldn't have any details about where the data comes from.
This level of transparency is especially true for winforms applications. If you suddenly need to version or replace parts of your database you run the risk of compatibility problems with your client-applications, forcing you to redeploy a new version. If you don't control who installs your application, this means you have to version this complexity indefinitely! Ideally, if the client has no knowledge of the back-end implementation, you should be able to swap out or replace your back-end systems (i.e., move from a database to an xml file) without breaking that dependency on the client side.
Fundamentally, from a best-practice perspective, I see there are two approaches to exposing this data.
1) A "command" strategy. You create a single service that acts as a gateway into your database. You don't pass stored-procedures, you pass an object which represents a command. This still requires that your clients know the names or types of commands to execute, but it creates that transparency of the back-end that you need.
2) Data Access Layer as a Service. Create wrappers around all your stored-procedures to represent their line of business data functions. For example, a ProductGateway class would perform all product related database functions. If your application has additional security or session requirements, create wrappers around those classes to act as application functionality, such as a ProductManager, which speaks to the ProductGateway on your behalf.
|
stupiddumbguy wrote: I agree partially with Colin. Allowing raw sql from the internet is effectively granting hackers full control to your database. But accessing data for your application through a narrow set of specially secured stored procedures isn't any better. I consider this a false sense of security.
I never once said this was the be-all-and-end-all of SQL Security. It is only one part of defence against attack, and it was a single part that was in context with the original question asked. I, perhaps, did not explain that the access to the stored procedures was through the web service. The web service, as you explained, can "act as a gateway into your database."
stupiddumbguy wrote: Enforcing security in your application by applying additional security requirements does not make your application secure. If anything, it's worse because the surface of your application is wider.
Either I am missing something or I am misinterpreting what you are saying here. How does locking off access to tables, and views, widen the attack surface of the application?
|
Colin, you're absolutely right. This is only one of many different steps Geert should take to ensure he is able to expose his data as a web service without giving away the keys to the castle. I think what Geert was asking was to find the shortest route to expose the data, and your method is the most direct.
Perhaps I misunderstood your comment, but to clarify, I'm going to assume the worst so that I can illustrate two different approaches and their impact on security.
The first (what I assumed you meant), was to create a very generic web-service that allows Geert to call any stored-procedure of his willing. While there is some benefit that this is generic code that could be used in many different ways, this is also the biggest downfall of this approach. By allowing any stored procedure to be executed you can't predict which stored procedures will be executed. That's a pretty big hole which requires you to lock down every object in your database. My point was, that if you need to do this in order to make your application secure, then by design, this is not a secure design. We as modern application designers should strive to write secure code and not be dependent on the infrastructure configuration to save us.
The second approach (my recommendation) was to abstract the details of the stored procedure away from the client application. Under this design, the web-service exposes some general input parameters but its implementation does the stored-procedure logic for you. This has a smaller security surface because you're not exposing the database directly to the caller.
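Colin's point (the database only reachable through stored procedures) and stupiddumbguy's "command" strategy (the client sends a command object, never a SqlCommand) fit together in one small piece of code. The following C# sketch is an added example for this thread, not code from any of the posters: an ASMX web method takes a serializable DataCommand, looks its name up in a fixed whitelist that maps each command to one stored procedure and the parameters that procedure accepts, and rejects anything else. The command names, procedure names, parameter names and the "Gateway" connection-string name are assumptions invented for the example; it needs C# 3 / .NET 3.5 or later for the collection initializers.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

// What the WinForms client sends instead of a SqlCommand: a command name and
// named string arguments. Plain public fields so the ASMX XML serializer handles it.
public class CommandArgument
{
    public string Name;
    public string Value;
}

public class DataCommand
{
    public string Name;
    public CommandArgument[] Arguments;
}

// Server-side description of one permitted command: the stored procedure it
// maps to and the parameters that procedure accepts, with their SQL types.
public class CommandSpec
{
    public string Procedure;
    public Dictionary<string, SqlDbType> Parameters;
}

[WebService(Namespace = "http://example.invalid/datagateway")]
public class DataGateway : WebService
{
    // The whitelist. Every name in it is an assumption for this example; in a real
    // service it lists exactly the procedures the client is allowed to reach.
    private static readonly Dictionary<string, CommandSpec> Allowed =
        new Dictionary<string, CommandSpec>
        {
            { "GetCustomer", new CommandSpec {
                Procedure = "usp_GetCustomer",
                Parameters = new Dictionary<string, SqlDbType> { { "@CustomerId", SqlDbType.Int } } } },
            { "FindProducts", new CommandSpec {
                Procedure = "usp_FindProducts",
                Parameters = new Dictionary<string, SqlDbType> { { "@NameLike", SqlDbType.NVarChar } } } },
        };

    [WebMethod]
    public DataSet Execute(DataCommand command)
    {
        CommandSpec spec;
        if (command == null || command.Name == null || !Allowed.TryGetValue(command.Name, out spec))
        {
            // One generic message: the caller learns nothing about the schema.
            throw new ArgumentException("Unknown command");
        }

        // Connection string named "Gateway" in web.config (assumed name). The SQL
        // login it uses should hold EXECUTE on the listed procedures and nothing else.
        string connectionString = ConfigurationManager.ConnectionStrings["Gateway"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(spec.Procedure, conn))
        {
            // Always a stored procedure call, never CommandType.Text built from client input.
            cmd.CommandType = CommandType.StoredProcedure;

            foreach (CommandArgument arg in command.Arguments ?? new CommandArgument[0])
            {
                SqlDbType type;
                if (arg == null || arg.Name == null || !spec.Parameters.TryGetValue(arg.Name, out type))
                {
                    throw new ArgumentException("Unknown argument for command " + command.Name);
                }
                // Typed, bound parameter: the value is never concatenated into SQL text.
                cmd.Parameters.Add(arg.Name, type).Value = Coerce(arg.Value, type);
            }

            DataSet result = new DataSet();
            conn.Open();
            new SqlDataAdapter(cmd).Fill(result);
            return result;
        }
    }

    // Convert the client's string to the declared parameter type; a value that
    // does not parse is rejected here rather than handed to SQL Server.
    private static object Coerce(string value, SqlDbType type)
    {
        if (value == null) return DBNull.Value;
        switch (type)
        {
            case SqlDbType.Int: return int.Parse(value);
            case SqlDbType.NVarChar: return value;
            default: throw new ArgumentException("Unsupported parameter type " + type);
        }
    }
}
```

The WinForms client builds a DataCommand (for instance Name = "GetCustomer" with one argument "@CustomerId" = "42") and gets a DataSet back, so it never sees a procedure name or a connection string. The whitelist is the only thing that decides what can run, which is why the same gateway cannot be turned into the "call any stored procedure" service described in the first approach above.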
|
Why not use business objects at the webservices like DeKlarit (although you need to buy it), but some sort of ORM at the webservice, this will de-couple the database from the webservices to start with, then transfer datasets to and from the webservice. When you want something from the server call a function on the dataadapter interface (interfaces only required on client) let the web service fill the dataset then bind it at the client.
voilà
g00fy
|
Disable save as and print button of ie
kunal b padia
|
Why would you want to do that?
What irritates me is the half-assed attempts to disable things in the browser. For example, my company's intranet does not allow me to right-click on things. However I can press the context-menu button on the keyboard for the exact same effect.
|
Hear, hear.
It is almost as annoying as all that popup crap getting around.
g00fy
|
In ASP.NET 1.1, I am having a template checkbox column in a dynamically created datagrid. In order to maintain the viewstate, I initialize the datagrid in Page_Init itself and modify the datagrid through an Ajax function. The Ajax function will modify the enabled property of checkboxes. After the AJAX method is invoked, in the next Postback, I'm able to get the checked property of the checkbox from Viewstate but not able to get the enabled property from viewstate. But if I don't perform the Ajax modification, in postback I'm able to get both the enabled and checked property.
Kindly provide any idea regarding why the enabled property is not in viewstate after using the AJAX function.
Maha
|
I need a good host supporting ASP.NET 2.0 and MySQL 5.
Now, it's a jungle out there, and I'm afraid of choosing something crappy, hence me asking for your advice/recommendation. I'd much rather pay more for better quality.
So, what do you say?
|
Hi!
I have hosted my web site at www.discountasp.net. I strongly suggest you check the web site because they have outstanding services at affordable prices. I have had no problem with them at all.
JUNEYT
|
Hello folks, this is basically my first question. Help me out.
I have created a system running clock in JavaScript
and am able to display the value on the page by the document property...
by calling a function in a loop...
Can you tell me how to display this value in the textbox... the code is
Ish Kumar Kapila
|
Hi!
Because you haven't defined a name for the input box. Just define a name such as name="box1" and then use the ID with document.form.box1.value statement in the function.
|
Sorry buddy, it did not work... see the new code
<!--
<html>
<head>
<script>
function time()
{
var d=new Date()
var h=d.getHours()
var m=d.getMinutes()
var s=d.getSeconds()
var ms=d.getMilliseconds()
var w=document.getElementById('txt').innerHTML=h+":"+m+":"+s+":"+ms //check it
t=setTimeout('time()',50)
document.form.tb1.value=w // check it
}
</script>
</head>
<body onload="time()" >
<div id="txt"></div>
<input type="text" id="tb1" >
</body>
</html>
//-->
help me guys...
Ish Kumar Kapila
|
If you define a form object it can work out. After tag define a form object
|
Still nothing happened buddy. Is the problem so complex to solve..
Please try again ... thanks for the effort
<!--
<html>
<head>
<script type="text/javascript">
function time()
{
var d=new Date()
var h=d.getHours()
var m=d.getMinutes()
var s=d.getSeconds()
var ms=d.getMilliseconds()
document.getElementById('txt').innerHTML=h+":"+m+":"+s+":"+ms
t=setTimeout('time()',50)
document.tb1.value=t
}
</script>
</head>
<body onload="time()" >
<FORM name="form" method="POST"></FORM>
<div id="txt"></div>
<input type="text" id="tb1" ></input>
</body>
</html>
-->
try something new
Ish Kumar Kapila
|
Hi!
I just fixed the code for you. There were a few mistakes. Copy and paste the whole code below in to a page and then load the page. I have checked it and it is working...
<title>New Page 1</title>
<script type="text/javascript">
function time()
{
var d=new Date();
var h=d.getHours();
var m=d.getMinutes();
var s=d.getSeconds();
var ms=d.getMilliseconds();
var w=h+":"+m+":"+s+":"+ms;
document.getElementById('txt').innerHTML=w;
document.form.tbox.value=w; // the time string, not the timer id returned by setTimeout
t=setTimeout('time()',50);
}
</script>
<!-- markup reconstructed from the names the script uses; the post lost it -->
<body onload="time()">
<form name="form"><div id="txt"></div><input type="text" name="tbox"></form>
</body>
|
How can I enable debugging in a web service?
My client cannot access the service if I create it in wwwroot\folder\service... however it can access it at wwwroot\service. Can I get a logical reason for this?
B U
|
Hi, I have an aspx page containing 7 user controls. Now I have 5 actors in my app; against each user I have certain functions defined. Based on these functions I have to either make a control's visibility true/false or enable/disable a control, and the roles and the functions corresponding to them are defined in an xml file.
I am not able to figure out how to go about it; any help/suggestions are welcome.
|
This is a snippet from my page:
I need some javascript that can check if the id query string is in the action attribute, and if it is, remove it so the form element will look like this:
Thanks.
/\ |_ E X E GG
|
You can use a regular expression like /(\?|&)id=(.*?)(&|$)/ to check for the attribute and remove it.
|
COM Error Number: -2147467259 (0x80004005)
Line Number: 97
Column Number: -1
Brief Description: Method '~' of object '~' failed
Can anyone explain to me what the possible reasons could be?
This code is generated when the ASP application is run; a call to a specific file is causing the problem. A DLL is also used in these pages.
When this application is run with fewer than 5 hits it runs fine, but when the load increases to 10 the error is generated.