Re: how to make session secure? - ASP.NET Discussion Boards

Hi Anil Pal,

Thanks for replying. You mean to say that it is already secured. Is there any chance that when the username and passwords are passed from one page to another through session, they can be leaked or something like that.

cheers,
sneha

Hi thats correct, they are secure. Bcz session is on server side.

So u can use session to hold the Username and password.

Regards
Anil Pal

Hi,

I got it.Thanks for your assistance.
Looking forward for your suggestions in future.

cheers,
sneha

sneha Choudhary wrote:
. Is there any chance that when the username and passwords

Wondering why you are keeping password in session? Are you storing the password as plain text in DB?

Navaneeth

How to use google | Ask smart questions

Hi,

N a v a n e e t h wrote:
Are you storing the password as plain text in DB?

Yes It is stored as clear text. What should I do. Should I encrypt it.
Please suggest me..

cheers,
sneha

sneha Choudhary wrote:
Should I encrypt it

Hash it. Passwords stored as plain text is not secure. Better method is to hash the password and store the computed hash in database. When user enters password for authentication, has it and compare the hash with the value stored in DB. System.Security.Cryptography[^] got many classes to work with. Check SHA[^] implementation.

Smile | :)

Navaneeth

How to use google | Ask smart questions

Hi,

Thanks a lot. I will definitely do like that. My heartiest thanks to you.

cheers,
sneha

N a v a n e e t h wrote:
Hash it. Passwords stored as plain text is not secure. Better method is to hash the password and store the computed hash in database. When user enters password for authentication, has it and compare the hash with the value stored in DB. System.Security.Cryptography[^] got many classes to work with. Check SHA[^] implementation.

Hi,
As you suggested I did it but login is not working. I did like this.

protected void Button1_Click(object sender, EventArgs e)
{
    string pwd = Txtpassword.Text.Trim();
    string hashpwd = FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "SHA1");
    //SqlConnection con = new SqlConnection("Server=.; Database=eclsc; Trusted_Connection=yes");
    SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["newcon"].ConnectionString);
    SqlCommand cmd = new SqlCommand();
    cmd.Connection = con;
    cmd.CommandText = "Select userid,username,password,first_name from USERS where username=@username and password=@password";

    cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = Txtusername.Text.Trim();
    cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = hashpwd;

    try
    {
        cmd.Connection.Open();
        SqlDataReader rdr = cmd.ExecuteReader();
        while(rdr.Read())
        {
            //string x = (rdr["password"]).ToString();
            uid = (rdr["userid"]).ToString();
            fname = (rdr["first_name"]).ToString();
            uname = (rdr["username"]).ToString();
            Session["uname"] = uname;
            Session["userid"] = uid;
            if (uname != null)
            {
                //Change the Session called "Logged" value into "Yes"
                Session["Logged"] = "Yes";

                //Store the Username in one of the Sessions, so it can be used later
                Session["User"] = fname;

                //Redirect to the requested page
                //If there is no requested page, then it will be redirected to the Default.aspx WebForm
                Label6.Text = (Session["URL"]).ToString();
                Response.Redirect(Label6.Text);
            }
            else
            {

            }
        }
    }
    catch (SqlException se)
    {
        Lblmsg.Text = se.Message;
    }
    catch (Exception ee)
    {
        Lblmsg.Text = ee.Message;
    }
    finally
    {
        cmd.Connection.Close();
    }
}

PLease assist me..

cheers,
sneha

Is your server is local for application or remote. You can use sql encryption for encrypt the password while saving and decrypt same key of sql. (If server is local).

The way u r doing, i think is not good. Where is your key for encryption and decryption?

Regards
Anil Pal

anilpal wrote:
Is your server is local for application or remote.

Hi Anil Pal,

My server is local.I am little bit confused in that. Can I ask you few things.

1.When I used this hashed technique with a setting in web.config like
<sessionstate mode="InProc" cookieless="AutoDetect" regenerateexpiredsessionid="true" timeout="30">

It is working fine. But when I changed the cookieless="UseUri" It is not working.why?

2. Can you please tell me the pros and cons of using Sql encryption techniques and hased technique.

cheers,
sneha

Hi Senha,

Please have look for encryption and decryption from code behind:

http://www.codeproject.com/script/Forums/View.aspx?fid=12076&msg=2941892

have posted for querystring but u can use same for yr need.

Tommarrow i'll let know the pros and cons abt code and sql encryption.
Now i have to go home.

Regards
Anil Pal

Sorry above link is working ,pls go through below code

Follow the below steps: I am posting with small exmaple

A.Code in sender page of uery string
1.string strID = "A0123456789";
2. Response.Redirect("../Search/DocumentSearch.aspx?ID=" + Encrypt(strID));
3.public string Encrypt(string strValue)
{
string encryptedResult = String.Empty;

string passPhrase = "Pas5pr@se";
string saltValue = "s@1tValue";
string hashAlgorithm = "SHA1";
int passwordIterations = 2;
string initVector = "@1B2c3D4e5F6g7H8";
int keySize = 256;

byte[] initVectorBytes;
initVectorBytes = Encoding.ASCII.GetBytes(initVector);
byte[] saltValueBytes;
saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
byte[] plainTextBytes;
plainTextBytes = Encoding.UTF8.GetBytes(strValue);
PasswordDeriveBytes password;
password = new PasswordDeriveBytes(passPhrase, saltValueBytes, hashAlgorithm, passwordIterations);
byte[] keyBytes;
keyBytes = password.GetBytes((keySize / 8));

RijndaelManaged symmetricKey;
symmetricKey = new RijndaelManaged();
symmetricKey.Mode = CipherMode.CBC;
ICryptoTransform encryptor;
encryptor = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes);

MemoryStream memoryStream;
memoryStream = new MemoryStream();

CryptoStream cryptoStream;
cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write);

cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);

cryptoStream.FlushFinalBlock();

byte[] cipherTextBytes;
cipherTextBytes = memoryStream.ToArray();

memoryStream.Close();
cryptoStream.Close();

string cipherText;
cipherText = Convert.ToBase64String(cipherTextBytes);

return cipherText;
}

B. Code in receiver page of querystring
1.string strID = Request.QueryString["ID"].ToString();
string plainValue= Decrypt(strID);
2. public string Decrypt(string encryptedResult)
{

string passPhrase = "Pas5pr@se";
string saltValue = "s@1tValue";
string hashAlgorithm = "SHA1";
int passwordIterations = 2;
string initVector = "@1B2c3D4e5F6g7H8";
int keySize = 256;

byte[] initVectorBytes;
initVectorBytes = Encoding.ASCII.GetBytes(initVector);
byte[] saltValueBytes;
saltValueBytes = Encoding.ASCII.GetBytes(saltValue);

byte[] cipherTextBytes = new byte[encryptedResult.Length] ;
cipherTextBytes = Convert.FromBase64String(encryptedResult);

PasswordDeriveBytes password;
password = new PasswordDeriveBytes(passPhrase, saltValueBytes, hashAlgorithm, passwordIterations);
byte[] keyBytes;
keyBytes = password.GetBytes((keySize / 8));

RijndaelManaged symmetricKey;
symmetricKey = new RijndaelManaged();
symmetricKey.Mode = CipherMode.CBC;
ICryptoTransform decryptor;
decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes);

MemoryStream memoryStream;
memoryStream = new MemoryStream(cipherTextBytes);

CryptoStream cryptoStream;
cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read);
byte[] plainTextBytes= new byte [encryptedResult.Length ] ;
//object plainTextBytes;
int decryptedByteCount;
decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length);

memoryStream.Close();
cryptoStream.Close();
string plainText;
plainText = Encoding.UTF8.GetString(plainTextBytes, 0, decryptedByteCount);

return plainText;
}

Cheers!

Regards
Anil Pal

Hi Anil Pal,

anilpal wrote:
Tommarrow i'll let know the pros and cons abt code and sql encryption.
Now i have to go home.

Please tell me the benefits of using sql encryption over hashing the passwords in the database.

Actually in hashing there is no need of using the key in code.It is done automatically.

cheers,
sneha

N a v a n e e t h wrote:
Better method is to hash the password and store the computed hash in database.

Hi,

I hashed the passwords in the database.If I have this setting in web.config:

<sessionstate mode="InProc" cookieless="UseCookies" regenerateexpiredsessionid="true" timeout="30">

then only it is working. Whenever I change the cookieless="UseUri" it is not working.Please assist me.

cheers,
sneha

Hi all,

Can any one help me out How to run asp pages in .net application.. when i click a click in my aspx page it should redirect to .asp page..In my case what happening is when i click on the link in aspx page it is not giving any error message but IE progress bar dragging continuously and not opening the .asp page..

Please help me out..
Thanks in advance.

fttyhtrhyfytrytrysetyetytesystryrty

Hey, You simple need to create virtual directory for those ASP pages and then simply redirect on that.

Feel free to ask

Cheers!

Regards
Anil Pal

Hi anil,

i already created Virtual directory for this application.My asp.net pages are running properly, but only asp pages are not opening...

fttyhtrhyfytrytrysetyetytesystryrty

Hmm.. its seem that may be yr asp pages have problem. Can u try to excute asp pages from browser and test whether they are working fine or not.

Regards
Anil Pal

Hi friends,
I want to create drop down lists for all the rows of a gridview. But i dont want to use TemplateField because i want to give different id's for all drop downs. Can anybody help me please.

scarface

Hi friend,

Can u provide yr exact requirement, like why u need to give unique ID to all Dropdown list at server side. So that i can help u.

And what problem u have with TemplateField?

Regards
Anil Pal

Hi,
I am trying to create two sets of drop down lists in a gridview. If i change the index of the first drop down, the values of the corresponding drop down should change. I used event handler for the first drop down, but if i change the index of any one of the drop downs in the first set, all the values of second drop downs are getting changed.

scarface

Hi,

Now i understand yr problem. So the initialization of second set of dropdown list u can not stop, while changing of index of first set of drop down list.

So to maintain the state of the second dropdown set. First u need to take the state of all the dropdown list from second set and the again u need to set their state while changing the index of first one.

Now please let me know if you code for that or any query.

Regards
Anil Pal

Please have a look at my code:

<asp:GridView ID="grd" runat="server" OnRowDataBound="grd_RowDataBound">   
    
  
<Columns>    
  
  
<asp:TemplateField HeaderText="names">   
  
    
  
  
<ItemTemplate>  
  
    
  
  
<asp:DropDownList ID="name" runat="server" OnSelectedIndexChanged="onSelectChangeddl"></asp:DropDownList>  
  
    
  
</ItemTemplate>  
  
    
  
</asp:TemplateField>  
  
    
  
<asp:TemplateField HeaderText="age">   
  
    
  
<ItemTemplate>  
  
    
  
<asp:DropDownList ID="age" runat="server" AutoPostBack="true">   
  
    
  
</asp:DropDownList>  
  
    
  
  
</ItemTemplate>  
  
    
  
</asp:TemplateField>  
  
</Columns>  
  
    
  
</asp:GridView>

In c# code, i am trying to change the values of the second drop down list based on the value selected in the first. I am doing this as below:

foreach (GridViewRow row in grd.Rows)   
{   
DropDownList ddl1 = (DropDownList)row.FindControl("name");   
DropDownList ddl = (DropDownList)row.FindControl("age");   
  
  
if (ddl.SelectedValue.ToString() != "---Select---")   
  
{   
  
}   
  
else   
    
  
{   
  
ddl.Items.Clear();   
  
}   
  
    
  
SqlCommand SPComm = new SqlCommand("someStoredProcedure", myConn);   
  
SPComm.CommandType = CommandType.StoredProcedure;   
  
SqlParameter param = SPComm.Parameters.Add("@something", SqlDbType.NVarChar, 50);   
  
param.Value = something;   
  
dr = SPComm.ExecuteReader();  //dr is sqlDataReader   
  
int i = 0;   
  
while (dr.Read())   
  
{   
  
ddl.Items.Insert(i, dr.GetString(0));   
  
}   
  
dr.Close();   
  
ddl.Items.Insert(0, "---Select---");   
  
}

In the above code, all the values in the second drop down list are getting duplicated based on the selected index changed event handler of the first drop down list.

scarface

Hi,

I have gone through the your code.

int i = 0;
while (dr.Read())
{
ddl.Items.Insert(i, dr.GetString(0));

}
dr.Close();

In the above code where u increment the I . According to yr code there always i=0. Hence it replicate the value. Why u can not use Datatable or dataset. Howevere using of Collection of object is good choice.

Regards
Anil Pal

i have a task in which
have to rewrite url on post back
on grid view paging
url : ~/abc.aspx
on page index change
url: ~/abc.aspx/page1