I am currently using HttpContext.Session.SetString() to store some data accross webpages. Is this method safe to store sensitive data such as page access limitation data and etc ? Or is there a much safer method that I can securely store this data?
The best way to do this in asp.net core is using .NET Identity module.
Related
we have two projects in asp.net web form and asp.net core. we are planned to integrate these with session(in one domain).
my search showed in .net core only method for outproc are sql server and Redis. It seems not to be supported state server in .net core. is that right?
we were tested sql server session state but donot work right, asp.net core save session data in table with name SQLState but in asp.net save session data ASPStateTempSessions. thus session cannot be share between them.
have everybody a full sample for share Session object between ASP.NET (4.6 or higher) and ASP.NET CORE?
There's more to this than just the store. You're correct that ASP.NET Core does not support State Server (at least out of the box), so you will likely need to move to something like SQL Server or Redis, regardless.
However, the bigger issue is encryption/decryption. ASP.NET and ASP.NET Core employ entirely different methods of cryptography. ASP.NET uses a "machine key", where as ASP.NET Core use data protection providers and a key ring. Even assuming a shared session store, unless you get them speaking in the same language here, you won't be able to decrypt what was set by one from the other.
In that regard, though, you might be out of luck. ASP.NET MVC 5 supports OWIN and the data protection infrastructure in ASP.NET Core is OWIN compatible, so if you set up your ASP.NET app to utilize data protection providers and you share the same session store, key ring store, and application name, then they can view each other's cookies. However, I don't think Web Forms participates in this, even if you embed them in an MVC 5 app. As such, there's probably no way to share the session store between the two. Still, you can give it a go, I suppose. The worst that can happen is that it won't work, and you're right back where you are now. The ASP.NET Core docs cover how to set everything up.
I don't know if it's possible. ASP Web Form and ASP Net Core have different architecture.
Alternatively, if you want to have shared resources between projects, you could create web service for both.
For example. If you want to have Cross-Domain and Cross-Platform Single-sign-on, you could do this scenario:
All of the projects would need to authenticate to www.sso.com to check the login between apps.
We need Authenticate web service to check the shared authentication. And we could share other data for all authenticated users.
Here is a detailed explanation and sample project:
https://www.codeproject.com/Articles/114484/Single-Sign-On-SSO-for-cross-domain-ASP-NET-appl-2
I have two applications, one in asp.net and the other in asp.net core. I want to share a common database, as well as the same login. Ie, a user can register via asp.net application, and then their identity will be shared with asp.net core application.
Is this possible? I notice that each have their own identity models, and I am looking for a way of sharing this, ie. some documentation to resolve this.
Looking for:
- Is this possible?
- Documentation and more information on implementation (how to)
I am resolving by use of Identity Server, which both applications will hook into. Will just take a bit of re-jigging.
I am writing a new web site and am looking at Asp.Net Identity 2.0. Out of the box, it uses Entity Framework for all of its data access. For the rest of the site, we were creating middleware web services for data access. Our original plan for security sake was that the web servers would talk to middleware and middleware would talk to the database via Entity Framework. We had planned on blocking via firewall database access from the web server.
I see that I can create a custom provider for Identity 2.0 and it in turn could use middleware for it's data access.
Here are my questions:
Is it more secure to not allow the web servers to have direct database access?
If it is more secure, why would Microsoft not build it that way out of the box
If you were starting from scratch like we are, would you recommend using entity framework or writing a custom provider that goes through our middleware layer?
Thanks.
1.) It can be secure. I don't see it as a security issue but coupling issue. What if you want to upgrade or change from Entity Framework in the future? What if you want to change from Identity 2.0? What if you want to upgrade one but you can't because the other doesn't support it yet.
2.) Microsoft wanted to promote it products first and foremost. For simplicity sake if your ok with Entity Framework and Identity 2.0 and don't mind how coupled they are it could be perfectly fine solution.
3.) How much time/effort can you afford to spend on the custom provider? It might not be worth the effort to create your own provider.
Asp.NET Identity out-of-the-box is actually Asp.Net Identity on Entity Framework. It generates a database, connection string, the model files, the controllers and a context class for you, which you can redirect to your own database for it to generate the Identity tables within. Everything is very secure, and they've taken care of a lot of the authentication/password hashing for you. I wouldn't say it is worth it to create your own provider, but you can also create your own provider within Identity if you want. Identity 2.0 is great. Very easy to add custom table properties, etc.
I want to create a Rich Internet Application in Silverlight. One of the requirements is that the back-end of the application should work with different database providers (SQLServer, PostgreSQL, Oracle).
I'm planning to use Entity Data Model to represent database objects and Domain Services to expose these objects to the client.
The problem is that I don't have a clue if the same data model can be used with different database providers and how sophisticated that would be to change the provider without recreating all the model.
I want the application to be reusable on different environments, so that i can import the same database schema to any existing database, change the provider in the ASP.NET web application and that's it.
Is it doable? Or maybe there are other ways to achieve similar functionality? Thanks in advance for any suggestions.
I would like advising you to look through existing Entity Framework Best Practices
We are using ASP.Net Membership provider for user management module in our WPF based application. It seems to be working fine. But now we want to localize our WPF application, and don't know how to do that with respect to the data stored as part of Membership Provider. Is Localization supported by Membership Provider ? Is so, any input on this would be of great help.
Regards,
Smitha
That depends on what sort of data do you store in with the provider that needs to be localized and how you tie it to the UI.
For pre-determined values you can use resources, and then pull out the required string from a resource.
For user-generated stuff (such as usernames and other stuff like that) I don't think you want to localize that.