I am currently making an asp.net web application that can work in Eve Online in-game browser. This app is connected to a database so I wanted to encrypt the web.config file so that the password and username do not end up being in clear text.
I used this method to do so:
http://www.codedigest.com/Articles/ASPNET/242_Tips_for_Deploying_ASPNet_Application_in_Production.aspx
It works very well but there is a big problem. While the app runs in normal browsers such as IE or chrome, when I try to run in in-game browser I get an error. I made custom errors off for a bit and checked out where the error happens. The error seems to be directing the encryption tag in web.config. But since I cant reproduce this in any other browser I cant find a solution.
Then I try to run the app without encrypting the web.config file and it ran perfectly even in the in-game browser.
I contacted the developers about this issue and posted on their forums but I couldnt get an answer yet.
Also the app has to work in in-game browser because I can get various information with headers about client through in-game browser which I use as inputs in my app.
So my question here is since the database I use does not have any vital information(not even e-mails) just username and password for simple authentication, can I get away with not encrypting the web.config file?
Thanks.
Related
I have very strange problem. I use ZfcUser as authentication module. I made a lot of projects on lot of different environments using ZF3 and ZfcUser module. I have nevere experienced such kind of problem which I will explain bellow. In my current project I cant login into system on production server. I succesfuly log from local env, or other test environments.
I try to investigate whats going on. I went to login page on production, entered my credentials and system redirects me to home page. No errors, no warnings... notihnig. But I was not logged in. I check the identity from the framework (identity()) - it was null. I thought that may be it is server issue with the php sessions. I checked the sessions on server. It appears that the problem was not there.
The framework succesfully stored the data it needs in sessions. I found the Zend_Auth key, the identity key and the value for logged user. It seems that with php sessions everything is OK.
I am powerless and cant even think about what is going on here and where is the problem. No errors are thrown. I trace the execution of code on local and production environment. Everything is same. The frameworks seems to work properly. But the IDENTITY is allways null
Found the problem.
So, the site was runing under a subdomain. Let say sub.domain.tld. This site is different from main domain which is domain.tld. In the programm code, the favicon of application was requested form the domain.tld not from the sub.domain.tld.
As a result when you hit the http://sub.domain.tld the browser stores two PHPSESSID cookies. One under sub.domain and another under domain.tld which couses Chrome to messed up
Interesting is that, Firefox and IE didnt messed with the sessions and the site was working porperly. I dont say that Crhome is guilty. Obviously the programm code was cousing the problem. But Chrome recognize that one domain is sub domain of the other
Thats why, when I was trying to run project on different environments as local setup or different domain e.g. test.different-domain.tld, ther were again two PHPSESSID cookies set, but in this time Chrome didnt messed up with the sessions becouse test.different-domain.tld is not recognized as subdomain of domain.tld
Very small and silly mistake, but cousing big problems
We have a site on asp.net framework 2 (dashCommerce cms)
Month ago we noticed an error — one guy couldnt loggin from chrome on his own laptop. System didnt display any error messages, just redirected on main page in unauthorized state.
We couldnt reproduce the same issue on our computers in the same browser (btw it was chrome)
and decided that it had been connected with some undefinded local issue of that guy's laptop.
But then, i got the same issue on my computer. I couldnt login in the system in chrome. Other browsers worked excellent. And we could see the problem only on my computer. We tested the site on 5 different computers with exactly the same chrome version, and everybody could login excepting me.
It looked like asp.net authorized me successful (because if i entered wrong password i got a message about it) but chrome didnt accept cookies.
At this moment, i have that problem on my two computers, and i cant login using Chrome, IE and Opera. Only FF can login with no issues.
But other guys can easily login using such browser from them own computers.
We've been already spent almost two week puzzling our heads what the hell is going on. Nothing helps.
I noticed:
1. Even if i cant login, nevetheless the browser keeps the session — i can add few items in shopping cart and it wont be deleted. I can try to login, then check out the shopping cart and would see those added items.
If i change coockieless attribute to «Uri» then authorization worka fine, i can login using all sort of browsers, but in this case the site has terrible links, we cant allow it.
It makes me think that the problem is connected with a session but i cannt understand why i can login from another computer (the same browser, the same Windows7)
Does anybody has any ideas???
Could be related to page caching. You are logged in but receive a cached (not logged in) version of a page.
Try turning kernel mode caching off as a start.
And like Gregory said - capture your requests and see how it works. Pay special attention to set-cookie http headers.
forgot about this question.
We solved the problem: removed standard asp.net auth form and developed common form with manual processing of authorization.
I'm developing a web application in Visual Studio 2010 on Win 7, and now seem to have a new error that has just popped up. When I try to access the site which uses Windows Authentication, in Firefox, I get a 403 error, with no subcodes. Up until this poijnt, it has been working this way just fine. Firefox prompts me for my credentials, and I enter them and then I get the 403 error. No problems with it in IE, just Firefox.
I've checked the network-trusted-ntlm-automatic key in Firefox and deleted my session cookie, but still no luck. The problem seems to be limited only to Firefox.
If I set the app to be Anon access, it works with no problems, but the app needs to be Windows Auth.
I attempted Local IIS, but there wasn't an option for Windows Auth for the app on my local IIS, so that kind of removed that option for the time being.
Any ideas out there for how to get this working correctly again? I'll take answers that get me the Windows Auth option in my local IIS as well, because that would also fix the problem for me.
Check to make sure directory browsing is not enabled for the site. Also, make sure your default documents are setup so when you go to: http://www.yoursite.com/ (notice the slash at the end of the url) a default document is loaded. I have seen in some cases where IIS thinks you want to browse the directory rather than load a page. See if you still get the 403 error by going to a specific page.
I'm running windows 7, 64bit with IIS 6.1.
To turn on Windows Authentication, go to Control Panel -> Administrative tools and select IIS Manager.
In the left panel, expand Sites, Default Web Site, and select your Virtual Directory. You should see Asp.Net in the top panel and IIS in the middle. The first icon under the IIS section is Authentication, double click this. You can then disable annon and enable windows by selecting from the drop down list and clicking Enable / Disable from the actions on the right side of the page.
Hope this helps.
After some digging I finally found the answer, but it wasn't where I expected it.
I was digging through Event Viewer trying to figure out why I kept getting Account Lockout messages when trying to load the site with Firefox and did some searching came across an article that specified how to add multiple servers to the Firefox network.automatic-ntlm-auth.trusted-uris key in about:config.
I had specified:
http://host1; http://host2
and instead should have separated with commas
http://host1, http://host2
I changed it to commas and reloaded and it is now working correctly with the Windows Authentication in Firefox.
Hopefully someone else finds this particular fix useful. Small typo, big headache.
I'm developing an ASP.NET 4 webforms app on my Windows 7 PC. I'm running VS2010 and IIS7.5.
I have a weird problem where after a few page loads (anywhere from 1 to 20ish) I get NO response from IIS. I can't even hit a breakpoint in Application BeginRequest, I just get nothing. But, if I delete all cookies from the browser for the development domain, the website will load perfectly again for a few more requests.
This happens in all browsers I have installed (IE9, Firefox, Chrome, Safari, Opera).
However, if I deploy the app to our hosted server, all works fine.
Anyone had this issue before?
Many thanks for any help you can provide.
After the comments I add for reference here an answer.
This is an issue when you place too large cookie to the browser and browser can not handle them.
The reason that is play here, not play there maybe because of the data that you have type on it and save on cookies.
You can search for cookie limits on the internet and for different browsers. For ie for example http://support.microsoft.com/kb/306070
Try to keep the cookie size as low as you can.
From antmx
For reference, here is what I changed in web.config to fix this problem.
<roleManager cacheRolesInCookie="false" />
Note, though, that now a user's roles will be read from the database each time they're needed, which could cause a performance issue. (I am not think that there is any performance issue and is more secure this way)
When using Visual Studio's built in web server, every time I make a page request the standard login box pops up and asks for credentials. It doesn't work if I actually put in my credentials, so I just have to hit cancel 5 times so it will go away.
When I run the application through IIS (locally or on test server) it works just fine (no login box comes up).
Anyone know how to fix this or have any idea what might be causing it?
I assume you mean JavaScript alert box-looking login dialog, right? This dialog pops up when you make a request to a portion of website where anonymous access is disabled from IIS. It is different from ASP.NET authentication.
Do you have some portion of web site protected? Or are you making any HTTP request to external sites, like images and etc?
If your page looks ok after hitting cancel multiple times, it must be one of those HTTP request to protected file like images, css, js or whatever.
I'd look in Fiddler or Firebug to see if any request is failed when you hit cancel in that login dialog.
I'd also try clearing cache/authenticated session on the page that runs on IIS to see if it actually shows you that login dialog.
I had this same issue. However, my solution was different and the issue seemed different as well.
I had been working on a ASP.NET 2.0 web application, using VS 2008. Everything was working fine with the built-in IIS server. I hadn't opened this project for about a week and then when I chose "View in browser" in VS, I was prompted for my windows login creds. This project never did this before, so I was a bit baffled. I checked all the web.config settings and everything seemed fine. My project settings seemed correct as well. I decided to test the project by opening this same project in VS on a separate dev box on my network using a network path. I again chose "View in browser" and it worked fine. No logon prompt.
This told me that the issue wasn't with the actual web project itself, rather my dev environment. I checked all my browser settings as suggested above, and they were correct. I then compared my project settings while I had the same project (same physical files) opened in both dev boxes. I noticed a difference...
Under the Start Option in the Property Pages, the Web Server was set to use the Default Web server in both cases. However, on the box that was asking for my creds, the NTLM Authentication checkbox was selected. I unselected this and it resolved the issue.
I'm not sure how this was possible since I was opening the same project files, and would assume the project settings would be exactly the same. And the fact it was working fine a week ago really perplexed me. I chalked it up to an issue with VS 2008 on the box with the issue. I hope this helps anyone else that may be running into this issue.
This was because localhost was not in my trusted sites so it wouldn't do automatic NTLM authentication... I'm not sure why it was that way, but it was... adding localhost to the list fixed it.
In your project, there should be a vwd.webinfo file.
The following lines control authentication when debugging (in IISExpress). Set as follows to avoid all dialogs.
<VisualWebDeveloper>
<iisExpressSettings anonymousAuthentication="enabled" windowsAuthentication="disabled" useClassicPipelineMode="false"/>
</VisualWebDeveloper>
If windowsAuthentication="enabled" you may still get a dialog, even if anonymousAuthentication="enabled" :-)