If you control a site with ASP.NET MVC, can the viewers see the MVC code? - asp.net

...or is it safe to stick for example user data and passwords into the models?

The viewers can't see the MVC code as what they see is the generated HTML not the aspx pages or code behind.
However, it's never a good idea to store user data and passwords in the models. This should be stored in a database and the passwords should never be stored in plain text.

No, they can't see the MVC code but you still need to ensure that the site and server are secure whether the user credentials are stored in a database, the code, or in text files in a private store.

Users won't see your server-side code. So yes, it is safe to put secret stuff in your models. But I guess you would be better off storing information like that in a database?

The user can never see what is executing on the server unless you explicitly write it out, e.g. through the Html helper.

Related

Is there any way to run code on the client in ASP.NET?

As the title says, how would I go about doing this? I want to check a value stored in a file.
This is impossible and has nothing to do with ASP.NET. The browser is responsible for rendering the page to the client, and browsers, for obvious reasons (security), don't have access to the user's file system. The only thing a browser can do is read cookies (essentially text files) sent to the user from the same domain the website belongs to.
HTML5 has a new feature called local storage but you still won't be able to access ANY file on the user's computer.
Using Javascript with ASP.Net applications can work quite well, I've done it for a couple of sites I've done. If you just want to run some code on the client when a checkbox is ticked for instance, try this...
replace the myFunction() portion out with whatever client side code you want to write.
If you're unfamiliar with JavaScript as a language, check this out... http://www.w3schools.com/js/default.asp
You can do that using ActiveX control or SilverLight
Some are saying it's not possible, and that is true for the Internet. However, I have done this before on an Intranet system. The server knew the user's computer name and could access a local configuration file, no ActiveX, no Silverlight.

How to prevent users from manipulating html content "badly" and posting it back to server?

I have not found the same as or related to my question above.
If it is already asked, please let me know, I will delete mine.
I am learning asp.net mvc 2.
After downloading the rendered page, the visitors have a chance to manipulate the html contents ILLEGALLY and submit it back to the server. In MVC, how can I avoid this issue?
You cannot prevent anything on the user side. Therefore you must ensure that the server reacts correctly to manipulated input.
Note that the automatic model binding is tricky: both over- and under-posting can cause trouble.
This is an excellent post on that topic: http://bradwilson.typepad.com/blog/2010/01/input-validation-vs-model-validation-in-aspnet-mvc.html
Take all the efforts you can to validate the user input at the server. MVC offers the AntiForgeryToken which helps verify that the page being posted back is the correct page but as with any client-side verification, it's not foolproof.
You can't do anything about this.
Use the mantra "never trust anything from your users" and validate everything on server side.
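The over-/under-posting point made in the answers above, shown as an added ASP.NET MVC 2 example (not code from the thread). Account, EditProfileInput and the in-memory Repository are hypothetical stand-ins; the vulnerable action is kept beside the hardened one for contrast.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
// Hypothetical entity: IsAdmin must never be settable from a form post.
public class Account
{
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}
// Edit-only view model: the default binder can only populate what is declared here.
public class EditProfileInput
{
    [Required, StringLength(100)]
    public string Email { get; set; }
}
public static class Repository            // hypothetical persistence stand-in
{
    private static readonly Dictionary<string, Account> Store = new Dictionary<string, Account>();
    public static Account GetByName(string name) { Account a; return Store.TryGetValue(name, out a) ? a : null; }
    public static void Save(Account a) { Store[a.Name] = a; }
}
public class ProfileController : Controller
{
    // Over-posting: a crafted POST such as Name=alice&Email=x&IsAdmin=true is bound as-is,
    // because the entity itself is the binding target and every property is fair game.
    [HttpPost]
    public ActionResult EditUnsafe(Account posted)
    {
        Repository.Save(posted);
        return RedirectToAction("Index");
    }
    // Hardened: anti-forgery token, a whitelist view model, server-side validation, and the
    // entity comes from the authenticated identity rather than from the form.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(EditProfileInput input)
    {
        if (!ModelState.IsValid)            // under-posting: a missing Email fails [Required]
            return View(input);
        Account current = Repository.GetByName(User.Identity.Name);
        if (current == null) return new HttpUnauthorizedResult();
        current.Email = input.Email;        // copy only the fields the user may change
        Repository.Save(current);
        return RedirectToAction("Index");
    }
}
```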

ASP3 And ASP.NET session sharing

Is there a way to share the session between ASP3 And ASP.NET?
Thanks
Despite all of Microsoft's best efforts to make ASP and ASP.NET coexist effortlessly, one area remains a stumbling block... session state. Fortunately the advantages of ASP.NET's upgraded session state management far outweigh the inconvenience of not being able to pass "Classic" session information to .NET. Unfortunately there is no simple solution; the most I can offer is an easy to implement workaround.
In trying to find a suitable resolution, I've come across two good options that are worth mentioning. The first involves parsing the session information out to hidden form fields on a "Classic" intermediate page and then submitting the page to a .NET intermediate page that loads the form fields into the session state. This is a good, simple solution, however it doesn't work both ways. In .NET you cannot specify the page that you submit to. Each page has to PostBack to itself.
The second option is probably closer to an actual solution than to a workaround. Billy Yuen at Microsoft has developed an effective solution. The code is elegant, the integration appears to be seamless, but I couldn't get it to work on my system (remember I said that there was no simple solution, not that there was no solution at all). If this solution works for you, great! You won't need my code and you'll be happily passing session information from "Classic" to .NET like it's going out of vogue, thanks for stopping by.
Ok, if you're still reading let me briefly describe the workaround I've created. It requires a database, but it is not important which type of database (though the code is written for SQL Server). When a page (source page) wants to redirect to another page (destination page) that uses a different version of ASP, it calls an intermediate page. The source intermediate page takes each session variable and adds it to the database along with a Globally Unique ID (GUID). Since "Classic" and .NET use different SessionID formats it is not possible to use SessionID, hence the use of a GUID. The source intermediate page then passes the GUID to the destination intermediate page through a Querystring variable. The destination intermediate page retrieves the session information from the database, cleans up after itself, and then redirects to the destination page. It's similar to the first workaround, but supports transferring state in both directions.
Code Usage
Installation
Run the SQL Query in "ASPSessionState.sql" on the database which will hold the temporary Session information.
Copy the .asp and .aspx.* (SessionTransfer.aspx and SessionTransfer.aspx.cs) files to a folder on your website.
Update connection object information in the "SessionTransfer.asp" and "SessionTransfer.aspx.cs" files. It is located in three places in each file (sorry about not consolidating the connection info).
Compile the aspx files.
The .asp and .aspx.* files must all reside in the same folder to work.
Usage
For use in a Hyperlink (Anchor Tag) or a Response.Redirect, set the destination URL to be one of the following:
From a ASP "Classic" page:
SessionTransfer.asp?dir=2aspx&url=<asp_dotnet_url>
From an ASP.NET page:
SessionTransfer.aspx?dir=2asp&url=<asp_classic_url>
The code will transfer the Session information and Redirect the user to the url specified by <asp_dotnet_url> or <asp_classic_url>.
Download
You can download the code from here: session_transfer.zip (4.6 KB).
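The destination-side intermediate page described in the answer above, as an added example rather than the zip's own code. It assumes a table ASPSessionState(TransferId uniqueidentifier, Name nvarchar, Value nvarchar), a query-string key "id" for the GUID and .NET 4 for Guid.TryParse; the table columns and the "id" key are assumptions, since the answer does not give them.

```csharp
using System;
using System.Data.SqlClient;
using System.Web.UI;
// Hypothetical hardened SessionTransfer.aspx.cs (destination role only): the GUID in the
// query string is a bearer token for the whole copied session, so it is validated, consumed
// once, and the attacker-controlled "url" parameter is restricted to this site.
public partial class SessionTransfer : Page
{
    // Assumed connection string (the original keeps it inline in three places).
    private const string ConnStr = "Server=.;Database=AppDb;Integrated Security=true";
    protected void Page_Load(object sender, EventArgs e)
    {
        Guid transferId;
        string target = Request.QueryString["url"];
        // Reject anything that is not a well-formed GUID before it touches SQL.
        if (!Guid.TryParse(Request.QueryString["id"], out transferId) || !IsLocalUrl(target))
        {
            Response.StatusCode = 400; Response.End(); return;
        }
        using (var conn = new SqlConnection(ConnStr))
        {
            conn.Open();
            using (var tx = conn.BeginTransaction())
            {
                var read = new SqlCommand("SELECT Name, Value FROM ASPSessionState WHERE TransferId = @id", conn, tx);
                read.Parameters.AddWithValue("@id", transferId);
                using (var rdr = read.ExecuteReader())
                    while (rdr.Read()) Session[rdr.GetString(0)] = rdr.GetString(1);
                // Single use: delete in the same transaction so a GUID that lands in a proxy or
                // web server log (query strings usually do) cannot be replayed later.
                var del = new SqlCommand("DELETE FROM ASPSessionState WHERE TransferId = @id", conn, tx);
                del.Parameters.AddWithValue("@id", transferId);
                del.ExecuteNonQuery();
                tx.Commit();
            }
        }
        Response.Redirect(target, false);
    }
    // Accepts only site-relative paths: "/a/b.asp" yes; "//evil", "\\evil", "http://evil" no.
    internal static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

The Classic ASP side of the transfer (SessionTransfer.asp) is not shown; it would write the rows and redirect with the freshly generated GUID.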
You could take a look at NSession; it allows sharing session state between Classic ASP and ASP.NET using State Server. Pretty easy to set up: just configure the app to use State Server for session and register a couple of dll files.

How to parse PropertyName PropertyValue data?

Two web applications I'm working with are using the ASP.NET membership and each have areas for user information which use this Property name/value storage method in the database.
Here is an example:
PropertyNameValues
publicEmail:S:0:19:yahooIM:S:19:0:timezone:S:19:2:commonName:S:21:4:birthdate:S:25:81:signatureFormatted:S:106:0:gender:S:106:1:fontsize:S:107:1:signature:S:108:0:dateFormat:S:108:15:enableEmoticons:S:123:4:webLog:S:127:0:enablePostPreviewPopup:S:127:5:location:S:132:12:bio:S:144:0:webAddress:S:144:0:interests:S:144:0:icqIM:S:144:0:aolIM:S:144:0:language:S:144:5:occupation:S:149:0:msnIM:S:149:0:
PropertyValues
someemailhere#here.com-6Asia<?xml version="1.0" encoding="utf-16"?>
<dateTime>0001-01-01T00:00:00</dateTime>20ddd, MMM d yyyyTrueFalseTest Testing-US
I can see the gist of how it works, name values show at what length in the property value string to begin grabbing and when to end - but is there an existing function to split these apart into an array or something?
Thanks!
How this works depends on if you are using a "web site" or a "web application" project type. If you are using a regular asp.net web site project, you will have a dynamically generated Profile object you can use to fetch user properties from.
If your application is MVC or a Web Application Project though, you will have to make your own profile object. I recommend you grab the web profile builder. This tool creates the ProfileCommon object that is needed to get at the profile data.
In general, I personally have found through repeated exposure that the Profile provider system supplied in asp.net is quite dreadful for storing actual user information (the kind of stuff you are using it for). The profile provider mechanism is great for stuff like user preferences (stuff usually called personalization) such as "always show details" or "I prefer the green background". The reason is that the profile system only makes the profile data easily accessible within the request of the one user. If you have admin tools that need to read from multiple users' profiles, you will find that performance will quickly degenerate, and getting at the profile data is actually quite difficult.
For these reasons, I recommend that you consider not using the profile system for the kind of data you are storing there. You will be a lot better off rolling your own tables and objects to store and fetch this particular kind of info. But if you never need to access the data for more than one user at a time, the built-in profile stuff is alright.
It looks like you're referring to the ASP.NET Profile system.
Within the code-behind of an aspx page, just use Profile.publicEmail, Profile.yahooIM, etc. There's an automatically generated class that parses that out for you. See the linked article for more details.
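For the case the first answer calls difficult (admin tools reading other users' rows outside their request, where the generated Profile class is unavailable), here is an added hand parser for the PropertyNames / PropertyValuesString pair; it is not code from the thread or from ASP.NET. The entry layout name:S|B:start:length: follows the question's sample; the demo row is constructed, not the question's data.

```csharp
using System;
using System.Collections.Generic;
public static class ProfileBlob
{
    // 'S' entries are character slices of PropertyValuesString; 'B' entries point into
    // PropertyValuesBinary and are skipped here.
    public static Dictionary<string, string> Parse(string names, string values)
    {
        var result = new Dictionary<string, string>();
        string[] t = names.Split(':');
        // Four tokens per entry; the trailing ':' leaves one empty token that the bound skips.
        for (int i = 0; i + 3 < t.Length; i += 4)
        {
            string name = t[i], kind = t[i + 1];
            int start, length;
            if (!int.TryParse(t[i + 2], out start) || !int.TryParse(t[i + 3], out length))
                throw new FormatException("Bad offset/length for property '" + name + "'.");
            if (kind != "S") continue;
            // Bounds check: a corrupted or hand-edited row must not blow up inside Substring
            // or silently read another property's characters.
            if (start < 0 || length < 0 || start + length > values.Length)
                throw new FormatException("Property '" + name + "' lies outside PropertyValuesString.");
            result[name] = values.Substring(start, length);
        }
        return result;
    }
    // Constructed sample in the same shape as the question's row (publicEmail, timezone,
    // an empty bio, and a binary-backed avatar that the parser skips).
    public static Dictionary<string, string> Demo()
    {
        const string names = "publicEmail:S:0:15:timezone:S:15:2:bio:S:17:0:avatar:B:0:128:";
        const string values = "bob@example.org-6";
        return Parse(names, values);
    }
}
```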

What is the Credentials Element in an ASP.NET Forms Authentication section?

I noticed that a forms authentication element has an optional child element called Credentials.
MSDN Online explains what it is, here.
That said, I don't understand what it would be used for? So I can add in a username and password (either clear/md5/sha1) to the config file... but how/when is it used?
Is that an example of hard-coding in a username/password to be used with forms auth, instead of having a database? If so, is there any code behind? What happens if you also have a database with users/passwords?
cheers :)
You're exactly right... hard-coded username/passwords. That's it in a nutshell. Only time I've actually used it is on a project where we wanted to work on some code that required authentication, but didn't have the real mechanism wired in. It's just a placeholder for real authentication so far as I'm concerned.
MSDN seems to agree, given the warning note at the top of the docs you link to. You can use it side-by-side with a DB, but why bother?
