Passing a database value to a front-end querystring - asp.net

This may be a simple question, but I'm trying to call a a value from table in my back-end SQL Server database and pass it through a querystring in the URL. For example:
I'm building a mobile web site that registers a mobile device to an account on the sign up page. After the database entry is created, I want the to get the generated deviceId from the database and pass it to a querystring in the URL such as: http://www.mobilewebsite.com?dId=22
Is this easily possible, or is it even the best solution for what I'm trying to accomplish?

Wouldn't something more unique to the device be more appropriate? Such as it's ESN?
Why not generate a GUID on the device and simply submit that. That way, no round trip to the database is required.

Related

How to make secure ajax call using asp.net?

I am new to ajax, In my website, I am calling Ajax, it will pass parameter and it will retrieve records from database based on parameter.
But I can see the complete url link on Inspect Element's network tab like below
Employee.aspx?userid=45
I check this stack overflow link. I didn't get clear idea about it.
In some website they mention we can you Token,Authenticate the user,use cookies. But I don't understand how to use those things on my ajax code
The answer for this is not fixed it based on which approach you follow. The stack overflow link you provided pointing out the same thing about the link issue which you have right now. Any ways following are some possible approaches you can follow in order to prevent your URL visibility to end users
1. Make use of unique keys/alias/ids
In order to prevent your table's primary key to be directly revealed to the end user from the devtools you can have a user key column in your user table which have some random 4-6 digit unique code per user so to identify each of them and use these keys to communicate through URL or service calls instead of primary key itself. Same can be applied to any tables. Some people prefer username alias used in the URLs like employee name "John Marshal" can have URL like Employee.aspx?username=john-marshal
2. Token based on authentication or Cookies
This is where some learning is required. The basic idea behind it is the service which is called based on the URL will only be served to the authentic user which have the token or the cookie already present at the user's end. So in that way the call won't reveal any data it will simply return "403 Forbidden" or "401 Unauthorized" HTTP responses. And such URL will only exist on the pages which are accessible by authentic user. It means until and unless the user is logged in they can't get data from such URLs.
Still there are many ways to achieve this but these are all approaches which can be considered; you totally can't secure the requested URL its the approach which can.
Hope it helps

ASP.Net Core 2(.1.2) - Save user data without having to trust the client

I'm currently working with ASP.Net Core 2.1.2 and I can't find a solution for my problem.
Currently I'm building a controlpanel together with Angular 5.
The data for a user is stored in a MySQL database.
To have access to the controlpanel you have to login - and the server will load some data. Important is the admin-level (1-?) - some actions are only allowed for admins with atleast a level.
For the authentication I'm using JWTBearer, which gets sent by the client at every HTTP action as header. But in some methods I also want to check the admin-level.
Now where can I store data for the client, like his admin-level?
Is it safe to save it with a Claim? But then wouldn't it be possible for the client to modify it clientside and send a "custom" header?
I also tried to put the data in a dictionary and use the (HttpContext.)User (of type ClaimsPrinciple) as the key, but that won't work because User is always different at every Request.
Is there any safe way to store the data for a User?
You can safely store your admin-level information in a Claim, unless you're worried that someone can read it. It's not possible to modify a Claim in JWT, because its value is signed by key which only you should know and after the modification this token will be invalid. Read this article to get more information about JWT

Simple temporary authentication without a username or password

I need to add some authorization/authentication logic to an existing web form. Essentially, a user will enter their email address, then I check that email address against an existing database, and if it exists I send an email to that address containing an activation link to the web application. Once the user clicks that link, I want their client to be considered "authorized" for a short amount of time (like their browser session, for instance). They can then access certain pages until their authentication expires.
This would be extremely easy to do using custom ASP.NET forms authentication, but after doing some research there seems to be many more options today in terms of authorization/authentication. Things like ASP.NET Identity 2, Katana/OWIN, and more, it is getting to be quite overwhelming.
I'm looking for suggestions on the simplest way to currently implement something like this in an MVC4 application. I should be able to upgrade the application to MVC5 if necessary.
This is essentially the same process most password resets use, so you can pretty much approach it the same way:
Create a table to track these "authentications". You pretty much just need a column for the token, a column for a datetime, a column for a boolean. The datetime can either track the creation date and time of the token, which you'd then use in your code to calculate if it's too old based on your desired time frame, or you can track the expire date and time of the token and then simply check in your code if that expire date has passed or not. The boolean would track whether the email address has been confirmed, via having followed the link with token in the email you send out.
In your initial form, you collect the email address and combine this with a salt and one-way encryption to produce a token. You send the email with a link that includes that token. Save the token and the appropriate datetime value in your table.
On the page the user goes to after clicking the link, you use the token from the URL to lookup the matching row in your table, check the date value, and set the boolean to true for confirmed. Then, store the token in Session.
On each subsequent request, check 1) there's a token in Session and 2) that that token is still valid (lookup it up in the database and check the datetime and confirmed status). If the token doesn't exist or is no longer good, delete the row, remove the token from Session, and redirect the user to the original email address collection form. Otherwise, allow the user to view whatever content is there.
The simplest way, is to have a database table for the users, and do checking for user authentication and if it's use FormsAuthentication.RedirectFromLoginPage, The identity framework gives you more options for security and encryption also for group and role management.
http://msdn.microsoft.com/en-us/library/ka5ffkce(v=vs.110).aspx

Prevent Password being sent over HTTP GET

I have come across a strange requirement during Security Review where I have to prevent username and password is being sent over HTTP GET in asp.net web forms.
Scenario is like this.
We have simple asp.net login form with user name, password and Submit button(POST method). During security review, the security tester changes the Form method to GET using some proxy tool(Burp Suite),then the user name and password is sent over as query string.
GET /Login.aspx?_LASTFOCUS=&_EVENTTARGET=&_EVENTARGUMENT=&_VIEWSTATE=''&_SCROLLPOSITIONX=0&_SCROLLPOSITIONY=0&__EVENTVALIDATION=%2FwEWCgKm973fCgKOieLQt9kH6PhK0wq%2FpfP8pXG%2FF&%24txtUser=abc#abc.com&txtPassword=1233&%24btnLogin=Login
As per the security testing team the GET (form method changed to GET using proxy tool) method should not pass the user password in query string.(as per my understanding GET will always pass value as query string even if it is password field)
An easy way to acheive what you need is to speficy server side to only look at the posted values server side and ignore the query string items, for example by using
Request.Form["foo"]
Instead of
Request["foo"]
Or
Request.QueryString["foo"]
There is no security reason for this, really you just want to be using SSL.

posting data using sql query

I'm implementing a SMS verification system. this system is provided by a third party company. it can be done by using both GET and POST. that both works perfectly.
Using get:
http://srviceprovider.com/sms.aspx?text=SomeText&To=ReceiverPhoneNumber&from=SenderPhoneNumber&username=MyUserName&Password=MyPassword
that is simply giving out my credentials
and the second way the provider show in its example is:
Post using:
Response.Write();
this looks better than the first one. but still one can access the username and password. I was wondering if there is a way to post data from server (not client side) and may be using sql queries.
Use SSL communication. Google it.
You should not be sending or even storing plain passwords in your database. It must be encrypted everwhere using some encryption algotithm like SHA. For eg. Password abc will be encrypted and saved as 123. Password can be encrypted at the client side itself and then sent to the server. Even if anyone sees the password value (123) in the string or in the database table he would not be able to use it in the password box because the encrypted value of 123 will be something else like xyz.
Read more about SHA algorithms and you will yourself get to know everything.
Cheers and all the best !
As per my understanding you wish to post to a webserver but not from your client side. You can make use of WebRequest class (at server side) to post data to the 3rd party's web server. Futher if you wish to make the entire process aynchronous you can make use of Win Services/WCF Services to post data on some web server. Here you will first just update the fields/flags in the db tables using queries fired from the client side. Next your win/wcf service will pick those records from the tables, form the required query and finally will POST it on some web server. For more information on WebRequest class you can go through this link.

Resources