I was wondering if it is even possible to interact with other websites using my own.
Here is the scenario:
Lets say I have a Lockerz account, which is a place where you do daily tasks to earn points. Once a month you can redeem those points to get prizes such as an ipod, macbook, or other items. I know that sounds rediculous, but stay with me.
For someone to gain membership to this website they must be invited by a member. So I get your email address then log in to my account, then send you an invite from there.
What I want to do is create a website where a user enters their email into a textbox and presses a submit button. From there the program, behind the scenes, sends my login information, and the users email address to lockerz and sends the invite. All without ever leaving my site.
I have worked with ASP.NET with VB codebehind for a while now, so I understand the basics of that. I am just wondering if what i want to do is even possible. If so, can someone redirect me to a tutorial or guide of some kind that will give me a basic knowledge on this.
Thanks
You'll have to work down at the HTTP level, sending POST and GET requests.
Fortunately, .NET has the WebRequest and WebClient classes to help you.
WebClient would probably be your best starting point... But I would hang on a second.
Websites like this tend to employ some pretty intense fraud-protection. Banning, blocking or at least ignoring actions when multiple accounts use one IP, or otherwise do things in a predictable pattern.
WebClient isn't going to load up the JavaScript either so you might you can't access required parts of the page.
Either way, you don't need to do this on your webserver - I'd start off by writing it initial connect code locally as a simple script. It'll make testing it a lot faster.
Related
How to restrict the page by accessing only one user at a time. Using asp.net can i use global.asax, is there any other way to restrict, if one user accessing the page, another user not able to access that page. we have to give message that one user is accessing the page. is it possible. can you help me or give some reference.
Although there are probably many better ways of dealing with this sort of problem, I'm going to assume that you do actually need this.
What I would do:
Make your application so that when the page is loaded(when it isn't "locked"), it logs to a database that the page was loaded and "lock" it. In the actual page, I'd have some kind of AJAX to constantly poll the web server every 5-15 seconds to tell your application the user is still on the page. And then make it so that the page becomes unlocked after 5-15 seconds from the time saved to the database by the last AJAX call.
Again, I really suspect that there is a better way around an issue like this, but this is a direct answer to your question
Based on this:
yeah sure, jupaol, it is depend on accounts, in my web application, one report has to approve only one user, but the approve authority having two users. if both of them accessing the same page and approve at a time, it will big mess. here i an not using database.
The problem is related with concurrency, there are several ways to face an issue like this, for example the easiest one is to use optimistic concurrency. Even when you are not using a database for this, you can emulate it.
You should be storing the result of the approvers somewhere, in order to mark the report as approved, with this in mind you should be able to do something like this:
Before render the page get the latest report status
If the report has not been approved, render normally
If the report was approved seconds before, render it in read-only mode reporting who approved it (or similar approach)
Add a validation to your ChangeStatus method, in this method do the following:
Get the latest status of the current report
If the report is still not validated, then block the thread (you could use a Mutex or similar) and mark the report as validate it
If the report was already validate it, raise a domain exception and handle it in your page correctly (perhaps render the page in read-only mode explaining that the report was already validate it)
If you want a more responsive application, (RIA), you might want to consider the following approaches:
Perhaps this would be the worst approach but it's still an option, you could keep a log tracking when a user request your page, then in subsequent requests check if the log is still valid, if it is not, then redirect to another page indicating the page is in use, otherwise allow access to the page. I believe this is an error-prone approach because you would be relying on this simple validation in order to prevent an inconsistency in your system, besides you would have the polling problem described in the following approach
Using AJAX to poll data from a service checking if the report has been approved. Perhaps this is the easiest way to accomplish this but it is not recommended it, because you would be polling your server constantly, and eventually you would have scalability problems
You could use Comet to get notified to the browser (client) whenever a server event has occurred, in this case when your report has been approved. The problem with this approach is that you have to keep an opened connection with the server in order to get notified.
The last approach and the most recommended these days is to use Web Sockets, this is the technology used in StackOverflow to get notifications in real time.
We have a security problem here and we really need your help and inputs. We have a website with a backend system where admins can login and update the frontend. Our good friends tried to hack into the backend using SQL injection onto our login page and they succeeded and could create a users with admin access. The website is written in ASP.NET in C#.
We are thinking to remove the login page from public IP or add 2 layers protection ( IIS ip restriction and IP access list by program).
How can we do this in IIS and in the program? Please help since I am new to all these security things.
We distribute this website on a web garden consists of 3 servers so they share local/private ips of xx.xxx.x.x
How do I implement this in my code to grand access to just a list of IPs or a group of IPs?
Thanks so much in advance,
Simplecode
Just to go a little further down this rabbit hole.
First, sanitize your inputs and use parameterized queries. Just fix your code. This is the most important thing you should be working on right now.
Second, moving the login page doesn't fix the problem. If there are other pages within your site that are accessible, then I'm sure you have other sql injection issues. See #1 above.
Third, I bet you are exposed to all manner of other things like XSS. Take a little bit and learn what they are. Then spend some time retraining yourself to code in a defensive way. A hint: validate EVERYTHING. If you expect a number, only accept a number. If you expect a short string, don't allow javascript to be embedded in it.
One mantra to keep in mind is to only trust the browser, the users, and even the system admins as far as you absolutely have to. Which is to say build your site in such a way that you don't have to trust them at all.
Most companies have no idea what threats they are faced with. A hint: external threats or only part of it. Internal threats are usually far worse. I say this simply because you are asking a question which attempts to paste over exactly one part of the problem and ignores everything else.
I recently spoke with a company that claimed they had security down pat. Prior to the meeting I went to their website and noticed that they had a document id in all of their URLs. The id was a simple int. In a few minutes of spare time I wrote an app that started at doc id 1 and iterated until the server stopped giving data. There was a fair number of documents I should never have been able to see. Being a good samaritan, I told them about this.
The point of that tale is that sql injection, xss, etc isn't everything. Security through obscurity is another fail entirely.
I build ASP.NET websites (hosted under IIS 6 usually, often with SQL Server backends and forms authentication).
Clients sometimes ask if I can check whether there are people currently browsing (and/or whether there are users currently logged in to) their website at a given moment, usually so the can safely do a deployment (they want a hotfix, for example).
I know the web is basically stateless so I can't be sure whether someone has closed the browser window, but I imagine there'd be some count of not-yet-timed-out sessions or something, and surely logged-in-users...
Is there a standard and/or easy way to check this?
Jakob's answer is correct but does rely on installing and configuring the Membership features.
A crude but simple way of tracking users online would be to store a counter in the Application object. This counter could be incremented/decremented upon their sessions starting and ending. There's an example of this on the MSDN website:
Session-State Events (MSDN Library)
Because the default Session Timeout is 20 minutes the accuracy of this method isn't guaranteed (but then that applies to any web application due to the stateless and disconnected nature of HTTP).
I know this is a pretty old question, but I figured I'd chime in. Why not use Google Analytics and view their real time dashboard? It will require minor code modifications (i.e. a single script import) and will do everything you're looking for...
You may be looking for the Membership.GetNumberOfUsersOnline method, although I'm not sure how reliable it is.
Sessions, suggested by other users, are a basic way of doing things, but are not too reliable. They can also work well in some circumstances, but not in others.
For example, if users are downloading large files or watching videos or listening to the podcasts, they may stay on the same page for hours (unless the requests to the binary data are tracked by ASP.NET too), but are still using your website.
Thus, my suggestion is to use the server logs to detect if the website is currently used by many people. It gives you the ability to:
See what sort of requests are done. It's quite easy to detect humans and crawlers, and with some experience, it's also possible to see if the human is currently doing something critical (such as writing a comment on a website, editing a document, or typing her credit card number and ordering something) or not (such as browsing).
See who is doing those requests. For example, if Google is crawling your website, it is a very bad idea to go offline, unless the search rating doesn't matter for you. On the other hand, if a bot is trying for two hours to crack your website by doing requests to different pages, you can go offline for sure.
Note: if a website has some critical areas (for example, writing this long answer, I would be angry if Stack Overflow goes offline in a few seconds just before I submit my answer), you can also send regular AJAX requests to the server while the user stays on the page. Of course, you must be careful when implementing such feature, and take in account that it will increase the bandwidth used, and will not work if the user has JavaScript disabled).
You can run command netstat and see how many active connection exist to your website ports.
Default port for http is *:80.
Default port for https is *:443.
I am using DotNetOpenAuth in my ASP.Net Website. I have modified it to work with Facebook Connect as well, using the same methods and database structures. Now I have come across a problem.
I have added a Facebook Connect button to a login page. From that HTML button, I have to somehow pull information from the Facebook Connect connection and pass it into a method to authenticate the user. The way I am currently doing this is by:
Calling a Javascript Function on the onlogin function of the FBML/HTML Facebook Connect button.
The javascript function calls a Web service to login, which it does correctly.
The web service calls my data access layer to login.
And here is the problem: FormsAuthentication.SetAuthCookie is set at the data access layer. The Cookie is beyond the scope of the user's page and therefore is not set in the browser.
This means that the user is authenticated, but the user's browser is never notified.
So, I need to figure out if this is a bad way of doing what I need or if there is a better way to accomplish what I need. I am just not sure and have been trying to find answers for hours. Any help you have would be great.
Yes, it sounds like you are having a design crisis brought on by trying to do too much at one time/in one place.
If you break this operation up in to two calls from the client you will find your options opening up quite a bit. It might take some more work but ultimately the code will be less complex. <-- a good thing.
And in my opinion, the first clue pointing to a crisis of design would be when I said to myself "Self, having an authentication method buried two calls deep in my DAL is not working the way I would like...." lol.... I am joking and serious same time.
Good luck.
we have some application that this is vital to prevent users from opening multiple tabs/windows per session on the website ?
Edit:
The reason is that those pages communicate with flash and we cannot know on server side whether the user has two windows open or not.
Of course you can suggest to make those changes in application design so it will use Flash Media Server as "token generator" but we cannot allow ourselves to change the infrastructure without good reason because it can take months
This is a bad idea - you are restricting how the user expects their browser to behave.
Don't do it.
The only way I could think of to reliably do such would be to have a session that kept track of a token which was updated each time a page was requested - links on the served page would all include the token, and when a page was loaded using that token, a new token would be generated (in essence, only allowing any page's links to be valid for a single use). However, this would break things like the Back button and whatnot, and thus isn't a very good solution.
What is so important that you have this requirement in the first place? Is there any way you could re-think your interface so as to avoid such?
If limiting the user to 1 interface at a time is vital to the app, you should consider writing it as a desktop application instead of a web application.