How to secure web application???

Hi,



Imagine the following: I want to secure an intranet web site (with all users having windows domain accounts) in a way that only users of the domain should be allowed to log in. I therefore set

<authentication mode="Windows" />

in the web.config. This point done :-)

I now want to prevent users from starting anywhere in the application (by modifying the URL) but instead let them all start on a defined page (let it be default.aspx if you want). How can I do this?

I now want to connect to a SQL Server 2000. I would like to use ONE (for connection pooling) defined domain account for accessing SQL Server with integrated security. How can this be done? I don't want to use the ASPNET user as I imagine using different users for different applications. Does anybody know how this can be done?

How do you like this approach? What else would you recommend for making the application MORE secure? Installing a certificate using SSL for communication is what I'd expect but what other ideas do you have?



Thank you a lot in advance!!
Best regards

Daniel Walzenbach

P.S. If you need to contact me simply remove ".NOSPAM" from my email address.

Nov 17 '05 #1
For everybody else interested in this topic, get a grip on the following MSDN articles:
http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/
http://msdn.microsoft.com/msdnmag/is...2/default.aspx

Nov 17 '05 #2
On Sun, 2 Nov 2003 00:21:49 +0100, "Daniel Walzenbach"
<da**********************@freudenberg.de> wrote:

I now want to prevent users from starting anywhere in the application (by modifying the URL) but instead let them all start on a defined page (let it be default.aspx if you want). How can I do this?


You would add an entry to the global.asax file in the SessionStart
event. Check the current page; if it is not the page you want it to be,
redirect them to the proper page.

Mike
Nov 17 '05 #3
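
The redirect suggested in the reply above, written out as an added example that is not code from the thread; the class name `Global`, the session key `EnteredAt` and the landing page name are assumptions.

```csharp
// Global.asax.cs - added illustration, not code from the thread.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumed landing page, relative to the application root.
    private const string StartPage = "default.aspx";

    // Raised on the first request of a new session. Session state must be
    // enabled for the application, otherwise this handler never runs.
    protected void Session_Start(object sender, EventArgs e)
    {
        // Build the absolute virtual path, e.g. "/intranet/default.aspx".
        string root = Request.ApplicationPath;
        if (!root.EndsWith("/"))
        {
            root += "/";
        }
        string start = root + StartPage;

        // Store a marker so the session is in use from this request on.
        Session["EnteredAt"] = DateTime.Now;

        // Compare case-insensitively: IIS virtual paths ignore case.
        if (String.Compare(Request.Path, start, true) != 0)
        {
            // Any other entry URL is sent to the landing page.
            Response.Redirect(start, true);
        }

        // This only steers the first request of a session. Once the session
        // exists, every URL the user is authorized for still loads when it
        // is typed directly, so per-page restrictions belong in the
        // <authorization> rules of web.config, not in this handler.
    }
}
```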
Hi Daniel,

Since you want all users to start from a particular web form, it sounds like
Forms authentication in ASP.NET. You can take a look at the following article to see
if it is what you want:

HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
Using C# .NET
http://support.microsoft.com/default...;EN-US;Q301240

Regarding the problem of connecting to SQL Server with a particular account, I
think you may consider impersonation in ASP.NET. All requests to the web form
will be impersonated as a particular Windows account:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default...;EN-US;Q306158

Hope this helps,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 17 '05 #4
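
A way to check which account actually reaches SQL Server once impersonation is configured, as an added example that is not code from the thread. It assumes the fixed-account form of the `<identity>` element in web.config; `DOMAIN\svc_app`, `SQLHOST`, `AppDb` and the class name `IdentityCheck` are placeholders.

```csharp
// IdentityCheck.cs - added illustration, not code from the thread.
// Assumed web.config entry (fixed-account impersonation):
//   <identity impersonate="true" userName="DOMAIN\svc_app" password="..." />
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class IdentityCheck
{
    // Integrated security: no SQL login or password in the connection string.
    // Server and database names are placeholders.
    private const string ConnStr =
        "Server=SQLHOST;Database=AppDb;Integrated Security=SSPI;";

    public static string Describe(HttpContext ctx)
    {
        // Domain user authenticated by <authentication mode="Windows" />.
        string caller = ctx.User.Identity.Name;

        // Windows account the request thread is running as right now.
        string runningAs = WindowsIdentity.GetCurrent().Name;

        // Login that SQL Server sees for this connection.
        string sqlLogin;
        using (SqlConnection conn = new SqlConnection(ConnStr))
        {
            conn.Open();
            SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn);
            sqlLogin = Convert.ToString(cmd.ExecuteScalar());
        }

        // Expected with the fixed account: caller changes per user, while
        // thread and sql both show DOMAIN\svc_app, so all requests share
        // one connection pool.
        return "caller=" + caller + "; thread=" + runningAs + "; sql=" + sqlLogin;
    }
}
```

With `<identity impersonate="true" />` and no userName, the thread runs as each calling user instead, which gives one connection pool per user rather than one shared pool. The fixed-account form keeps the password in web.config, so read access to that file needs to be restricted.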
Thanks to both of you. I'll give it a try as soon as I can.

Cheers
Daniel

Nov 17 '05 #5
