I'm developing a open source project. This project is getting bigger and may fail and crash as normal, so I tought of doing a crash sender to get the errors (if the user wants) via email.
But, since it's a open source project hosted in a easy to access site, I can't just hardcode the login and password of my software's email.
Do you guys have any better way to send crash reports (without having
a proper site, I'm using Codeplex) or a easy way to hide any password?
Instead of sending the email from the client program, create a web service (WCF or Web API) that it can call to send an email. Your web service will handle generating the email and will contain the login details for the email provider.
If you wanted to take the idea one step further, then your web service can hook into a database where you record various details about the crash (such as Windows Version #, relevant environment variables or registry settings etc). That'd give you an easy way to keep track of your crashes over time.
Related
I have scoured the web looking for bits and pieces of a more comprehensive solution. I have been unsuccessful in my efforts, so I send up a call for help.
The problem:
I have a .Net/C# WebApp that uses windows integrated authentication. The application is a custom form application that allows users to submit requests. These requests are then routed to supervisors and other parties that will review and approve the requests.
For audit purposes, I must have each supervisor "Sign" the form. The easy solution - use the active browser session information. A user clicks the "approve" button and that information is logged into the database (ID and date/time). But the auditors don't like this solution. They view it as insecure. They want a separate challenge for credentials where users are forced to enter an ID and password (and very soon present a token/PIN combo in lieu of ID/password).
To satisfy this in an infopath version of this form, I used CredUIPromptForCredentials. That code (although written in C#) does not directly port to the new custom WebApplication. I did some digging and uncovered a number of resources on the newer CredUIPromptForWindowsCredentials:
How to show Windows Login Dialog?
Show Authentication dialog in C# for windows Vista/7
How to show authentication dialog in C# .Net 3.5 SP1
Windows Security Custom login validation
This is really in the spirit of what I'm trying to accomplish. With very few modifications to the code in the articles above (and borrowing from some code in my old InfoPath form), I was able to get a working system of prompting and testing.
I would be happy to share the existing code if anyone is interested, but it is VERY similar (nearly verbatim) to the existing code referenced above. The only difference is a separate isAuthenticated method that actually tests the credentials by instantiating a DirectoryEntry object and passing that object to a DirectorySearcher object to test if the credentials worked.
But no so fast. This code, as I said, works, but ONLY when I run in debug mode in Visual Studios 2012. If I visit the site by entering the address and click the button to "sign" the form, the site spins and never shows the security dialog. It's almost as if (and this is just my guess) the IIS settings that allow windows authentication are preventing the applications request to prompt for credentials. This is not the case when I run the site through the debugger.
Once I get past that barrier, I have to actually do some further testing to see if this code will support authentication with a PKI card. I am guessing it will since CredUI passes the prompting to windows to handle.
So here are the questions:
1) What could possibly be preventing the windows security window from popping up when the method is called through the IIS server VS running in Debug (localhost)?
2) Does anyone have any experience with implementing CredUIPromptForWindowsCredentials to work with PKI?
2a) If so, does CredUIPromptForWindowsCredentials actually support PKI without any additional code (assuming that the windows workstations are configured with all of the hardware, drivers, and middleware)?
Thanks in advance for any insight you can lend.
Phil S.
Looking your problem and as an old Auditor, may I recommend an detour to satisfy your auditing team? PKI is not the most safe thing around...
1) Provide a normal LOGIN/PASSWORD form, without any special instruction or Credentials (that could be frauded or stolen "on the fly"). Preferable, utilize HTTPS in this page.
2) Once the guy inform the data, pass a 2-Factor Authentication using SMS (INstant Message). The cost is really irrelevant (see Twilio to get some idea). Obviously, each guy, beyond his login/password, must have his phone within database.
3) This way you can ensure that the Supervisor is really the guy who had approved/sign the page.
It´s the safer mode and, because of it, Facebook, Google Mail and others are utilizing this method.
Sorry, I know I not answered you as you need, but it´s safer than your proposal.
Good luck!
I have a program that opens a web browser control and just displays a web page from our server. They can't navigate around or anything.
The users are not allowed to know the credentials required to login, so after some googling on how to log into a server I found this:
http://user_name:password#URL
This is 'hard coded' into the web browsers code. -It works fine.
HOWEVER: Some smart ass managed to grab the credentials by using WireShark which tracks all the packets sent from your machine.
Is there a way I can encrypt this so the users cannot find out?
I've tried other things like using POST but with the way the page was setup, it was proving extremely difficult to get working. -(Its an SSRS Report Manager webpage)
I forgot to include a link to this question: How to encrypt/decrypt the url in C#
^I cannot use this answer as I myself am not allowed to change any of the server setup!
Sorry if this is an awful question, I've tried searching around for the past few days but can't find anything that works.
Perhaps you could work around your issue with a layer of indirection - for example, you could create a simple MVC website that doesn't require any authentication (or indeed, requires some authentication that you fully control) and it is this site that actually makes the request to the SSRS page.
That way you can have full control over how you send authentication, and you need never worry about someone ever getting access to the actual SSRS system. Now if your solution requires the webpage to be interactive then I'm not sure this will work for you, but if it's just a static report, it might be the way to go.
i.e. your flow from the app would be
User logs into your app (or use Windows credentials, etc)
User clicks to request the SSRS page
Your app makes an HTTP request to your MVC application
Your MVC application makes the "real" HTTP request to SSRS (eg via HttpClient, etc) and dumps the result back to the caller (for example,it could write the SSRS response via #HTML.Raw in an MVC View) The credentials for SSRS will therefore never be sent by your app, so you don't need to worry about that problem any more...
Just a thought.
Incidentally, you could take a look here for the various options that SSRS allows for authentication; you may find some method that suits (for e.g Custom authentication) - I know you mentioned you can't change anything on the server so I'm just including it for posterity.
I want to be able to capture a email that gets sent via outlook and initiated from a browser mailto link so that I can save a copy back to my web application.
I can get buy with c#, I am currently building a web application using c# but would ideally like it to be possible to do from a php application without needing to rely on a specific web browser.
So far it seems that my best option will be to build an add-in for outlook that can detect the relevant flag and save a copy of the email once sent back to the application via a webservice connection.
I don't have a great deal of experience dealing with Office add-ins and am interested to know if I can pass custom information through the mailto link and then read it using the add-in when new message is started.
I also seem to have an issue where I don't have access to certain information while the email is being composed and don't have a reliable way to match that particular in-composition email to the email that gets saved in outbox then moved to inbox.
I am working with Visual Studio 2010 and Office 2010 at the moment.
You can't do this normally because when you supply a mailto link you're actually requesting the default mail program on the user's computer to send the mail. Because you don't know (and shouldn't be willing to know) which program this is you have no control over the mail sent.
One solution would be to have a special page in you web application in which your user can compose it's email. After composing you could supply this format to the SMTP server for delivery and you could store it wherever in your webapp you like. The point here is that you want to stay in control and having a mailto link will send the control over sending an email to a different program.
I have an application that sends an email to a user so that they may access a web form. In the email there is just a link to the start page of this form. Currently, I have the value for the form location hardcoded. Once the app is deployed I know it is in inetpub/wwwroot/appName, which results in a URL of serverip:appPort/appName.
What is the C# to get the serverip:appPort portion of the URL that I need?
I think that server.mappath() might work, but for some reason I can't get to the method even though I have the necessary references.
Note: I will be deploying this application on several different servers and really just don't want to have to hardcode the IP every time I re-deploy.
Try
HttpContext.Current.Request.ServerVariables("HTTP_HOST"), this should give you the host name.
this link will show you how to get all the keys you (may) need to get the port and application (if you don't already have them).
http://msdn.microsoft.com/en-us/library/system.web.httprequest.servervariables.aspx
I’ve been asked to integrate a windows form application with SagePay to take payments directly from the application. The SagePay documentation talks about ASP.NET so I’m not sure whether this is possible. Has anyone integrated a WinForm application with SagePay before? Is it possible?
I know some payment processors have a connection option where the payment part is hosted on a form on their server. You could try embedding a web browser control into your app to display the payment page.
Usually there is another type of connection option where you can send your information via HttpWebRequest, but I'm not sure that this would work as it requires SSL. Since you are running your app as a desktop client, I'm not sure what you would have available.
I am not sure this is possible given that sagepay needs to redirect users to Mastercard securecode or Verified by Visa, I think they would need to redirect to the bank which then redirects back to a supplied URL. I would think this needs to be within a browser environment.
You can post to urls and get back a response via .net objects and parse the results to display on a form.
You can also ask SagePay to create a Vendor account with 3d secure switched off. This allows you to take payments in house in your winforms app without the customers password however most card vendors if you bypass 3d secure will not protect you if someone calls and uses a card fraudulently.
However it can definitely be done.
You can normally post to secure servers from non secure pages so again this isn't usually an issue.