I'm trying to figure out the membership module in asp.net.
Currently i have a site that i have programmed on my computer, i'm using the asp.net membership and regestering users through the asp.net configureation. So all the data is on my computer.
Now i want to install the web site and all the users in the membership table to a hosting server.
I know i have to get the membership tables to that server, whats the best way to move the site to the server so all will work ?
Do i have to run aspnet_regsql on the server itself to make all the tables.
Is it better to program the site on the server from the beginning so i dont have to move the whole lot.
Can i access the ASP.NET Configuration when the site is on a hosting server ?
The best way to do it would be to make a backup of your database on your development computer and then restore it onto the hosted computer as your database. Your hosting company should give you a way to do this. By doing it that way you will be copying over all of the tables, procedures, and any other DB objects created by aspnet_regsql and any users or login information you already created.
The one change you will need to make is in you web.config file. The web.config file should have the connection string you are using to connect your website to the database and that will need to change so that it connects to your database at your hosting company. Check with the FAQ of your host and they will probably tell you what the connection string should be.
If your host is different than that please post who you are hosting with and what type of plan you have so we have some idea of what to look at.
Your comment about sharing code is a completely different topic. I think I can send you in the right direction though. Check out http://github.com or https://www.mercurial-scm.org/. git and Mercurial are both distributed version control. That is the best way to share code for remote teams (even non-remote). Then you would just push your code from your source control to your site whenever you want to make updates.
Related
I am developing a desktop app in c# using "entity framework database first approach" that is required to be highly secured i.e. no one can access its database without login into that application and no one can extract the data directly using database file. The database have 20 table. Although I Tried to encrypt the database but when the application will start i will have to decrypt the database file in order to connect and leave it decrypted until user tries to exit the application.
No offence, I am a noob to sql server and I want to create a highly secured sql server database for my c# desktop application that can only be opened by that application only. I know that there are two authentication model by which you can connect to a sql server i.e. windows authentication and mixed authentication. But i don't want my database to be opened using windows authentication.
Is there a way by which only one user can open the database with password?
if you used SQL compact the database server is only really there for your app, which is probably the closest, however it doesnt stop people taking the file and putting it into SQL express/server
Similarly: embedding sql express may help but again the files are still there.. and ..
If SQL is in an instance yes, you may control it with a username/password but anyone with admin rights to the instance can get in it.
You also would need to consider how they would backup the data
Yes. You can easily handle this.
Go to Security >> Logins and then create an user with password. You can also give him access to a specific database. You can specify the Server Role section.
Description of my problem sounds somewhat complicated, what makes me think that my approach is flawed, so I will also appreciate any better idea.
Short description:
Given connection string to MSSQL 2008 DB and website name deployed on IIS6, I want to verify programatically whether website is able to connect to database.
Long description:
I have MSSQL Server database, let's call it portal_db.
I have an application deployed on IIS6, called portal. I can access it by url http://localhost/portal . In Web.config file I specified connection string to my database, which look like: "server=(local)\SQLEXPRESS;trusted_connection=yes;database=portal_db"
Web application is accessing database using System.Data.SqlClient.SqlConnection, without any wrappers, ORMs, mappings, anything.
Website is configured to run in appool PortalAppPool. It's using ApplicationPoolIdentity as a security context.
It is not possible to easily modify web application code (particularly the way it accesses database)
When my web application tries to connect to database it either succeeds or fails, depending on whether user IIS APPPOOL\PortalAppPool is configured in MSSQL database. That's a part which I understand, but when deploying my app I often forget to create new user/login in db for apppool virtual account. So what I want to do, is to verify from separate, standalone, console app (preferably written in C#, but not necessarily), whether my web application can access database, in following way:
Read connection string from Web.config
Read app pool identity settings (managed to do this by Directory Services API)
Impersonate identity with credentials defined on app pool (using impersonation class I found here: http://platinumdogs.me/2008/10/30/net-c-impersonation-with-network-credentials/ which uses ideas found in many other places, including MSDN)
Open SqlConnection with connection string read from Web.config
It boils down to following snippet:
using (new Impersonator("IIS APPPOOL\\PortalAppPool", "", ""))
{
SqlConnection conn = new SqlConnection(databaseConnectString);
conn.Open();
}
Everything works very well, when my app pool security context is set to any other value than AppPoolIdentity - specific user, local system, etc. When I change credentials passed to Impersonator to my user's name and password, I get desired result (exception when I have no login mapping in database, and everything is OK when I add one). But I just seem to not be able to impersonate IIS APPPOOLS\PortalAppPool virtual account - just have no idea what parameters should be passed to LogonUser - I would not be surprised if it would not be even possible. Maybe I am focused on impersonation approach too much (I am using it to access registry keys and services of other users and it works good), and maybe there is some better way.
If you have any other, better ideas, or need some more explanation to this problem, please let me know.
I don't think you can impersonate a virtual account (IIS service account). They are special service accounts setup mainly for IIS security. They are for local services only and cannot be attached to any domains. Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
No password management is required.
The ability to access the network with a computer identity in a domain environment.
You cannot "Log into" a virtual account, they are used by windows for security purposes:
Some light reading if you have time:
This gives a brief overview of MSAs and Virtual Accounts
The differences between MSAs and Virtual Accounts
The dirty details on each and how to manage them
To solve your original problem, you could build an app that could do the same logic but check the sql server if it has the correct users setup instead of simply trying to login with the account.
I've put my site online and I'm looking to add/change user membership. From Visual Studio, I can access the Website Administration Tool WSAT and it's great if you just want to add users manually. Is there a similar way to change users once the site is hosted on a remote server?
For the moment, I change the user information through the WSAT and re-FTP the mdf file; it's pretty painful. Let me know if there's a better way.
Thanks.
I believe there are only two options.
If you have control of the server
you can enable access to the WSAT on
the server.
Code up your own little management system.
Here's a link that covers both in a little more depth. That link also references the 4guysfromrolla.com tutorial which, while dated, is still relevant.
I'm building a webapp that needs to interact with a Access Database. The Access database is about 200 megs and I don't want to upload the entire thing...just the contents of one table. So far, I've used Microsoft.Office.Interop.Access in the past on a desktop app but when I tried this on a webapp there is some cryptic permission issues on the web server(I think) that need to be ferreted out.
As far as I understand it I can
1 - upload the entire database and select the data
2 - I can use interop and figure out the permission issues
is there a 3 or 4 option?
Thanks guys.
The location of the access file doesn't matter as long as it is accessible local or through the network and the NETWORK account of the webserver (if it is a Win2K3 or higher server otherwise it's the ASP.NET account) has access to that location.
So no need to download or upload anything.
Also... the fact that your back-end is dealing with an access database shouldn't be visible or be of any concern to the client...
OTOH if you are looking for a solution to "manage a database through a web interface", then maybe it's better to look at something like this... (It's for sql server, but migrating from access to sql server isn't that big an issue ;-)
If you want to code it yourself, i think this post can come in handy.
No need to interop, just use an OleDbConnection with the right connectionstring.
I don't know if i understood your problem but maybe you could upload the table data using a CSV file, then parse every line and use a SQL query to INSERT this data the Access database.
I have a situation that users access remote MySQL server in C# application.
Basically,
A user using C# application on his/her desktop ->>>> connects to remote ->>>>>>>> [ REMOTE ]
How do I securely hide database connection detail?
I have few ideas, but I don't think they are safe.
Encrypt database connection data into a file and store it within application directory.
prompt login page and let a human enter username/password, then transfer database connection data to user's computer.
No matter what you do if the credentials end up in the application in cleartext you are vulnerable.
Either implement a service layer in front of the database or if direct connections are essential try and come up with a scheme that allows a unique databse account for each user and then authorise them appropriately on the database.
Generally, it's better to ask the user for the credentials so that each account can be enabled or disabled by the administrator. Barring that, there are APIs for encrypting all or part of the configuration file. Here's a sample article:
http://www.codeproject.com/KB/dotnet/EncryptingTheAppConfig.aspx
I would suggest some form of session management based on user credentials. This can be accomplished in many ways.
For instance, you may accomplish this by simply wrapping your database access with a back-end system. Your desktop clients are oblivious to the database and interact solely with the back-end system. Unfortunately, implementing this level of indirection is not trivial if you have to do it from scratch but it will certainly make your application more robust and flexible. WCF services can help accomplish this.