Securing Your Logins With ASP.Net MVC

Part 1 – Securing Your Logins With ASP.Net MVC (This post)
Part 2 – Securing Web.API Requests With JSON Web Tokens

An architectural pattern that is becoming more popular is ASP.Net MVC with a Web.API layer serving a web front end built with angular.js or a similar technology: a kind of hybrid SPA with all the benefits that ASP.Net brings to the table.
This is a two-part primer running through what I do to secure logins to MVC applications. In part two I will expand on this post to cover how to secure the Web.API layer using the security built into ASP.Net.

If you ever go to a web site and cannot remember your password, you will most likely request a password reminder. If you get sent your current password in plain text, that is bad news: it means the site stores passwords in plain text (or reversibly encrypted, which is no better once the key is taken along with the database). If the site is breached, the attackers have those passwords, and because people tend to reuse the same password on multiple sites, they can compromise other sites you use as well. It is really important to salt and hash passwords before storing them in the database. The login then compares the hash computed from what the user typed against the stored hash, and the actual password never needs to be kept. Here I will go through the process in code.

As usual you will have a login screen asking for username (or email address) and password. I won’t go into the MVC/Razor side here, just the important code.

Take in the two form values

The LookupUser method on the SecurityService is where the magic happens

This method looks up the User from the database via a UserRepository and appends the salt to the password the user has provided. I explain salts and hashes in more detail a little later on; for now, the salt is a random value generated per account and stored with the user record, and the hash is a one-way digest of the salted password. The password-plus-salt string is then passed into the GetPasswordHashAndSalt method of the PasswordHash class.

The GetPasswordHashAndSalt method reads the string into a byte array, hashes it with SHA256 (hashing, not encryption: there is no key and the result cannot be reversed), and returns a string representation of it to the calling method. This is the hash of the salted password, which should be equal to the value stored in the database. On line xx the repository does another database look-up to get the User that matches both the email address and the hash value. One caveat before going further: SHA256 is a fast general-purpose hash, so an attacker who takes a copy of the users table can test billions of guesses per second per GPU even with the salts in play. A purpose-built password hash (PBKDF2 via Rfc2898DeriveBytes, bcrypt, scrypt or Argon2) with a work factor tuned to tens of milliseconds per hash makes the same attack orders of magnitude slower, and it is a drop-in change inside the method described here. OK, so how do we get those hashes and salts into the database in the first place? When a new user account is set up you need to generate a random salt like this:-

You then store the usual user details in the database along with the salt and the hashAndSalt value in place of the password. The salt does not need to be secret; its job is to make each account's hash unique. Because every account gets its own random salt, two users with the same password end up with different hashes, precomputed hash tables are useless, and an attacker who steals the table has to attack each account separately instead of cracking them all in one pass.
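The following is an added example, not the post's own SecurityService or PasswordHash code. It shows the create-and-verify flow with PBKDF2 in place of a single SHA256 pass while keeping the shape the post describes: look the user up, recompute the hash with the stored salt, compare. The User class and the findByEmail delegate are stand-ins for the post's User entity and UserRepository and are assumptions; the Rfc2898DeriveBytes overload that takes a HashAlgorithmName needs .NET Framework 4.7.2 or .NET Core, and the tuple syntax needs C# 7.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the post's PasswordHash/SecurityService code: a per-account
// random salt, PBKDF2-HMAC-SHA256 in place of a single SHA256 pass, and a
// constant-time comparison of the result.
public static class PasswordHasher
{
    const int SaltBytes = 16;        // 128-bit random salt per account
    const int HashBytes = 32;        // 256-bit derived key
    const int Iterations = 100_000;  // tune so one hash costs tens of ms on your server

    // At account creation: returns the two values stored in place of the password.
    public static (string Salt, string Hash) Create(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);                        // CSPRNG, never System.Random
        return (Convert.ToBase64String(salt), Convert.ToBase64String(Derive(password, salt)));
    }

    // At login: recompute with the stored salt and compare against the stored hash.
    public static bool Verify(string password, string storedSalt, string storedHash)
    {
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Derive(password, Convert.FromBase64String(storedSalt));
        return FixedTimeEquals(actual, expected);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        // The HashAlgorithmName overload needs .NET Framework 4.7.2+ or .NET Core / .NET 5+.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Touch every byte so a mismatch in byte 0 takes as long as one in byte 31.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Assumed stand-in for the post's User entity; the repository is a delegate.
public class User { public string Email; public string Salt; public string Hash; }

public static class SecurityService
{
    // Same shape as the post's LookupUser, but the hash is checked in code:
    // the salt has to be read from the row before the hash can be computed,
    // so a single query by email is all the database is asked for.
    public static User LookupUser(string email, string password, Func<string, User> findByEmail)
    {
        User user = findByEmail(email);
        // Unknown email: still run the KDF against a dummy record so the
        // response time doesn't reveal which addresses have accounts.
        string salt = user?.Salt ?? Convert.ToBase64String(new byte[16]);
        string hash = user?.Hash ?? Convert.ToBase64String(new byte[32]);
        bool ok = PasswordHasher.Verify(password, salt, hash);
        return ok && user != null ? user : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var (salt, hash) = PasswordHasher.Create("correct horse battery staple");
        var stored = new User { Email = "alice@example.com", Salt = salt, Hash = hash };
        Func<string, User> findByEmail = e => e == stored.Email ? stored : null;

        Console.WriteLine(SecurityService.LookupUser("alice@example.com", "correct horse battery staple", findByEmail) != null);
        Console.WriteLine(SecurityService.LookupUser("alice@example.com", "wrong password", findByEmail) != null);
        Console.WriteLine(SecurityService.LookupUser("nobody@example.com", "anything", findByEmail) != null);
    }
}
```

The Salt and Hash columns replace the password column. It is worth storing the iteration count next to them as well, so that when you raise it later you can re-hash each account at its next successful login instead of forcing a reset. If you can take a dependency, a bcrypt or Argon2 library slots in at Derive without changing anything else.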

Now back to the login POST method on the controller. Once the user has been authenticated in the system, you need to create a cookie for the ASP.Net forms authentication to work.

First create a ticket that stores information such as the user logged in.

Where LoggedInUser is the valid User object we got from the database earlier. To check for a valid ticket throughout the site, you can decorate each action method with the [Authorize] filter attribute, or you can protect the whole site and put [AllowAnonymous] on the login controller actions only. The site-wide approach is the safer default, because a new controller is protected unless someone explicitly opts it out. To do this for the whole site, first add a new AuthorizeAttribute to the FilterConfig.cs file inside App_Start like this:-

Then in the Application_AuthenticateRequest method of the Global.asax.cs file add this:-

This method runs on every request and checks whether it carries a valid FormsAuthentication ticket, setting the current principal when it does. A request without one fails the global AuthorizeAttribute, and forms authentication turns that 401 into a redirect to the login URL specified in the web.config file.
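The following is an added example, not the post's own controller, FilterConfig.cs or Global.asax.cs code. It shows the three pieces together: the ticket and cookie created in the login POST, the site-wide AuthorizeAttribute, and an Application_AuthenticateRequest that decrypts the ticket and rebuilds the principal. ISecurityService and the User class stand in for the post's SecurityService and User (assumptions), and carrying the roles in the ticket's UserData is an assumption too; everything else is the System.Web.Mvc and System.Web.Security API. The controller takes its service through the constructor, so an MVC dependency resolver is assumed to be configured.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not the post's own code. Assumed stand-ins for the post's
// User object and SecurityService.LookupUser.
public class User { public int Id; public string Email; public string[] Roles; }
public interface ISecurityService { User LookupUser(string email, string password); }

public static class AuthCookie
{
    // Build the forms ticket for an authenticated user and wrap it in the cookie
    // ASP.NET forms authentication expects. UserData carries the roles (assumption).
    public static HttpCookie Create(User user, bool rememberMe = false)
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: user.Email,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(30),
            isPersistent: rememberMe,
            userData: string.Join(",", user.Roles ?? new string[0]));

        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable by script, so XSS can't lift it
            Secure = FormsAuthentication.RequireSSL,  // mirrors <forms requireSSL="true"> in web.config
            Expires = rememberMe ? ticket.Expiration : DateTime.MinValue, // MinValue = session cookie
        };
    }

    // Decrypt and validate the ticket on an incoming request; null means "not logged in".
    public static IPrincipal PrincipalFrom(HttpCookie cookie)
    {
        if (cookie == null) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }            // tampered, truncated, or a different machineKey
        if (ticket == null || ticket.Expired) return null;
        string[] roles = string.IsNullOrEmpty(ticket.UserData) ? new string[0] : ticket.UserData.Split(',');
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

public class AccountController : Controller
{
    private readonly ISecurityService _security;
    public AccountController(ISecurityService security) { _security = security; }

    [AllowAnonymous]
    public ActionResult Login(string returnUrl) { return View(); }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string email, string password, string returnUrl)
    {
        User loggedInUser = _security.LookupUser(email, password);
        if (loggedInUser == null)
        {
            // One message for "no such user" and "wrong password" so the form
            // doesn't confirm which email addresses have accounts.
            ModelState.AddModelError("", "Invalid email address or password.");
            return View();
        }
        Response.Cookies.Add(AuthCookie.Create(loggedInUser));

        // Only honour a local returnUrl; anything else is an open redirect.
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl)
                                         : RedirectToAction("Index", "Home");
    }
}

// App_Start/FilterConfig.cs: deny by default, opt out with [AllowAnonymous].
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

// Global.asax.cs: rebuild the principal (with roles) from the ticket on every request.
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal principal = AuthCookie.PrincipalFrom(Request.Cookies[FormsAuthentication.FormsCookieName]);
        if (principal != null) Context.User = principal;
    }
}
```

With this in place, web.config needs `<authentication mode="Forms"><forms loginUrl="~/Account/Login" requireSSL="true" timeout="30" /></authentication>` and `<httpCookies httpOnlyCookies="true" requireSSL="true" />`. The global filter answers unauthenticated requests with a 401, which the forms module turns into a redirect to loginUrl. On a web farm the machineKey must be identical on every node, or a ticket issued by one node will fail Decrypt on another.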

Posted in C#, CodeProject, MVC, Practices, Web

Run Visual Studio In Administrator Mode On Windows 8.1

There are some things you cannot do on a typical Windows 8.1 installation, such as view a web site externally when running IIS Express. Also, if you want to run full IIS on a Windows 8.1 Pro machine and have Visual Studio run your web application through it, then you need to run Visual Studio with administrator privileges. In Windows 7 there is a compatibility tab in the program properties where you can specify this, but that is not available in Windows 8 or Windows 8.1 installations.

So find the location of the devenv.exe application file. This is usually somewhere like C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE.

vs_runas_admin_1

Right click it and, instead of choosing Properties, choose Troubleshoot compatibility.

vs_runas_admin_2

Select Troubleshoot program for the options.

vs_runas_admin_3

Then check the box for additional permissions (this usually means administrator privileges).

vs_runas_admin_4

Now test the program by running Visual Studio.

vs_runas_admin_5

Once Visual Studio has opened, the title bar should state that it is running as administrator.

vs_runas_admin_6

Back in the wizard, choose ‘Yes, save these settings for this program’.

vs_runas_admin_7

It will then look for any other issues.

vs_runas_admin_8

You should see the next image when it has finished.

vs_runas_admin_9

Simply close it and you should be OK running IIS Express as well as a local installation of IIS. Bear in mind that everything Visual Studio launches from now on (IIS Express, MSBuild, test runners, NuGet package install scripts) also runs elevated, so any code or package you build and run from the IDE has administrator rights on your machine.

Posted in Tooling, Windows 8

Import IIS Express Log Files to SQL Server

Unless you use third-party tools, management of IIS Express is pretty limited. For example, it is not possible to log directly to a SQL Server database for later analysis. You can however import the existing log files into SQL Server, and here I will show you how I go about it.

First you need to create the table in SQL Server; however, I am going to initially use a temporary table:-

These are all the fields that the current version of IIS Express 8.0 uses. Before you import, however, you need to strip out all the comment lines, those beginning with the # symbol (#Software, #Version, #Date and #Fields). Check the #Fields line before you throw it away: it gives the column order of the rows that follow, and if the field set configured in IIS Express differs from the table above, the bulk insert will load values into the wrong columns without complaint. To strip the comments, download the Microsoft PrepLog tool; it is an old tool, but still useful for this purpose. Then run PrepLog on a log file from the command line:-

Then finally, do a bulk insert to get it all into SQL Server

Now create the table to import the data into. The only difference here is the addition of an id column; I want one because I will be querying the table from Entity Framework, and for that you need a primary key.

Then use a SELECT query to get the data into the final table:-
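The following is an added example in C#, not the post's PrepLog and BULK INSERT steps and not the author's code. It does the same import in code: the parser drops the # directive lines itself, takes the column order from the #Fields directive rather than assuming it, and hands the rows to SqlBulkCopy; it then runs one of the queries the import is for over the rows. The field list in the constructed sample log is assumed to match the default IIS 8 W3C field set, the staging table name IisLogStaging is an assumption, and System.Data.SqlClient is the .NET Framework provider (on .NET Core it comes from the System.Data.SqlClient or Microsoft.Data.SqlClient package).

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Linq;

// Added example, not the post's PrepLog + BULK INSERT steps. Reads a W3C
// extended log, drops the "#" directive lines itself, and takes the column
// order from the "#Fields:" line instead of assuming it, so a log whose
// field set differs from the staging table is caught rather than misaligned.
public static class W3cLogImporter
{
    public static DataTable Parse(TextReader reader, string tableName = "IisLogStaging")
    {
        var table = new DataTable(tableName);
        string[] fields = null;
        string line;
        while ((line = reader.ReadLine()) != null)
        {
            if (line.StartsWith("#Fields:"))
            {
                // IIS writes a new #Fields line whenever the configured field set changes.
                fields = line.Substring("#Fields:".Length).Trim().Split(' ');
                foreach (string f in fields)
                    if (!table.Columns.Contains(f)) table.Columns.Add(f, typeof(string));
                continue;
            }
            if (line.StartsWith("#") || line.Trim().Length == 0) continue; // #Software, #Version, #Date
            if (fields == null) throw new InvalidDataException("data row before any #Fields directive");

            string[] values = line.Split(' ');
            if (values.Length != fields.Length) continue; // damaged row: skip it, never shift columns

            DataRow row = table.NewRow();
            for (int i = 0; i < fields.Length; i++)
                row[fields[i]] = values[i] == "-" ? (object)DBNull.Value : values[i];
            table.Rows.Add(row);
        }
        return table;
    }

    // Push the rows into a staging table whose columns are named exactly as in
    // the #Fields line (e.g. [cs(User-Agent)]). Mapping by name means a missing
    // column fails the load instead of silently landing in the wrong one, and the
    // request data (query strings, user agents) travels as values, never as SQL.
    public static void BulkLoad(DataTable table, string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var bulk = new SqlBulkCopy(conn) { DestinationTableName = table.TableName })
        {
            foreach (DataColumn col in table.Columns)
                bulk.ColumnMappings.Add(col.ColumnName, col.ColumnName);
            conn.Open();
            bulk.WriteToServer(table);
        }
    }

    // One of the things the import is for: clients generating many 404s,
    // the usual footprint of a directory or vulnerability scanner.
    public static IEnumerable<(string ClientIp, int NotFound)> NoisyClients(DataTable table, int threshold)
    {
        return table.AsEnumerable()
            .Where(r => r.Field<string>("sc-status") == "404")
            .GroupBy(r => r.Field<string>("c-ip"))
            .Select(g => (ClientIp: g.Key, NotFound: g.Count()))
            .Where(t => t.NotFound >= threshold);
    }
}

public static class Demo
{
    // Constructed sample log in the default IIS 8 W3C field order (not a real capture).
    const string SampleLog =
@"#Software: Microsoft IIS 8.0
#Version: 1.0
#Date: 2014-05-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-05-01 10:00:01 127.0.0.1 GET /Account/Login - 8080 - 10.0.0.5 Mozilla/5.0 - 200 0 0 15
2014-05-01 10:00:02 127.0.0.1 GET /admin.php - 8080 - 10.0.0.9 Nikto - 404 0 2 3
2014-05-01 10:00:02 127.0.0.1 GET /phpmyadmin/ - 8080 - 10.0.0.9 Nikto - 404 0 2 2
2014-05-01 10:00:03 127.0.0.1 GET /wp-login.php - 8080 - 10.0.0.9 Nikto - 404 0 2 2
2014-05-01 10:00:04 127.0.0.1 GET /favicon.ico - 8080 - 10.0.0.5 Mozilla/5.0 - 404 0 2 1";

    public static void Main()
    {
        DataTable table = W3cLogImporter.Parse(new StringReader(SampleLog));
        Console.WriteLine($"{table.Rows.Count} rows, {table.Columns.Count} columns");
        foreach (var (ip, count) in W3cLogImporter.NoisyClients(table, 3))
            Console.WriteLine($"{ip}: {count} x 404");
        // W3cLogImporter.BulkLoad(table, "Server=.;Database=Logs;Integrated Security=true"); // needs SQL Server
    }
}
```

Once the rows are in the staging table, the SELECT into the final table with the id column works exactly as in the post. Keep the imported values as data in any later query (parameters, not string concatenation): cs-uri-query and cs(User-Agent) are written by whoever sent the request.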

Happy coding.

Posted in Tooling, Web

Export EDMX File to PDF

If you are working on a large project, you inevitably end up with a large edmx file if you are doing database-first EF work. One tip I like to follow is to export it to a PDF file so that I can look at it as a reference while developing. To do this you first need to have a print driver installed that will create PDF files. A good one to choose is PDF Creator from pdfforge; however, do a virus scan on this file, as my AVG came up with a warning about the AdLoad.OpenCandy adware program included in the installation.

Once PDF Creator is installed, open up your EDMX file in Visual Studio and go to File > Print

Choose PDFCreator as the printer and click the Properties button.

export_edmx_1

Keep it as Portrait if you wish, then press the Advanced button.

export_edmx_2

Choose ARCH E3 as the paper size. This is an architectural size and measures 27 x 39 inches (686 mm x 991 mm).

export_edmx_3

Come back out by clicking the OK buttons until you get to print the document. In the PDF Creator options screen, set the profile to High Quality; it will create a larger file, but will be much clearer when zooming in.

export_edmx_4

Then simply save it.

Happy coding

Posted in Entity Framework, Practices, Tooling