Blog Archives

From Troy Hunt – The beginners guide to breaking website security…

This post should motivate some people to be more security minded.  I know I am not perfect but I did not realize all of the capabilities that are shown in this post.  Mainly the ability for it to use the name of one of your trusted networks.

Encrypt That ViewState!

Something that is probably overlooked from time to time, unless you are just always that secure, is encrypting your ViewState. While SSL may prevent some things, you may want to make it a bit harder for an end user to see the information stored in ViewState.

Luckily this is very simple. You can set it in the @Page directive (<%@ Page Language="C#" ViewStateEncryptionMode="Always" %>) or in the web.config file (<pages viewStateEncryptionMode="Always" />).

Of course, like many things in .NET, there are many ways to do this depending on your specific situation. For that level of detail you should read the ViewState Overview.
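An added example, not from the original post: a small Python audit that reports pages whose effective ViewStateEncryptionMode is not Always, checking both places named above (the @Page directive and the <pages> element in web.config). It assumes a single root web.config with optional <location> overrides; the function names and sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
MODE_ATTR = re.compile(r"\bViewStateEncryptionMode\s*=\s*[\"'](\w+)[\"']", re.I)

def config_modes(web_config_xml):
    """Map scope -> viewStateEncryptionMode for the site ("") and each <location>."""
    root = ET.fromstring(web_config_xml)
    scopes = [("", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    modes = {"": "Auto"}  # framework default when nothing is configured
    for path, node in scopes:
        pages = node.find("system.web/pages[@viewStateEncryptionMode]")
        if pages is not None:
            modes[path] = pages.get("viewStateEncryptionMode")
    return modes

def directive_mode(aspx_text):
    """Mode set in the @Page directive, or None when the page inherits it."""
    directive = PAGE_DIRECTIVE.search(aspx_text)
    attr = MODE_ATTR.search(directive.group(1)) if directive else None
    return attr.group(1) if attr else None

def effective_mode(rel_path, aspx_text, modes):
    """@Page directive wins, then the longest matching <location>, then the site."""
    own = directive_mode(aspx_text)
    if own:
        return own
    scopes = [p for p in modes if p and (rel_path + "/").startswith(p.rstrip("/") + "/")]
    return modes[max(scopes, key=len)] if scopes else modes[""]

def audit(web_config_xml, pages):
    """Return {page: mode} for every page whose ViewState is not always encrypted."""
    modes = config_modes(web_config_xml)
    checked = {p: effective_mode(p, t, modes) for p, t in pages.items()}
    return {p: m for p, m in checked.items() if m.lower() != "always"}

# Constructed sample input (not from any real site).
SAMPLE_CONFIG = """<configuration>
  <system.web><pages viewStateEncryptionMode="Always" /></system.web>
  <location path="legacy"><system.web>
    <pages viewStateEncryptionMode="Never" /></system.web></location>
</configuration>"""
SAMPLE_PAGES = {
    "default.aspx": '<%@ Page Language="C#" %>',
    "legacy/report.aspx": '<%@ Page Language="C#" %>',
    "legacy/pay.aspx": '<%@ Page Language="C#" ViewStateEncryptionMode="Always" %>',
    "search.aspx": '<%@ Page Language="C#" ViewStateEncryptionMode="Auto" %>',
}
print(audit(SAMPLE_CONFIG, SAMPLE_PAGES))
```

Pages reported as Auto are encrypted only when a control on them requests it, and pages reported as Never are not encrypted even then.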

Web.Config & URL Authorization

If you are making the change to IIS 7 and you use your web.config file to control access, there are a couple of things you need to know.

This is known as URL Authorization and has changed a little from the older versions of IIS. In the past we could just make sure the site was set to integrated authentication and then set our web.config authentication mode with authorization allow/deny settings and be happy.

I have been learning the hard way that there is a bit of a change for those using IIS7 or better. To explain it best I will simply use a couple of links to the information I have found.

Security Authorization

ASP.NET Authorization