At the minute unfortunately no. My brief at the moment is to recreate the existing functionality. They don't want the users to log back in and find the site behaving differently. It is not good, I know. [EMAIL PROTECTED]
> Date: Thu, 3 Jan 2008 10:49:27 -0600
> From: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] non authenticated security
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
>
> Do you have an option to use email address as a user name?
>
> -----Original Message-----
> From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cowan
> Sent: Thursday, January 03, 2008 10:40 AM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] non authenticated security
>
> I really do agree with you but the thing is the data from the feeds that I am importing via SSIS is not clean data. Sometimes all I have is an email address. I would have to compromise the quality of the users' data in order to create a user.
>
> The original database would be funny if I was not dealing with it. No foreign keys and pipe delimited fields that are the one-to-many relationships. Unreal.
>
> [EMAIL PROTECTED]
>
> > Date: Thu, 3 Jan 2008 11:16:14 -0500
> > From: [EMAIL PROTECTED]
> > Subject: Re: [ADVANCED-DOTNET] non authenticated security
> > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> >
> > I would suggest storing only a hash of the PIN/password, but if you take server compromise out of the picture it doesn't make it any more secure.
> >
> > It's "secure" but it could be more secure. Some things that would make it more secure: mandate passwords of at least 8 characters and include three types of characters (like lower-case, upper case, and punctuation), don't accept passwords with real words in them, mandate the password change every x days, etc.
> >
> > I would certainly suggest making them full-fledged users, with different permissions.
> >
> > On Thu, 3 Jan 2008 16:09:11 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
> >
> > > At present, it is stored as plain text in the database.
> > >
> > > At the very least, I should encrypt it I guess.
> > >
> > > I was thinking of creating the user when I am importing the contacts via an SSIS import and then getting the user to change their password on first login.
> > >
> > > But the records are not in great shape.
> > >
> > > [EMAIL PROTECTED]
> > >
> > > > Date: Thu, 3 Jan 2008 10:52:54 -0500
> > > > From: [EMAIL PROTECTED]
> > > > Subject: Re: [ADVANCED-DOTNET] non authenticated security
> > > > To: ADVANCED-[EMAIL PROTECTED]
> > > >
> > > > Is this PIN stored in a database somewhere, or do they have to re-enter it after it "expires"?
> > > >
> > > > On Thu, 3 Jan 2008 15:54:03 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > I am migrating an ASP app. to an ASP.NET and have spotted a potential security hole.
> > > > >
> > > > > Most of the app. I am securing with Forms authentication but as stands they have another requirement whereby users who are just contacts who exist in the system without a username or password can access certain parts of the site which are sensitive. They have been entered in the system by importing an Excel or SAP feed. They have not been created via the system and as such do not have usernames or passwords.
> > > > >
> > > > > The way things stand at the minute, the user gets redirected to a page where they create a 4 digit pin number which allows them to access the system via another page.
> > > > >
> > > > > This seems terrible to me.
> > > > >
> > > > > Can anyone think of a better way of handling this situation?
> > > > >
> > > > > Cheers
> > > > >
> > > > > [EMAIL PROTECTED]

===================================
This list is hosted by DevelopMentor® http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com
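
The suggestions made in the quoted reply (store only a hash, require at least 8 characters with three character types, reject real words, force a change every x days), as an added Python example that is not code from anyone in the thread. The word list, the 90-day limit, the PBKDF2 parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Assumptions (not from the thread): tiny constructed word list, 90-day maximum
# age, PBKDF2-HMAC-SHA256 with 600,000 iterations, 16-byte random salt.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey"}
MAX_AGE = timedelta(days=90)
ITERATIONS = 600_000


def policy_violations(secret: str) -> list[str]:
    """Return the rules from the reply that `secret` breaks (empty = accepted)."""
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if sum(any(c in cls for c in secret) for cls in classes) < 3:
        problems.append("fewer than three character types")
    if any(word in secret.lower() for word in COMMON_WORDS):
        problems.append("contains a real word")
    return problems


def make_record(secret: str, now: datetime) -> dict:
    """Build the row to store: salt, slow hash and change date, never the secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "changed": now}


def verify(record: dict, attempt: str, now: datetime) -> str:
    """Return 'ok', 'expired' (correct but overdue for change) or 'denied'."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(digest, record["hash"]):
        return "denied"
    return "expired" if now - record["changed"] > MAX_AGE else "ok"
```

A 4-digit PIN such as the one described in the original post fails the first two checks, so it would be rejected before it was ever hashed.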