
security

10 posts, 0 answered
  1. Mike
    221 posts
    Registered: 19 Aug 2008
    17 Oct 2008
    Is there anything built into SiteFinity in regards to security and encryption? Specifically, viewstate encryption.

    Nugs
  2. Joe
    138 posts
    Registered: 24 Sep 2012
    17 Oct 2008
    Hi Duncan,

    Thanks for contacting us.

    Sitefinity can encrypt viewstate in the same way as a regular ASP.NET application can, so you simply have to add a ViewState encryption property to your Web.config file. For more info on this feature, please read this article. Feel free to contact us if you have any additional questions.

    Sincerely yours,
    Joe
    the Telerik team

  3. Mike
    221 posts
    Registered: 19 Aug 2008
    17 Oct 2008
    Thanks Joe, this is very helpful and what I need!

    Nugs
  4. Mike
    221 posts
    Registered: 19 Aug 2008
    17 Oct 2008
    Joe,

    I just wanted to confirm with you that this would be the correct implementation of this encryption... I want all properties of my Custom Control to be stored in ViewState and want viewstate to be encrypted if the control is present.

    Please let me know if this will do the trick:

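        // Requires: using System; using System.Web.UI;
        protected override void OnInit(EventArgs e)
        {
            base.OnInit(e);
            if (Page != null)
            {
                // Ask the page to encrypt view state (honoured when the mode is Auto).
                Page.RegisterRequiresViewStateEncryption();
            }
        }

        // Control.SaveViewState returns the saved state object, so the override must too.
        protected override object SaveViewState()
        {
            if (Page != null)
            {
                if (Page.ViewStateEncryptionMode == ViewStateEncryptionMode.Never)
                {
                    throw new Exception("ViewStateEncryptionMode.Never not allowed when using this control.");
                }
            }
            return base.SaveViewState();
        }

        // Property value is kept in view state under the key "TestBool".
        public virtual bool TestBool
        {
            get
            {
                object obj = this.ViewState["TestBool"];
                if (obj != null)
                {
                    return Convert.ToBoolean(obj);
                }
                return false;
            }
            set
            {
                this.ViewState["TestBool"] = value;
            }
        }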


    Additionally, do you know of any way to check if viewstate is encrypted? Or do I just need to take the word of Microsoft? :)

    And lastly, if I create a control like this and have a property for the user to set, and add this control to a page in SiteFinity, is there any way that this property value (before being placed in viewstate) can be accessed by a malicious user? I am dealing with highly sensitive web service authentication data...

    Thanks,

    Nugs
  5. Gabe Sumner
    440 posts
    Registered: 09 Sep 2007
    17 Oct 2008
    I don't have a good Internet connection right now, so I can't confirm this, but I found a Firefox add-on that is supposed to do Viewstate Decoding:

    https://addons.mozilla.org/en-US/firefox/addon/7167

    You could use this to inspect what Sitefinity is doing on the demo pages:

    http://demo.sitefinity.com/Home.aspx

    I doubt this encryption is being done by default though. I believe you could turn this on though using the "web.config" technique described on this page:

    http://teera.seriyagroup.com/blog/index.php/2008/06/28/securing-your-viewstate-1-viewstate-encryption/

    Sorry, I wish I could confirm all of this, but hopefully the links above will help.

    Gabe Sumner
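
An added example, not part of any post in this thread: a small Python check for the question "is viewstate encrypted?", run against a page's HTML. It assumes the standard ASP.NET hidden fields `__VIEWSTATE` and `__VIEWSTATEENCRYPTED`; the sample pages and the helper names (`viewstate_status`, `_page`) are constructed for illustration.

```python
import base64
from html.parser import HTMLParser

# An unencrypted __VIEWSTATE is ObjectStateFormatter output, which starts
# with the marker bytes 0xFF 0x01 (so the base64 text usually starts "/wE").
PLAINTEXT_HEADER = b"\xff\x01"


class HiddenFields(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def viewstate_status(html):
    """Return 'absent', 'plaintext', 'encrypted' or 'unknown' for one page."""
    parser = HiddenFields()
    parser.feed(html)
    raw = parser.fields.get("__VIEWSTATE")
    if not raw:
        return "absent"
    try:
        blob = base64.b64decode(raw, validate=True)
    except ValueError:
        return "unknown"  # value is not base64 at all
    if blob.startswith(PLAINTEXT_HEADER):
        return "plaintext"  # serialized state is readable by anyone
    # ASP.NET adds an empty __VIEWSTATEENCRYPTED field when it encrypts.
    return "encrypted" if "__VIEWSTATEENCRYPTED" in parser.fields else "unknown"


def _page(blob, encrypted_flag):
    # Constructed sample markup, not captured from a real site.
    value = base64.b64encode(blob).decode()
    extra = '<input type="hidden" name="__VIEWSTATEENCRYPTED" value="" />' if encrypted_flag else ""
    return f'<form><input type="hidden" name="__VIEWSTATE" value="{value}" />{extra}</form>'


SAMPLE_PLAIN = _page(b"\xff\x01\x0f\x05\x08TestBool", False)
SAMPLE_ENCRYPTED = _page(bytes(range(16, 64)), True)

if __name__ == "__main__":
    for name, page in (("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, "->", viewstate_status(page))
```

A result of `plaintext` on a page that hosts the control means the property values stored in viewstate can be read by anyone who views the page source.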

  6. Gabe Sumner
    440 posts
    Registered: 09 Sep 2007
    17 Oct 2008
    Wow, I left my computer while composing my reply, returned, finished my reply, clicked submit and there are 3 other replies.

    Looks like I'm late to the party...   :)

    Gabe Sumner

  7. Mike
    221 posts
    Registered: 19 Aug 2008
    17 Oct 2008
    Thanks Gabe, I will try this FF addon.

    Nugs
  8. Mike
    221 posts
    Registered: 19 Aug 2008
    17 Oct 2008
    One last question on SiteFinity security. Does SiteFinity encrypt the sensitive config sections of the web.config, like the connection string to the database, or is this something we must do?

    Nugs
  9. Georgi
    3583 posts
    Registered: 28 Oct 2016
    20 Oct 2008
    Hello Nugs,

    Sitefinity does not encrypt any part of the web.config file. It is not a standard practice to encrypt parts of this file, which is why we do not do it either. This file of course could not be downloaded, so it is just a question of server security here. If you prefer, you can implement such a feature, but we have never tested or tried to do something like this before.

    Greetings,
    Georgi
    the Telerik team

  10. Mike
    221 posts
    Registered: 19 Aug 2008
    20 Oct 2008
    That is a rather different response than I was expecting. .NET has built-in mechanisms for just such things... It is entirely possible (although rather difficult) to retrieve a web.config file from a server. Config section encryption was put in place for just such a scenario, specifically for protecting database connection strings in the web.config...

    http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx

    .NET handles this encryption and decryption... I was just wondering if these sensitive sections were encrypted programmatically by SiteFinity. Since they are not, I will run aspnet_regiis.exe on these sensitive sections of the web.config.

    Thanks,

    Nugs