<2005 July>
SunMonTueWedThuFriSat
262728293012
3456789
10111213141516
17181920212223
24252627282930
31123456

On this page...

Search

Links

Member of...


ASP Insiders

MVP Visual Developer ASP/ASP.NET

Enter CodeZone

Blog Categories

Microsoft

Blogroll

Deutsche Resourcen

Management

Sign In
 

#  Monday, 25 July 2005

On Friday, it was my turn as speaker at the Community Bootcamp 2005 aka CBC05. One of the topics at hand was "The Provider Model", with a focus on Membership providers. Those are the ones most likely being extended / written from scratch, and we did an exercise in that very area: Extend the SqlMembershipProvider to audit successful and failed logins similar to *nix. The solution I present today is a streamlined solution programmed by Alexander Schoeppl, one of the attendees.

Step 1: Create the table

CREATE TABLE [dbo].[myLoginAuditing](
 [username] [varchar](255) NOT NULL,
 [numberofSuccessfulLogins] [int] NOT NULL,
 [numberofFailedLogins] [int] NOT NULL,
 [lastFailedLogin] [datetime] NOT NULL,
 [lastFailedLoginIP] [varchar](15) NOT NULL)

Step 2: Create the stored procedure

create procedure myLogUserVisit(
  @username as Varchar(255),
  @success as int,
  @lastfailedLoginIP as varchar(15))
as
   IF ( EXISTS ( SELECT username
                  FROM   dbo.myLoginAuditing
                  WHERE  username = @username ) )
    BEGIN
    if (@success = 1)
    Begin
      update myLoginAuditing set
numberofSuccessfulLogins = numberofSuccessfulLogins + 1
        where username = @username
    End
    else
    begin
      update myLoginAuditing set
numberofFailedLogins = numberofFailedLogins + 1,
                    lastFailedLogin = GetDate(),
                    lastfailedLoginIP = @lastFailedLoginIP
        where username = @username
    end
  END
  ELSE
  BEGIN
    if (@success = 1)
    Begin
      insert into myLoginAuditing (username, numberofSuccessfulLogins,
numberoffailedlogins, lastfailedlogin, lastfailedloginip)
values (@username, 1, 0, '01.01.1900', '')
    End
    else
    begin
      insert into myLoginAuditing (username, numberofSuccessfulLogins,
numberoffailedlogins, lastfailedlogin, lastfailedloginip)
values (@username, 0, 1, GetDate(), @lastfailedLoginIP)
    end   
  END

Alexander did a smart thing - he looked at the various aspnet* sp's.

Step 3: Write the Membership provider

The class skeleton looks like this:

public class MyMembershipProvider : SqlMembershipProvider
{
public override bool ValidateUser(string username, string password)
{
}

public override void Initialize(string name, System.Collections.Specialized.NameValueCollection config)
{
}

public override MembershipUser GetUser(string username, bool userIsOnline)
{
}
}

Initialize is the easy but essential part - we need the connection string name for later:

private string connectionStringName;

public override void Initialize(string name, System.Collections.Specialized.NameValueCollection config)
{
connectionStringName = config["connectionStringName"];
base.Initialize(name, config);
}

Now we can validate the user - well, the base class does that. We only do the auditing part:

public override bool ValidateUser(string username, string password)
{
HttpContext.Current.Trace.Write("ValidateUser:entry");

bool bSuccess = base.ValidateUser(username, password);

string connectionString = ConfigurationManager.ConnectionStrings[connectionStringName].ConnectionString;

SqlConnection conn = new SqlConnection(connectionString);
SqlCommand cmd = new SqlCommand("exec myLogUserVisit @username, @success, @IP", conn);

cmd.Parameters.AddWithValue("@username", username);
if (bSuccess)
  cmd.Parameters.AddWithValue("@success", 1);
else
  cmd.Parameters.AddWithValue("@success", 0);

cmd.Parameters.AddWithValue("@IP", HttpContext.Current.Request.UserHostAddress);

conn.Open();
cmd.ExecuteNonQuery();
conn.Close();

HttpContext.Current.Trace.Write("ValidateUser:exit");

return bSuccess;
}

Step 4: Set it up - web.config

  <appSettings/>
  <connectionStrings>
    <add name="MyNWind" connectionString="Data Source=cbc05vpc\cbc05;Initial Catalog=Northwind;User=sa;Password=P@ssw0rd"/>
  </connectionStrings>
 
  <system.web>
    <membership defaultProvider="SuperDuperMSProv">
      <providers>
        <clear/>
        <add name="SuperDuperMSProv" connectionStringName="MyNWind" type="MyMembershipProvider"/>
      </providers>
    </membership>

Step 5: View the auditing information - default.aspx.cs

The final "UI" looks like this:

The source code is rather simple:

protected void Page_Load(object sender, EventArgs e)
{
MyMembershipUser currentUser = (MyMembershipUser)Membership.GetUser();

Label1.Text = currentUser.FullName;
string lcConnection = ConfigurationManager.ConnectionStrings["MyNWind"].ConnectionString;

SqlConnection conn = new SqlConnection(lcConnection);

SqlCommand cmd = new SqlCommand("select * from myLoginAuditing where username=@username", conn);
cmd.Parameters.AddWithValue("@Username", currentUser.UserName);

conn.Open();

SqlDataReader reader = cmd.ExecuteReader();

GridView1.DataSource = reader;
GridView1.DataBind();

reader.Close();
conn.Close();
}

Done. By the way, did you notice something? Right! Alexander never fell into the trap of SQL Injection.

ExtendingMembershipProviderDemo.zip (5.64 KB)

Categories: 2 Ohhhh | ASP.NET | Community | Security
Monday, 25 July 2005 19:46:16 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Wednesday, 13 July 2005
Yet another security book is coming: The 19 Deadly Sins of Software Security. You can read about its contents on Michael Howard's blog here. I am not yet done with Protect Your Windows Network : From Perimeter to Data by Jesper Johansson and Steve Riley (great site, btw). I definitely do recommend this book to everyone interested in security!
Categories: Books | Security
Wednesday, 13 July 2005 08:16:30 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Tuesday, 12 July 2005
Order a couple of their security posters and place them at strategical locations in your company. Maybe someone should buy this poster for the UK MOD - they keep having their notebooks stolen.
Categories: Security
Tuesday, 12 July 2005 22:05:59 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

Check out the article 10 Immutable Laws of Security on TechNet. A couple of those should get you thinking - I especially like #6.
Categories: Administration | Security
Tuesday, 12 July 2005 21:59:45 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Monday, 11 July 2005

Process Explorer is a really nifty tool, that comes in very handy when you want to take a deep dive into what's running on your machine, and what might be happening behind the scenes:

When you double-click on a .NET application, you get a tab dedicated to AppDomain and performance counter information:

Nice for a quick look around to see what that application is doing.

Categories: .NET | Cool Download
Monday, 11 July 2005 15:50:36 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

Mark Russinovich (his blog is highly recommended) commented on that book during one of his TechEd Europe talks. The book is written (including) by the guy running rootkit.com, famous for the Hacker Defender rootkit for Windows. Looks like there's yet another book to be added to my backlog for reading this summer <g />.
Categories: Books | Security | this
Monday, 11 July 2005 15:01:12 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

And it works just fine (here you can get one for yourself):

Categories: Smartphone and PocketPC | this
Monday, 11 July 2005 09:51:43 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



#  Friday, 08 July 2005
I'm sitting right now in that session. The speaker is just demoing yet another example which has a SQL Injection vulnerability! The killer: a script callback that uses the params unvetted to dynamically build a SQL string. MS definitely should vet the demos for security problems.
Categories: 2 Ohhhh | ASP.NET | Security | this
Friday, 08 July 2005 12:31:39 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]

 



#  Wednesday, 06 July 2005
Stefan Schackow (PM ASP.NET team) just demoed this cool little application here at the chalk & talk session @ TechEd in Amsterdam. The really interesting part is how to flow authentication information such as username and roles securely to the ASP application.
Wednesday, 06 July 2005 09:33:57 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 

Looking for great information about Internet Information Services? Then IISWebCastSeries.com is the place to go. Especially interesting should be the Webcast "Recycling IIS 6.0 Applications: The Good, the Bad, and the Ugly" (related blog entry).

Categories: Administration | IIS
Wednesday, 06 July 2005 08:36:40 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



© Copyright 2017 Christoph Wille

newtelligence dasBlog 2.3.9074.18820
Subscribe to this weblog's RSS feed with SharpReader, Radio Userland, NewsGator or any other aggregator listening on port 5335 by clicking this button.   RSS 2.0|Atom 1.0  Send mail to the author(s)

 
Don't contact us via this (fleischfalle@alphasierrapapa.com) email address.