I included BotDetect Captcha in my login page but the captcha control is not loading. I tried a simple page based on examples but still captcha is not working/loading
Here are the config lines : webconfig
Your help is highly needed and appreciated
You can try reCAPTCHA which have provision to run on local
"If you would like to use "localhost" for development, you must add it to the list of domains."
Even though it allows to run on local server but can only work if you access localhost using 127.0.0.1 rather than localhost.
Here is the reCAPTCHA .link for reference
Related
This is not a question that I'm asking, but an answer that I'm giving for to a problem that had been plaqueing me for a few days.
We were tasked to build a simple static ASP.Net application with a sign-in to access the site. We decided to go with Forms Authentication for this, and the site itself only contains about a dozen pages. We were asked to use Veracode to address any security flaws, and kept coming up against a security threat around the Response.Redirect. Veracode kept saying that we needed to evaluate against a whitelist of domains and try to button up this security flaw, but we found a simple solution for this with built in Forms Authentication.
For this solution, there are 2 things that you need.
First, the web.config. On your tag, make sure that you have the following attribute:
<forms enableCrossAppRedirects="false" ></forms>
This makes sure that any redirect link that is returned through the query string is a local redirect only. It will not allow for any links outside of your site to be resolved.
Next, in the code behind of your login page, You will only need the following line of code:
FormsAuthentication.RedirectFromLoginPage(username, false, "/");
This ensures that the redirect follows the rules that are setup in the web.config, and also sets the cookie for you.
Pre-compile your application again in Visual Studio, or use the plugin to upload and scan from there, and be amazed as it passes the validation.
I have a very basic Single Sign On app built on VS 2015 using MVC and Web Forms. It is supposed to be a simple proof of concept and is based on some code found here and here which are essentially the same things. I've finally gotten it all converted to use .Net 4.5 but when running it on my local server it throws a 404 with no debug information.
The 404 itself wasn't initially a surprise as I was supposed to be able to change the url to one of the secure pages (for instance /WebSecApp1) which would redirect me back to the signon page but no matter what I put as the url I get the 404.
I've also tried changing the urls in the code so that they contain the port numbers for the localhost but that doesn't work either.
It was suggested to me that the RouteConfig.cs could be the culprit but I don't see how that could be since I'm calling a single page with no parameters.
I know this is kind of lite on details but does anyone have any suggestions?
Yes this looks like a routing issue as you also thought it to be. Routing is essential for web api too .Pls see https://www.asp.net/web-api/overview/web-api-routing-and-actions/routing-and-action-selection. Does your api request look like this
GET http://localhost:34701/api/products/1?version=1.5&details=1
You do have to mention the port in the request.
While the routing that Arathy mentioned above was partially to blame, the real problem turned out to be relatively simple. In my case simply selecting Properties->Web for each of offending pages and setting "Override application root URL" to checked fixed the whole problem.
I am working with provider hosted app using MVC with JQuery and have a requirement to show Provider Hosted App in an iframe in a SharePoint page to make it look like it is integrated in SharePoint. This application contains a report viewer(version 10.0.0.0) which is showing 'Asp.net session has expired or could not be found' when viewed in IE10 or higher. This app in a SharePoint page works fine when viewed in any other browser(Chrome, Mozilla) but not in IE.
Observations:
When the application is running directly in the Browser i.e.without using iframe, it is working fine.
When the Sharepoint page is viewed after opening the application directly in the browser i.e. in different tab, it works without any error.
But when viewed opening browser for the first time and no instances of the application are opened directly in the browser, it shows the error:
'Asp.net session has expired or could not be found'
Things already tried:
Increasing timeout for iframe as well as application in web.config file.
Setting report Viewer's KeepSessionAlive and AsyncRendering to false as well as true.
Reporting server timeout and all configurations.
Using sessionMode to InProc, SQLServer.
setting cookieeLess to true.
None of these are working for my scenario and I am struggling with this for a week. It seems like some registering problem at the first time and when the application is directly opened it gets registered and works. Any help will be highly appreciated.
P.S.: I have registered the report viewer in web.config file.
Thanks.
So guys finally i fixed my own issue. Thanks to the hint provided by mwwallace8 in the comments.
Problem: IE doesn't allow us to store third party session data in the form of cookies. This is because it gives lower level of trust to iframe pages, thus no session data for iframe will be stored in cookies. So when we submit the form and make a post call the server doesn't receive any session data in the request and thinks that it is the first request. This process generates a new Session ID and sends it back in the response. When the response comes back, the Session ID in the response and the is the new one and it thinks that the previous session expired.This generates the above problem.
Unlike when we open the application directly in the new tab, it takes it like first party and stores its session data in the form of cookies.
Because of this once we open the app in new tab directly, everything was working flawlessly.
Solution: IE needs P3P headers(Platform for Privacy Preference Project) to authenticate the session running in the iframe. This header will tell about what is the intent of the iframe session and what kind of data it will take from browser cookies. It is kind of swiping the Access card before entering in an IT company. So the question is how to generate this P3P header? The answer is here: Go to web.config file and add this code in Configuration tag
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="p3p" value="CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT""/>
</customHeaders>
</httpProtocol>
</system.webServer>
This will create a header certificate i.e. P3P header certificate which will authenticate the iframe session data to get stored in the browser cookies.
To know what these value actually means, go to This Link. You will find a whole lot of information about P3P headers in here.
Hope this might help someone.
Cheers..
I created a new website in IIS called wbsite1. Then I added an application to website1 wich is a website called website2. The problem appeared when we tried to access links in website2. The browser always refers to the root url and redirect so we were trying to change all the urls in website2. For example, if we have a url in website2 like :
<a href='http://localhost:2030/website2/cms/default.aspx...'
and we click on that link the browser redirect us to :
http://localhost:2030/website1/default.aspx
Why am I getting this behavior? And what is the best workaround to integrate two websites without trying to mess with every link in the website? Thank you very much.
We are facing troubles when I try to access a page in the child application it redirects to the default page of the main application and gives the error:
Session state is not available in this context.
I found the solution for my question and it's this :
unfortunately i have to "rewrite" all our links in my code.
so i created a function which will automatically add prefix to external links,
and store base link for other site it configuration.
I did such project with success. thank u for all your replies
i found another solution also and it's using a web proxy but i can't use it in my scenario
I am using SqlMembershipProvider with asp.net and it works fine until I try to use iframes or frames.
When I login without them, I have no issues but if I wrap our website from our customer's site, and try to login, it just flashes and comes back to the original site with all the fields cleared.
I can duplicate this easily with our site on IE 8 and 9 but I have no issues with firefox or chrome.
Is there another way of accomplishing this or getting around it?
====== EDIT ======
Our clients are calling our 'portal' from their website and would like to integrate our portal into it seamlessly as if it is part of their site.
We thought we could accomplish this with an iframe wrapping our portal from their site but I am not having any luck with it working with the login, from what I have read it's a cross domain cookie problem(?).
Hope this helps clarify things some...
You can use FormsAuthentication.SetAuthCookie, and pass the initial credentials in the URL in encrypted way,
This question will strongly help you in internet explorer, other broesers ar OK,
Cookie blocked/not saved in IFRAME in Internet Explorer
I have tested with Chrome, Firefox, Opera (Will give a warning first time), it is working perfectly, no problem, but with IE, you need to see the question that I have provided.
Internet Explorer won't send cookies through IFRAMES unless you specify a P3P header.
The easiest way of doing this, is indicating a custom HTTP header in your Web.config:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="P3P" value='CP="CAO PSA OUR"'/>
This way you do not have to mess in your code with this stuff.
This HTTP header is called Compact P3P, and it should do the trick because I have been in the same situation than you before.
I am afraid that maybe the Safari browser it is a little bit trickier, since Safari won't send the cookies unless the user interacts with the IFRAME content as seen here: Iframe, cross-domain cookies, p3p policy, and safari with error: A required anti-forgery token was not supplied or was invalid . What would probably be not a big problem in your case.
Cheers.
If it's an option to install a subdomain in the DNS and add host headers to IIS, you could try to circumvent cross-domain security by setting up the subdomain to point at your site.
[top] example.com # customerIP => [iframe] portal.example.com # yourIP
Make sure the domains are shared by putting this JavaScript in your code:
document.domain = "example.com"