Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
So Im looking at having a contact form on my website where a person can type a message and send it, with the mesage going to my inbox.
But every time I see them online Ill see this:
System.Net.NetworkCredential("yourEmail#gmail.com", "YourPassword");
Why do I need to provide my password? When you send someone a regular email, you dont need THEIR password.
I also have security concerns. Ok, it's in a .cs file, but still, I dont like seeing my password in plain text there.
Also, what about if its for a big company? Does ebay have their password in plain text? It's something I doubt. How do other people do it?
You absolutely don't want the users password.
But for your contact form to be able to send a mail it needs to be send by a valid email client. Say for example you want to use the gmail server for your mail, you need to provide your credentials for it.
As for the second part of your question, please don't store these plain text in code. You can easily acces those from app.config / web.config
(for example see: Embed credentials for webclient in C# Console Application app.config?)
This is because you have your own SMTP relay and your own credentials.
So when setting up the mailer on your side, you need to specify a reply to email address.
Below is a working example of how do it
var m = new MailMessage { Subject = txtSubject.Text, IsBodyHtml = true, Body = emailOpeningLine + txtMessage.Text };
try
{
m.To.Add(new MailAddress("to");
m.From = new MailAddress("senders email address");
m.ReplyToList.Add("senders email address");
foreach (var attachment in Attactments)
{
m.Attachments.Add(new Attachment(attachment));
}
client.Send(m);
m.To.Clear();
m.Attachments.Clear();
}
catch (SmtpException esException)
{
}
catch (Exception ex)
{
}
Re your other questions, you can keep the passwords in a database, but remember to encrypt them.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I have this scenario:
Add a product but block adding for 1 minute for other users. After 1 min they can normally add one.
Adding a product it is not blocked for the user itself who added it
but for others.
I have this and it is working like a charm:
public async Task<JsonResult> AddProducts(string citaId, string paciente, string medico, string modalidad)
{
var usuario = System.Web.HttpContext.Current.User.Identity.GetUserName();
if (Session["User"] != null)
{
if(Session["User"].ToString() != usuario)
{
var med = await _context.MEDICOS.FindAsync(medico);
var objetoerrr1 = new
{
type = "error",
message = $"you cannot add a product, WAIT 1 MIN."
};
return Json(objetoerrr1, JsonRequestBehavior.AllowGet);
}
}
... the rest of the code for adding a product
// create a session
Session["User"] = usuario;
Session.Timeout = 1;
But my problem is that it is not working when using different browsers or PCs and It is like session is empty in different devices.
Well I have never worked with sessions in ASP NET MVC5 before so when I heard this requeriment, sessions came to my mind so I used them.
How can I achieve such thing? Should I use database to store the session or something? Or should not I be using sessions for this approach?
You should save the sessions into database, not only for this, also for security reasons. And give that session an unique identifier (and save it inside the cookie and retrieve and check it everytime) in order to know login timestamp, logout timestamp, prevent cookie-copy between browsers, prevent cookie-copy after log out, prevent browser-copy, duplicated sessions, if roles changes meanwhile the user is logged in, etc.
Of course there are a lot of ways to do this without database, but this is my answer. I use only database for this because I save user logins into database, as their roles.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I need to implement event on email body i.e when i am sending mail using SmtpClient and after sending mail when user click anywhere in email body need to redirect to another page .
Please Help me.
For this you have to do few things:
Construct your mail body as html tags, enclose all contents inside an anchor tag with href points to the site to be redirected to.
set IsBodyHtml property of the MailMessage object to true
Send the mail
Try something like this:
string mailBodyHtml = "<a href='https://YourSiteName.com'> enclose the whole content here </a>
MailMessage mail = new MailMessage("fromAddress", "toAddress", "subject here", mailBodyHtml);
mail.IsBodyHtml = true;
SmtpClient client = new SmtpClient("localhost");
client.Send(mail);
My team and I have a very specific and frustrating issue. We have an MVC4 web application that many people utilized within a company (no external exposure). Some of our processes generate emails to other employees with links back to the application.
For example, there may be some activity that one employee sees and wants to attend. They can can an email to the other employee saying they would like to attend.
In these emails, we put an anchor tag in with the link back to our application and some query string stuff to help direct it to the right page.
All of that works wonderfully. Now, the problem is, we want the link (from the email) to load in an existing window with the application, if it exists. Normally, I believe, this would be done with setting the target attribute in the anchor tag, but that doesn't work, it just opens in a new tab.
This is what the anchor tag source from the email looks like (i've changed some text so that it hides company related info):
Please <a target="appMain" href='http://domain/app/controller.aspx/view?
keyname=querystringparam1¶ms={"prop1":val,"prop2":va;}'>
click here</a> to approve and go to app
this is our smtp function to send the mail:
public void SendMail(EmailContent emailContent, string mailConfigurationPath)
{
var toRecipients = string.Join(",", emailContent.ToList);
var mailMessage = new MailMessage(emailContent.From, toRecipients)
{
IsBodyHtml = emailContent.IsBodyHtml,
Body = emailContent.Body,
Subject = emailContent.Subject
};
var smtpClient = new SmtpClient
{
DeliveryMethod = SmtpDeliveryMethod.SpecifiedPickupDirectory,
PickupDirectoryLocation = mailConfigurationPath
};
smtpClient.Send(mailMessage);
}
Is what I'm trying to achieve even possible? It seems pretty straight forward, maybe I'm just going about it the wrong way. Would love some help or even some "crazy" ideas.
This is not possible, because it creates a vulnerability in the email program itself...
http://thenextweb.com/insider/2013/01/07/yahoo-mail-users-hit-by-widespread-hacking-xss-exploit-seemingly-to-blame/
Also, it goes against all the normal user interface guidelines for email programs. Users don't expect an email to transform into an app. They are very familiar with clicking on links in emails though, so you wouldn't want that action to do something weird.
I am creating a free program that has a support request page. This will send me an email and a log file so I can see what is going on.
I have created the email class, but like any email program/class it will require a username, password, email address, etc.
Now, once I put this out, I know that, with the right programs, you can view the code behind on .Net, which I really thing is completely absurd.
Anyhow, I don't want this information out there because it's a support email address and is sensitive information.
What is the best way for me to send an email but not include my sensitive information for all the nosy people out there or hide it so they cannot get to it?
Here is an example of the code I'm referring to:
var emailSettings = new EmailSettings();
emailSettings.Body = richTextBox_Message.Text;
emailSettings.BodyIsHtml = false;
emailSettings.EmailServerEnableSsl = true;
emailSettings.EmailServerPassword = "";
emailSettings.EmailServerPort = 25;
emailSettings.EmailServerUsername = "";
emailSettings.EmailSmtpServer = "";
emailSettings.FromEmailAddress = new MailAddress(textBox_EmailAddress.Text);
emailSettings.Subject = comboBox_TypeOfRequest.Text;
Scary stuff in there :D
Just to clarify, this is a free app so I cannot afford a program to hide the code. :(
It's not safe to use this method to send error reports. Consider using a .php file on a web server to send yourself errors, or some other method.
PHP Email Tutorial
But if you really want to, I believe you might be able to use System.Security.Cryptography to protect your data, I'm not 100% sure on that though, so correct me if I'm wrong.
http://msdn.microsoft.com/en-us/library/system.security.cryptography(v=vs.110).aspx
Say I've got a method in c# MVC to send email with ajax, like:
public class mailController : Controller {
SmtpClient mailserver = new SmtpClient("smtp.foo.com");
public string send(string from, string to, string subject = "", string body = "", string cc = "", string bcc = "") {
MailMessage message = new MailMessage(from, to, subject, body);
if (cc.Length > 0) {
message.CC.Add(cc);
}
if (bcc.Length > 0) {
message.Bcc.Add(bcc);
}
mailserver.Send(message);
return "MessageSent";
}
}
Is there anything I can do to make this more secure? I mean, as it stands anyone can type the relevant info into their address bar. http://www.foo.com/mail/send?from=etc If I want to use this for form submission, I can't password protect it, or I'd have to use that in the javascript, which is easy to find. I considered setting a cookie and using that as authentication, but that only goes so far. Is there a standard procedure for protecting ajax methods?
You need to validate on the server that the parameters are what you want them to be.
You need to implement a secure session token, to prevent unauthorized users (those without valid sessions) from being able to send an email. This is basically no different than any other cross site request forgery (CSRF) attack vector. If you need any additional information just Google 'CSRF protection ASP.NET`' or similar to get some more concrete examples of how to do this.
Your requirements sound mutually exclusive.
If you do want to leave it public, but you don't want it abused, then maybe you could provide some sort of throttle where you only allow x number of requests from a specific IP address.
You can also use mailto: in an HTMLform to prompt the client to send the email.
As a start you can always store the IP that accessed your controller, if same IP is trying to send mail in specific frequency that you define you can deside to block it ot whatever...
at second you can generate a random number in your mailing page that will be send to the controller -> this will allow you to verify that the mail is sent from your site and not from third party