Small width layout Medium width layout Maximum width layout Small text Medium text Large text
     Search
Downloads Downloads Directory Directory Forums Forums Forge Forge Blogs Blogs        Marketplace Marketplace Careers Program Careers
Community › Forums Register  |  

Maximum ASP
  Need Help?  
Professional technical support for DotNetNuke is available from DotNetNuke Corporation.
 


  Ads  
Aspose - The .NET & Java component publisher
 


  Sponsors  

Meet Our Sponsors

.: CounterSoft :.
telerik
ExactTarget email software solutions
Merak Mail Server
WebSecureStores -- ASP.NET & DotNetNuke Hosting Solutions
FCKeditor Project
 


DotNetNuke Forums
 
  Forum  General DotNetN...  Chat About It!  DotNetNuke Security
Previous Previous
 
Next Next
New Post 2/11/2008 3:56 PM
User is offline Ferry Mulyono
39 posts
10th Ranked


DotNetNuke Security 

Hi all,

Currently I'm negotiating with a client; I'm proposing a system that's accessibly by public from the Internet, and basically they're concern with the security of their data. Anyone knows in detail how security mechanism in DNN works? I mean, I know they used ASP.NET Provider and all, but I'm more interested in the logic implemented in those provider (encryption algorithm, etc).

Thanks

Ferry Mulyono
DotNetNuke Skins
 
New Post 2/11/2008 4:08 PM
User is offline cathal connolly
2638 posts
www.cathal.co.uk
5th Ranked










Re: DotNetNuke Security 

If you take a look in your web.config for the AspNetSqlMembershipProvider node you'll see the comment block that describes the available options, and the declaration that sets them. By default we use triple-des encryption. All password encryptions also automatic set a SALT value to protect against dictionary based attacks. In additioin you require passwords of at least 7 characters, but you can change this to higher values and also include a mandatory number of non-alphanumeric characters. Once logged in a forms authentication cookie is created and encrypted to ensure it's non-tamperable.

Cathal
 
New Post 2/11/2008 5:15 PM
User is offline Ferry Mulyono
39 posts
10th Ranked


Re: DotNetNuke Security 

Hi cathal,

I was just reading one of your article regarding the security analysis on DNN, and it's very useful. Thanks for the very quick and explanatory reply, it answers all my questions. But I do have one more question, regarding the article you published. In that article, you mentioned that "Dotnetnuke has a built in function under the host menu that will accept al Password Encryption Key, and will encrypt the user details in the database. ". I was wondering if this is true? I'm using DNN 4.8.0 now, and I can't seem to find such option. Can you help me find it?

Thanks a lot =)

Ferry Mulyono
DotNetNuke Skins
 
New Post 2/11/2008 7:13 PM
User is offline Sanjay Mehrotra
506 posts
www.acuitisolutions.com
8th Ranked




Re: DotNetNuke Security 

Ferry - that was an old option from the 2x days of DNN. With the newer (3x and 4x versions), there is a machinekey that is set in your web.config which it uses to hash the passwords. It becomes crucial to carry this key around (from version to version) otherwise your users would not be able to log in. 
The first time you setup a dnn site, it will set the machine keys for you which would then be used when people log into their accounts on dnn...

 

Sanjay

 

AcuitiDP - Oracle Data Provider for DotNetNuke
 
New Post 2/11/2008 7:24 PM
User is offline Ferry Mulyono
39 posts
10th Ranked


Re: DotNetNuke Security 

If I'm not mistaken, those machine keys are used only to encrypt the password of the whole portal right? I was wondering, if it's possible to encrypt the whole profile (names, address, etc) of registered users automatically?

Ferry Mulyono
DotNetNuke Skins
 
 Page 1 of 212Next 
Previous Previous
 
Next Next
  Forum  General DotNetN...  Chat About It!  DotNetNuke Security
 


Forum Policy

These Discussion Forums are dedicated to the discussion of the DotNetNuke Web Application Framework.

For the benefit of the community and to protect the integrity of the project, please observe the following posting guidelines:

1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DotNetNuke.
2. Discussion or promotion of DotNetNuke product releases under a different brand name are strictly prohibited.
3. No Flaming or Trolling.
4. No Profanity, Racism, or Prejudice.
5. Site Moderators have the final word on approving/removing a thread or post or comment.
6. English language posting only, please.
 


IHostASP.NET Provides the Ideal DNN Hosting
We will help you with the installation, configuration, and troubleshooting of your DNN portal, no task is too big or small for us. Unlike other companies we are not just providing a reliable hosting service, but we are also focused on providing the best DotNetNuke hosting service on the internet.
www.ihostasp.net 		$7.16/mo - Powerful DotNetNuke / DNN Hosting
Powerful DotNetNuke / DNN Hosting on Windows 2008 and 2003 servers, starting at under $8/mo with FREE SQL 2008 on certain plans and FREE SQL 2005 on all plans with FREE Installation and expert support.
www.re-invent.com 		ASP.NET Web Hosting for $3.95
3 Month FREE ASP.NET Hosting! FREE Setup! DNN Support! FREE Domain Name! FREE Components! Host multiple websites on 1 plan! 30 Days Money Back Guarantee!
www.dailyrazor.com

DotNetNuke Corporation   Terms Of Use  Privacy Statement
DotNetNuke®, DNN®, and the DotNetNuke logo are trademarks of DotNetNuke Corporation
Hosted by MaximumASP