Archive for August, 2008

Programming Best Practices Part 2

August 31, 2008
I think you should first read the "Programming Best Practices Part 1" article I posted before, especially the Security Related Best Practices part.
 
Here I mention some more Security Related Best Practices for web applications.
 
1- Avoid using Cookies for sensitive stuff:-
 
Avoid storing sensitive data in cookies, because they are accessible to the user, can be edited, or even reused for impersonation. Cookies are easily accessible at
Drive Letter\Documents and Settings\User Name\Cookies
 
Have a look at that folder and you will be impressed by all the stuff stored there.
 
 
2- View State Variables:-
 
Some developers rely on passing sensitive information in view state variables or hidden form fields. This information can be easily seen by viewing the HTML source of the loaded web page.
 
<input type="hidden" name="_whateverIWannaHide" value="This value can be easily seen">
 

Nothing placed in the HTML code is ever hidden from the user, so sensitive stuff does not belong there.
 
3- Query Strings:-
 
Avoid passing sensitive parameters in the URL like http://www.mysite.com?uid=123
 
This is a bad security practice.
 
You should rather rely on tokens and tickets, or some other authentication mechanism such as .Net Passport, or use SharePoint servers or similar to manage authentication for your user profiles.
 
4- Session State Time:-
 
Edit your web.config file.
If you are coding for sensitive applications like online banking, I recommend making the session state timeout shorter. I believe that the default of 20 minutes is too long.
 
This is done by changing the timeout value.
The default is: timeout="20"
 
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;user id=sa;password="
cookieless="false" timeout="20" />
 
Make it 10, or whatever value you think is never more than the time a user actually needs.
 
This is useful to force a user to log in again.
 
Imagine this scenario:
Especially on public computers, a user may forget to sign out and somebody else uses the computer later. The next user can get into the first user's account from the browser history if the session has not timed out yet.
Making the session timeout short protects your users' sensitive stuff and forces anybody else to sign in again.
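As an added example (not part of the original post), here is a small Python audit script that checks the settings discussed in points 1 and 4 above: it parses the sessionState element shown in the post and flags a timeout above the recommended limit, cookieless sessions (which put the session id in the URL, see point 3), an empty password in the quoted sqlConnectionString, and cookies that are not marked HttpOnly via the httpCookies element. The sample web.config is constructed here from the post's fragment; the threshold of 10 minutes is the post's own suggestion.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config based on the sessionState fragment quoted in the post.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424"
      sqlConnectionString="data source=127.0.0.1;user id=sa;password="
      cookieless="false" timeout="20" />
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>
"""

# Constructed corrected version: shorter timeout, no database credentials in the
# config, and cookies marked HttpOnly so page script cannot read them.
FIXED_WEB_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="false" timeout="10" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
"""


def audit_session_config(config_xml, max_timeout_minutes=10):
    """Return a list of findings (strings) for the session-related settings in web.config."""
    root = ET.fromstring(config_xml)
    findings = []
    ss = root.find("./system.web/sessionState")
    # ASP.NET falls back to a 20 minute timeout when the element or attribute is absent.
    timeout = int(ss.get("timeout", "20")) if ss is not None else 20
    if timeout > max_timeout_minutes:
        findings.append(f"session timeout {timeout} min exceeds {max_timeout_minutes} min")
    if ss is not None:
        if ss.get("cookieless", "false").lower() in ("true", "useuri"):
            findings.append("cookieless sessions place the session id in the URL")
        # Connection strings are ';'-separated key=value pairs; an empty password is a red flag.
        for part in ss.get("sqlConnectionString", "").split(";"):
            key, _, value = part.partition("=")
            if key.strip().lower() == "password" and value.strip() == "":
                findings.append("sqlConnectionString uses an empty password")
    cookies = root.find("./system.web/httpCookies")
    if cookies is None or cookies.get("httpOnlyCookies", "false").lower() != "true":
        findings.append("httpOnlyCookies is not enabled; cookies are readable by page script")
    return findings


if __name__ == "__main__":
    for finding in audit_session_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```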
 
I'll wait for your comments and feedback.
 

Categories: Developer

I'm Back :)

August 18, 2008
Dear All ….
 
Sorry for being away all that long time.
 
At last I've graduated 🙂. No more going away for the exams.
 
Wishing you all the best.
 
Waiting for your comments to go blogging more and more.
 
Bye all ….
 
 
Categories: General Speaking