How to Https locally?

Stanley Omega - 03 Aug 2006 12:06 GMT
Hello,

I use the web browser control to display some html reports in a winforms
application. The problem is this kills security because anyone can read the
reports just by accessing the file system.
The reports are generated dynamically at runtime in memory and then saved to
the file system and then the local url is passed to the web browser control
for rendering.

I want to implement the same scenario as Https whereby the user can generate
the report, view it, print it, etc., but once they leave the page the contents
of the page are rendered useless.
I cannot use Windows Explorer to pull out cached files of my most recent
visit to my bank. These appear to be terminated once I leave the site. This
is the behavior I want for reports generated by my application.

Any ideas on how to do this please?

Thanks

Stano
Steve Alpert - 03 Aug 2006 17:51 GMT
> Hello,
>
[quoted text clipped - 11 lines]
> visit to my bank. These appear to be terminated once i leave the site. This
> is the behavior i want for reports generated by my application.

I don't think this has anything to do with https.  What kind of caching
discipline are you setting (if any) in the html header?  Turn off caching.

/steveA

Steve Alpert
my email fgrir.nycreg @ tr.pbz is encrypted with ROT13 (www.rot13.org) and spaces

Stanley Omega - 04 Aug 2006 03:17 GMT
> I don't think this has anything to do with https.  What kind of caching
> discipline are you setting (if any) in the html header.  Turn off caching.
>
> /steveA

Hi Steve,

None. I don't think it has anything to do with https either because my
understanding is that this is encryption across the wire and in my case
there is no wire.
I hope it demonstrates the capability I want however. If someone snoops
through a file system they cannot (easily) access my bank details just
because I surfed there with my browser.

Whereas currently with my app they can easily just pull up the temp files I
use to build the html report page. I can of course delete these post viewing
but I'd rather they were never openly exposed to the filesystem to begin
with. Note I'm using xhtml to provide a much richer layout in my reports than
I can achieve with say Crystal.
So (to anyone) else who may be about to suggest I use Crystal, thanks but
no thanks. The trap being using my own encryption will break the ability of
the webbrowser control to act as the report viewer.

Perhaps I need to be thinking a little more about ntfs? But even then an
admin of a given computer does not and should not necessarily have access
to certain business data.
Hence my need to provide protection over and above the filesystem whilst
delivering rich report layout features and ensuring my costs are kept to a
minimum.

I'm sure there is a really simple, albeit elusive answer to all of this.

Thanks

stano
Marcus - 08 Aug 2006 22:33 GMT
> Whereas currently with my app they can easily just pull up the temp files
> i use to build the html report page. I can of course delete these post
> viewing but i'd rather they
> were never openly exposed to the filesystem to begin with.

There's probably a way that you can manipulate the document of the browser
by directly inserting your html code into the document element of it (think
innerHTML in dhtml). I did this in Framework 1.1, although the web browser
control wasn't available yet, so it wasn't as convenient. I later gave it
up, because it caused problems with running scripts on the page for security
reasons, but you didn't mention needing to do that anyway.

Let me know if you figure it out, because I'm not sure which members to use
myself...

Good luck,
Marcus
Andy - 09 Aug 2006 21:11 GMT
If you're writing to the file system, there's nothing you can do to
stop the user from getting the file.  Even your bank details stored
on the file system could be read before they are deleted.  A user could
even undelete them possibly.

The only method would be to take the html and directly feed it to the
browser control.  (Technically even that's not totally secure; a
user may be able to read the memory from the control, or it may be
written out to the page file, which could be read as well).  Of course
whether or not this is a problem depends on how paranoid you are about
a user getting the data.

FWIW, can't they just save the html source to get the data anyway?

Andy

> > I don't think this has anything to do with https.  What kind of caching
> > discipline are you setting (if any) in the html header.  Turn off caching.
[quoted text clipped - 33 lines]
>
> stano
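
The approach Marcus and Andy describe, feeding the HTML straight to the browser control, shown as an added example that is not code from any poster in this thread. It assumes the .NET 2.0 `WebBrowser` control; `ReportForm` and `BuildReportHtml` are hypothetical names and the report content is constructed sample data.

```csharp
using System;
using System.Text;
using System.Windows.Forms;

// Added example (hypothetical names): show a report that exists only in memory.
sealed class ReportForm : Form
{
    private readonly WebBrowser browser = new WebBrowser();
    private readonly string reportHtml;

    public ReportForm(string reportHtml)
    {
        this.reportHtml = reportHtml;
        Text = "Report";
        Width = 800;
        Height = 600;
        browser.Dock = DockStyle.Fill;
        browser.IsWebBrowserContextMenuEnabled = false; // no right-click menu (View Source etc.)
        browser.WebBrowserShortcutsEnabled = false;     // no Ctrl+S etc.; Ctrl+P is lost as well
        browser.AllowWebBrowserDrop = false;            // a dropped file cannot replace the report
        Controls.Add(browser);
        Button print = new Button();                    // printing stays available via this button
        print.Text = "Print...";
        print.Dock = DockStyle.Top;
        print.Click += delegate { browser.ShowPrintDialog(); };
        Controls.Add(print);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // No Navigate() to a file:// URL and no temp file: the control loads
        // about:blank and writes this string into the document. Relative image or
        // stylesheet links have no base to resolve against, so CSS is kept inline.
        browser.DocumentText = reportHtml;
    }
}

static class Program
{
    static string BuildReportHtml() // constructed sample; the real generator goes here
    {
        StringBuilder sb = new StringBuilder("<html><head><style>");
        sb.Append("td{border:1px solid #999;padding:4px}</style></head><body>");
        sb.Append("<h1>Quarterly report (sample)</h1><table>");
        sb.Append("<tr><td>Region A</td><td>1200</td></tr>");
        sb.Append("<tr><td>Region B</td><td>950</td></tr></table></body></html>");
        return sb.ToString();
    }

    [STAThread]
    static void Main() { Application.Run(new ReportForm(BuildReportHtml())); }
}
```

This keeps the report out of the temp directory; it does not address the process-memory and page-file exposure Andy points out.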
