Camillia asked:

(web app) reading from registry in web??

I'm working on a project... it's a C#/web app, not a Windows app. It's an ecommerce app and when the user wants to check out, they enter a credit card number. The code goes through a section that's looking for a registry entry on the user's machine. But this is a web app... you can't create a registry entry on people's machines... that would be a security risk if an app allows a client browser to read/write to the registry (is this correct?)

This is the line of code. I don't think a web app should be doing this... how can we create this registry entry on people's machines using the web??
using Microsoft.Win32;   // required for Registry / RegistryKey (not shown in the original snippet)

// The enclosing class and the two field values are assumed; the post shows only the method.
internal static class KeyStore
{
    private const string _keyRegistryPath = @"SOFTWARE\<placeholder-vendor>\<placeholder-app>";
    private const string _keyRegistryName = "<placeholder-value-name>";

    // Reads the key from HKEY_LOCAL_MACHINE on the machine the code runs on,
    // i.e. the web server, never the visitor's browser.
    private static byte[] GetKeyFromRegistry()
    {
        byte[] key = new byte[0];

        // Opened read-only (writable: false); OpenSubKey returns null if the path does not exist.
        using (RegistryKey reg = Registry.LocalMachine.OpenSubKey(_keyRegistryPath, false))
        {
            if (reg != null)
            {
                // GetValue returns the default (the empty array) if the value name is missing.
                // The cast throws InvalidCastException if the value is not REG_BINARY.
                key = (byte[])reg.GetValue(_keyRegistryName, key);
            }
        }

        return key;
    }
}

ASKER CERTIFIED SOLUTION by ShazbotOK (solution text not available on this page)
Camillia (asker):

Yeah, I don't think that section of code is correct. Don't think it was ever tested.

This is the credit card processing section of the code. Do you have an example of what you're describing... to save in DB, encrypt, etc?

SOLUTION (solution text not available on this page)

Well, you would first have to create a DB schema if you have not yet done so... here is a simplistic example tutorial on how to create a schema and some code on how to access/validate...

http://www.smoothjazzy.com/prog_login_db.html

I would expand the DB to include more fields to hold encrypted information that you may want to store...

If you check out my archived solutions I have one that gives source code for using C# to encrypt/decrypt data.

Let me look at your link, but since it's "running on the SERVER, not the CLIENT"... and we're hosting the web app here... then it's OK to create this registry entry on our server? Yes? Then that code would be OK to access our registry. We'll just create it manually and have the code read the registry on our server... That's how the classic ASP version of this app works now (I checked with the ex-developers)...

You need to make sure that the page that prompts for the credit card information is HTTPS. You can then store the card number, expiration date, and holder information in encrypted DB fields. You should generate encryption keys on the server using .NET Framework STRONG encryption. Don't use home-grown or weak encryption schemes. Do NOT store the security code from the credit card (the 3 or 4 digit number). It is illegal to store that anywhere.

If you think I'm trying to scare you, you are right. Credit card data is serious business and the card companies are going after businesses that don't follow the rules. If you aren't doing this right, you risk fines and liability for any identity theft. The correct procedures are too involved to go into here. Please contact us from the link in my earlier post for help.

You can find snippets here and there, but that's just hacking. Get a professional who knows what he/she is doing.

Your ASP.NET process is probably not privileged enough to access the registry on the server. If it is, that is a huge security risk. If someone hacks your site, then the elevated privileges of the server process will allow them to totally take over the server. You should not be storing anything in the registry, period. There is no acceptable best practice for that.

The question here is not about whether or not the method works, but why it is even there. Where is it being called from? What data is being stored in the registry? The application should be changed to store the information in a database or even a flat file.

The code was written by a group of developers from a consulting firm. We're just trying to test it on my server here. I think the issue with the code is that it's looking for a registry entry and it's not finding it. They haven't created that registry entry on our server. Otherwise, I see routines for encryption/decryption of credit card info in the code...

Let me create that entry and see if this works...

Just saw your other msg... let me first make sure the code works as it is... then I can look into using a database...

Farzadw - see my last comment about accessing the registry. Have you paid them yet? They should never access the registry. Application configuration should be in web.config or machine.config, never the registry. That's .NET 101 stuff.
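As an added example (not code from the thread, and not the consulting firm's app) of how the advice in this post and the earlier one on encrypted DB fields fits together in C#: the AES-256 key is read from configuration rather than the registry, each card record is sealed with AES-GCM under a fresh random nonce so a tampered row fails on read, only the last four digits are kept in clear for display, and the vault never takes a CVV argument at all. It targets .NET 8; the configuration lookup, the column layout of `StoredCard`, and the constructed test card number are assumptions.

```csharp
// Added example; not code from the thread. Requires .NET 8 (AesGcm with explicit tag size).
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Assumed database row shape: ciphertext + nonce + tag + last four digits. No CVV column exists.
public sealed class StoredCard
{
    public string Last4 { get; init; } = "";
    public byte[] Nonce { get; init; } = Array.Empty<byte>();
    public byte[] Ciphertext { get; init; } = Array.Empty<byte>();
    public byte[] Tag { get; init; } = Array.Empty<byte>();
}

public sealed class CardVault
{
    private readonly byte[] _key;

    // The Base64 key string is expected to come from configuration, e.g.
    // ConfigurationManager.AppSettings["CardKey"] on ASP.NET Framework or
    // IConfiguration["CardKey"] on ASP.NET Core, never from the registry.
    public CardVault(string base64Key)
    {
        _key = Convert.FromBase64String(base64Key);
        if (_key.Length != 32) throw new ArgumentException("Key must be 256 bits.");
    }

    // Seals PAN + expiry. There is deliberately no CVV parameter: it must never be stored.
    public StoredCard Protect(string pan, string expiry)
    {
        string digits = pan.Replace(" ", "").Replace("-", "");
        if (digits.Length < 13 || digits.Length > 19 || !digits.All(char.IsDigit))
            throw new ArgumentException("Invalid PAN.");

        byte[] plaintext = Encoding.UTF8.GetBytes(digits + "|" + expiry);
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 12 bytes, unique per record
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];                           // 16-byte authentication tag

        using var aes = new AesGcm(_key, tag.Length);
        aes.Encrypt(nonce, plaintext, ciphertext, tag);

        return new StoredCard
        {
            Last4 = digits[^4..],
            Nonce = nonce,
            Ciphertext = ciphertext,
            Tag = tag
        };
    }

    // Opens a record; AesGcm.Decrypt throws if the ciphertext, nonce or tag were altered.
    public (string Pan, string Expiry) Unprotect(StoredCard record)
    {
        byte[] plaintext = new byte[record.Ciphertext.Length];
        using var aes = new AesGcm(_key, record.Tag.Length);
        aes.Decrypt(record.Nonce, record.Ciphertext, record.Tag, plaintext);
        string[] parts = Encoding.UTF8.GetString(plaintext).Split('|');
        return (parts[0], parts[1]);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed key for the demo only; in production generate it once and keep it in config.
        string demoKey = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        var vault = new CardVault(demoKey);

        StoredCard row = vault.Protect("4111 1111 1111 1111", "12/29"); // constructed test PAN
        Console.WriteLine($"stored: last4={row.Last4}, ciphertext={row.Ciphertext.Length} bytes");

        var (pan, expiry) = vault.Unprotect(row);
        Console.WriteLine(pan == "4111111111111111" && expiry == "12/29" ? "round-trip ok" : "mismatch");

        row.Ciphertext[0] ^= 0x01; // simulate a tampered row
        try { vault.Unprotect(row); }
        catch (CryptographicException) { Console.WriteLine("tampered row rejected"); }
    }
}
```

The nonce and tag are stored beside the ciphertext because they are not secret; only the key is, which is why it belongs in protected configuration or a secrets store rather than anywhere the web process could be coaxed into reading or writing.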


I know a web app's info shouldn't be in the registry. At my last job, that's what my manager wanted to do and I said no. I've seen it done in Windows apps but not in a web app...

I'm new to this app... trying to figure out the bugs and what's going on for now...