Regenerating SessionID in ASP.NET

Creating a New ASP.NET_SessionId and Carrying the Current Session's Values Over to It

ASP.NET keeps the same ASP.NET_SessionId for the life of the browser session, and Session.Abandon() does not change it. That makes the application vulnerable to session fixation: an attacker who gets a victim to use an id the attacker already knows (for example by planting the cookie) can use that same id after the victim logs in. The fix is to issue a new id at the moment privileges change, typically right after a successful login, without losing the values already stored in the session. The helper below does that by creating a new id, writing it to the response cookie, and re-pointing the in-flight session state at it through the private fields of SessionStateModule.

using System.Reflection;
using System.Web;
using System.Web.SessionState;

public static class SessionRegenerator
{
    // Issues a fresh ASP.NET_SessionId for the current request and re-points the
    // in-flight session state at it, so the values already in Session are saved
    // under the new id when the request ends. Call it immediately after a
    // successful login. Depends on private fields of SessionStateModule as they
    // exist in .NET Framework 2.0 to 4.x; verify after a framework upgrade.
    public static void RegenerateSessionId()
    {
        HttpContext context = HttpContext.Current;
        SessionIDManager manager = new SessionIDManager();
        string oldId = manager.GetSessionID(context);
        string newId = manager.CreateSessionID(context);

        // Writes the new id into the response (cookie, or URL for cookieless sessions).
        bool isAdd = false, isRedir = false;
        manager.SaveSessionID(context, newId, out isRedir, out isAdd);

        HttpApplication app = context.ApplicationInstance;
        HttpModuleCollection mods = app.Modules;
        SessionStateModule ssm = (SessionStateModule)mods.Get("Session");
        FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
        SessionStateStoreProviderBase store = null;
        FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
        foreach (FieldInfo field in fields)
        {
            if (field.Name.Equals("_store")) store = (SessionStateStoreProviderBase)field.GetValue(ssm);
            if (field.Name.Equals("_rqId")) rqIdField = field;
            if (field.Name.Equals("_rqLockId")) rqLockIdField = field;
            if (field.Name.Equals("_rqSessionStateNotFound")) rqStateNotFoundField = field;
        }

        // Release the exclusive lock the module took on the old item at the start of the
        // request; otherwise the old item stays locked until the lock times out.
        object lockId = rqLockIdField.GetValue(ssm);
        if ((lockId != null) && (oldId != null)) store.ReleaseItemExclusive(context, oldId, lockId);

        // Mark the state as "not found" so the module saves the in-memory data as a new
        // item, and switch the request's id to the new one. The old item is not deleted
        // here; it remains in the store (with only its pre-login contents) until it expires.
        rqStateNotFoundField.SetValue(ssm, true);
        rqIdField.SetValue(ssm, newId);
    }
}
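The login and logout sequence the helper above is meant to sit in, added here as an example and not part of the original post. It assumes the helper lives in a static class named SessionRegenerator, that credentials are checked with the stock ASP.NET Membership provider, and that Forms authentication is configured in web.config; the session keys stored are placeholders.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example (not from the original post). Assumes the reflection helper is
// SessionRegenerator.RegenerateSessionId() and that Membership / Forms auth are configured.
public static class LoginFlow
{
    // Returns true when the user is authenticated and the session has been re-keyed.
    public static bool CompleteLogin(HttpContext context, string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            return false;   // wrong credentials: leave the anonymous session exactly as it was

        HttpSessionState session = context.Session;

        // Session.Abandon() alone is not a fix: ASP.NET keeps accepting the same
        // ASP.NET_SessionId cookie value on the next request, so an id planted by an
        // attacker before login would still be valid afterwards. Issuing a new id is
        // what breaks the fixation chain. Do it BEFORE storing anything privileged.
        SessionRegenerator.RegenerateSessionId();

        // Values stored before this point (e.g. a shopping cart) are carried over to the
        // new id by the helper; for a clean slate call session.Clear() before it instead.
        session["UserName"] = userName;               // placeholder keys
        session["AuthenticatedAtUtc"] = DateTime.UtcNow;

        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    // Logout: drop the server-side state and expire the cookie so the id is not reused.
    public static void Logout(HttpContext context)
    {
        FormsAuthentication.SignOut();
        context.Session.Abandon();

        // Abandon() by itself leaves the cookie in the browser and ASP.NET would reuse
        // the id for the next anonymous session; expiring the cookie prevents that.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        context.Response.Cookies.Add(expired);
    }
}
```

Within the request that calls CompleteLogin, do not rely on Session.SessionID to confirm the change: the new id is what the Set-Cookie header carries, and the browser presents it from the next request on. A quick check is to compare the ASP.NET_SessionId value in the login response's Set-Cookie header with the one sent in the request; they must differ.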


Encryption and Decryption in C# – Data Encryption Standard (DES) and Triple DES (3DES)

In cryptography, encryption is the process of encoding messages or information so that only authorized parties can read it. Transforming the plain text into cipher text requires a secret piece of information, usually referred to as the key.

Decryption is the reverse process: converting the cipher text back into its original form so it can be understood. With a sound algorithm this is only possible for a party that holds the right key.

There are many modern cryptographic methods for encryption and decryption; the key-based ones fall into two classes, which in practice are usually combined.

1.     Symmetric Algorithm

a.    The same key is used for both encryption and decryption, so every party that holds the key must keep it secret.

b.     Symmetric ciphers are divided into stream ciphers and block ciphers.

i.      Stream Ciphers – encrypt the plain text one bit (or byte) at a time by combining it with a key stream.

ii.      Block Ciphers – take a fixed number of bits (64 for DES and 3DES, 128 for AES) and encrypt them as a single unit. A mode of operation (ECB, CBC, CTR, GCM, ...) defines how successive blocks are handled; choosing it badly, as with ECB, leaks structure even when the cipher itself is sound.

2.       Asymmetric Algorithm

a.       Different keys are used for encryption and decryption. It is also called a public-key algorithm.

b.      The encryption key is public and the decryption key is kept secret.

c.       Anyone can encrypt a message with the public key, but only the holder of the private key can decrypt it.

3.       Hybrid Encryption – symmetric and asymmetric algorithms used together: the asymmetric algorithm protects a random symmetric key, and the much faster symmetric algorithm encrypts the bulk data. SSL/TLS works this way.

Algorithm Requirements:

1.       The key must be kept secret and must be generated at random, from a cryptographic random number generator rather than from a memorable string.

2.       It must not be feasible to recover the key even when both the plain text and the corresponding cipher text are known (resistance to known-plaintext attacks).

Types of Symmetric Encryption Algorithm:

1.       Data Encryption Standard (DES) – 64-bit block, 56-bit key. Brute-forced in practice since 1998; do not use it for new work.

2.       Triple DES (3DES) – DES applied three times; 64-bit block, 112-bit (two-key) or 168-bit (three-key) key. Deprecated by NIST in SP 800-131A with encryption disallowed after 2023; the 64-bit block also limits how much data one key can safely protect.

3.       Advanced Encryption Standard (AES) – 128-bit block, 128/192/256-bit key. The current recommendation.

Below is an example of encryption and decryption in C# using the Triple DES algorithm. As written it uses ECB mode and a fixed key derived with MD5; both weaknesses are flagged in the code comments, so read it as a walkthrough of the .NET API rather than as a design to copy.

using System;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Text;

public class Program
{
    static void Main(string[] args)
    {
        var text = "This is Plain Text";

        var encryptedText = CryptoGraphyExample.EncryptPlainTextToCipherText(text);
        var decryptedText = CryptoGraphyExample.DecryptCipherTextToPlainText(encryptedText);

        Console.WriteLine("Passed Text = " + text);
        Console.WriteLine("EncryptedText = " + encryptedText);
        Console.WriteLine("DecryptedText = " + decryptedText);

        Console.ReadLine();
    }
}

public class CryptoGraphyExample
{
    /// <summary>
    /// Passphrase from which the 3DES key is derived. A constant compiled into the assembly is
    /// recoverable by anyone who can read the binary; a real key must be random (e.g. from
    /// RandomNumberGenerator) and loaded from protected configuration or a key store.
    /// </summary>
    private const string _securityKey = "MyComplexPrivateKey";

    /// <summary>
    /// Converts plain text to cipher text (Base64-encoded).
    /// </summary>
    /// <param name="PlainText">Plain text to encrypt before transferring over the network.</param>
    /// <returns>Cipher text</returns>
    public static string EncryptPlainTextToCipherText(string PlainText)
    {
        // Get the bytes of the input string.
        byte[] toEncryptedArray = UTF8Encoding.UTF8.GetBytes(PlainText);

        MD5CryptoServiceProvider objMD5CryptoService = new MD5CryptoServiceProvider();

        // Hash the passphrase to obtain key bytes. MD5 yields 16 bytes, so this is a two-key
        // 3DES key (K1 = K3, 112-bit). An unsalted single hash is a weak key-derivation
        // function: a proper design uses a random key or PBKDF2 with a salt and iterations.
        byte[] securityKeyArray = objMD5CryptoService.ComputeHash(UTF8Encoding.UTF8.GetBytes(_securityKey));

        // Release the hash object after use.
        objMD5CryptoService.Clear();

        var objTripleDESCryptoService = new TripleDESCryptoServiceProvider();

        // Assign the key to the TripleDES provider.
        objTripleDESCryptoService.Key = securityKeyArray;

        // Electronic Code Book mode: every identical 8-byte plaintext block produces an identical
        // ciphertext block, so patterns in the input show through the output. Prefer CBC with a
        // random IV plus an HMAC, or an authenticated mode such as AES-GCM.
        objTripleDESCryptoService.Mode = CipherMode.ECB;

        // PKCS7 padding fills the last block up to the 8-byte boundary.
        objTripleDESCryptoService.Padding = PaddingMode.PKCS7;

        var objCrytpoTransform = objTripleDESCryptoService.CreateEncryptor();

        // Transform the whole input in one call; padding is applied here.
        byte[] resultArray = objCrytpoTransform.TransformFinalBlock(toEncryptedArray, 0, toEncryptedArray.Length);

        // Release the TripleDES provider (zeroes its key material).
        objTripleDESCryptoService.Clear();

        // Return the encrypted bytes as a Base64 string.
        return Convert.ToBase64String(resultArray, 0, resultArray.Length);
    }

    /// <summary>
    /// Converts Base64-encoded cipher text back to plain text.
    /// </summary>
    /// <param name="CipherText">Encrypted text</param>
    /// <returns>Plain/decrypted text</returns>
    public static string DecryptCipherTextToPlainText(string CipherText)
    {
        byte[] toEncryptArray = Convert.FromBase64String(CipherText);

        MD5CryptoServiceProvider objMD5CryptoService = new MD5CryptoServiceProvider();

        // Derive the same key bytes from the passphrase (same caveats as in encryption).
        byte[] securityKeyArray = objMD5CryptoService.ComputeHash(UTF8Encoding.UTF8.GetBytes(_securityKey));

        // Release the hash object after use.
        objMD5CryptoService.Clear();

        var objTripleDESCryptoService = new TripleDESCryptoServiceProvider();

        // Assign the key to the TripleDES provider.
        objTripleDESCryptoService.Key = securityKeyArray;

        // Mode and padding must match the encryption side exactly.
        objTripleDESCryptoService.Mode = CipherMode.ECB;
        objTripleDESCryptoService.Padding = PaddingMode.PKCS7;

        var objCrytpoTransform = objTripleDESCryptoService.CreateDecryptor();

        // Decrypt and strip the padding. Note there is no integrity check: a modified
        // ciphertext either decrypts to garbage or throws a CryptographicException on bad
        // padding, and an attacker can use that difference as a padding oracle.
        byte[] resultArray = objCrytpoTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);

        // Release the TripleDES provider.
        objTripleDESCryptoService.Clear();

        // Return the decrypted bytes as a string.
        return UTF8Encoding.UTF8.GetString(resultArray);
    }
}
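A hardened replacement for the example above, added here as an illustration and not part of the original post: AES-256 in CBC mode with a fresh random IV per message, a key pair derived from the passphrase with PBKDF2 and a per-message salt, and an HMAC-SHA256 tag verified before any decryption takes place. The passphrase, the iteration count and the blob layout (salt || iv || ciphertext || tag) are choices made for this example; the APIs are those of .NET Framework 4.x / .NET Standard 2.0 so the code sits beside the original.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post): authenticated encryption with
// AES-CBC + HMAC-SHA256 and PBKDF2 key derivation. Layout: salt(16) || iv(16) || ct || tag(32).
public static class AesCbcHmacExample
{
    private const int SaltBytes = 16, IvBytes = 16, KeyBytes = 32, MacBytes = 32;
    private const int Pbkdf2Iterations = 100000;   // assumption: tune to your hardware budget

    // Two independent 256-bit keys from one passphrase. PBKDF2 (HMAC-SHA1 in this overload)
    // with a random salt replaces the constant, unsalted MD5 hash used in the original.
    private static void DeriveKeys(string passphrase, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, Pbkdf2Iterations))
        {
            encKey = kdf.GetBytes(KeyBytes);
            macKey = kdf.GetBytes(KeyBytes);   // next 32 bytes of the stream: distinct from encKey
        }
    }

    public static string Encrypt(string passphrase, string plainText)
    {
        byte[] salt = new byte[SaltBytes], iv = new byte[IvBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
            rng.GetBytes(iv);   // fresh IV per message: equal plaintexts no longer give equal output
        }
        byte[] encKey, macKey;
        DeriveKeys(passphrase, salt, out encKey, out macKey);

        byte[] cipher;
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.IV = iv;
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plainText);
                cipher = enc.TransformFinalBlock(pt, 0, pt.Length);
            }
        }

        byte[] blob = new byte[SaltBytes + IvBytes + cipher.Length + MacBytes];
        Buffer.BlockCopy(salt, 0, blob, 0, SaltBytes);
        Buffer.BlockCopy(iv, 0, blob, SaltBytes, IvBytes);
        Buffer.BlockCopy(cipher, 0, blob, SaltBytes + IvBytes, cipher.Length);
        // Encrypt-then-MAC over salt, IV and ciphertext, so nothing the decryptor uses is unauthenticated.
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, blob.Length - MacBytes);
            Buffer.BlockCopy(tag, 0, blob, blob.Length - MacBytes, MacBytes);
        }
        return Convert.ToBase64String(blob);
    }

    public static string Decrypt(string passphrase, string blobBase64)
    {
        byte[] blob = Convert.FromBase64String(blobBase64);
        if (blob.Length < SaltBytes + IvBytes + MacBytes)
            throw new CryptographicException("Blob too short.");

        byte[] salt = new byte[SaltBytes], iv = new byte[IvBytes];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltBytes);
        Buffer.BlockCopy(blob, SaltBytes, iv, 0, IvBytes);
        byte[] encKey, macKey;
        DeriveKeys(passphrase, salt, out encKey, out macKey);

        // Verify the tag before touching the ciphertext; compare in constant time so the
        // decision does not leak through timing, and give one generic error for any failure.
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, blob.Length - MacBytes);
            int diff = 0;
            for (int i = 0; i < MacBytes; i++) diff |= expected[i] ^ blob[blob.Length - MacBytes + i];
            if (diff != 0) throw new CryptographicException("Authentication failed.");
        }

        int cipherLen = blob.Length - SaltBytes - IvBytes - MacBytes;
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.IV = iv;
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(blob, SaltBytes + IvBytes, cipherLen);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    public static void Main()
    {
        const string pass = "correct horse battery staple";   // demo passphrase, constructed for this example
        string c1 = Encrypt(pass, "This is Plain Text");
        string c2 = Encrypt(pass, "This is Plain Text");
        Console.WriteLine(c1 == c2 ? "BUG: deterministic output" : "Same input, different ciphertexts (random salt/IV).");
        Console.WriteLine("Decrypted: " + Decrypt(pass, c1));
        try { Decrypt("wrong passphrase", c1); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

To see the difference concretely, feed the page's EncryptPlainTextToCipherText sixteen identical bytes ("AAAAAAAAAAAAAAAA"): the first two 8-byte blocks of the decoded ciphertext are identical, which is the pattern leak ECB mode causes, whereas the example above yields a different blob every run for the same input. On .NET Core 3.0 and later the AesGcm class provides the same confidentiality and integrity guarantees in a single primitive and is the simpler choice there.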

Secure Sockets Layer (SSL): How It Works

An SSL certificate, together with the SSL/TLS protocol it is used with, protects the information flowing between your customers and your website. Data in transit, such as names, addresses, passwords, account and credit card numbers, is encrypted so that anyone who intercepts it on the network can neither read it nor alter it unnoticed. The certificate covers the connection only; it does nothing for data stored on the server.

WHERE WOULD I USE AN SSL CERTIFICATE?

The short answer to this question is that you would use an SSL Certificate anywhere that you wish to transmit information securely.

Here are some examples:

Securing communication between your web site and your customer’s Internet browser.

Securing internal communications on your corporate intranet.

Securing email communications sent to and from your network (or private email address).

Securing information between servers (both internal and external).

Securing information sent and received via mobile devices.

What Happens When a Web Browser Connects to a Secure Web Site

Encryption Protects Data During Transmission

Web servers and Web browsers rely on the Secure Sockets Layer (SSL) protocol, today superseded by its successor Transport Layer Security (TLS), to create an encrypted channel for private communications over the public Internet. Each SSL Certificate binds a public key to a domain name; the matching private key stays on the server and is never transmitted. The key pair is used to prove the server's identity and to establish a per-connection session key; the session data itself is then encrypted with a symmetric cipher such as AES under that key. When a Web browser points to a secured domain, the cipher and key length are negotiated from what the browser, operating system and host server all support. That is why SSL Certificates are advertised with a range of encryption levels such as "up to 256-bit".

Strong encryption at 128 bits has 2^88 times as many possible keys as 40-bit encryption, that is over a trillion times a trillion times as many. At current computing speeds, a hacker with the time, tools and motivation to attack by brute force would need on the order of a trillion years to break a single 128-bit session. (SGC, Server Gated Cryptography, was a 1990s mechanism that let export-restricted browsers step up from 40-bit to 128-bit keys when talking to an SGC-enabled certificate; every modern browser negotiates 128- or 256-bit AES without it.) In practice the key length is decided by the server's cipher-suite configuration and the client, not by the certificate: configure the server for TLS 1.2 or later with AES-128 or AES-256 suites, and effectively all visitors get strong encryption.

Credentials Establish Identity Online

Credentials for establishing identity are common: a driver's license, a passport, a company badge. SSL Certificates are credentials for the online world, issued to a specific domain and Web server and signed by the SSL Certificate provider (the certificate authority) after it has verified the applicant. When a browser connects to a server, the server sends its certificate to the browser, which checks the signature chain up to a trusted root, the domain name and the validity period before it shows the padlock. To view a Web site's credentials:

  • Click the closed padlock in a browser window

  • Click the trust mark (such as the Trust Seal)

  • Look in the green address bar*

* Only SSL Certificates with EV (Extended Validation) triggered browsers to display the organization's name in a green address bar. Current Chrome and Firefox releases have dropped that treatment: EV and non-EV certificates get the same padlock, and the organization name is visible only in the certificate details behind it.
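What the browser does behind the padlock can be reproduced from code. The following is an added example, not from the original article: it opens a TLS connection with SslStream, reports the negotiated protocol, cipher and key strength (the "level of encryption" discussed above), prints the credential the server presented, and refuses the session if the chain, name or validity check fails. It needs network access; the host is a placeholder command-line argument, and the SslProtocols.Tls13 value requires .NET Framework 4.8 or .NET Core 3.0+.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original article): inspect a TLS handshake with SslStream.
// Usage: TlsInspector <host> [port]   (host is an assumption supplied by the caller)
public static class TlsInspector
{
    public static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "example.com";   // placeholder host
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;
        try
        {
            Inspect(host, port);
            return 0;
        }
        catch (AuthenticationException ex)
        {
            Console.Error.WriteLine("Handshake rejected: " + ex.Message);
            return 1;
        }
    }

    public static void Inspect(string host, int port)
    {
        using (var tcp = new TcpClient(host, port))
        using (var tls = new SslStream(tcp.GetStream(), false, ValidateServerCertificate))
        {
            // Offer only current protocol versions; SSL 3.0 and TLS 1.0/1.1 are deprecated.
            tls.AuthenticateAsClient(host, null, SslProtocols.Tls12 | SslProtocols.Tls13, true);

            // Negotiated per connection from what client and server both support.
            Console.WriteLine("Protocol     : " + tls.SslProtocol);
            Console.WriteLine("Cipher       : " + tls.CipherAlgorithm + " / " + tls.CipherStrength + "-bit");
            Console.WriteLine("Key exchange : " + tls.KeyExchangeAlgorithm + " / " + tls.KeyExchangeStrength + "-bit");
            Console.WriteLine("Hash         : " + tls.HashAlgorithm);

            // The credential the server presented: the same fields the padlock dialog shows.
            var cert = new X509Certificate2(tls.RemoteCertificate);
            Console.WriteLine("Subject      : " + cert.Subject);
            Console.WriteLine("Issuer       : " + cert.Issuer);
            Console.WriteLine("DNS name     : " + cert.GetNameInfo(X509NameType.DnsName, false));
            Console.WriteLine("Valid        : " + cert.NotBefore.ToUniversalTime() + " to " + cert.NotAfter.ToUniversalTime());
            Console.WriteLine("SHA-1 fp     : " + cert.Thumbprint);
        }
    }

    // Called by SslStream after it has built and checked the chain. Returning false aborts the
    // handshake with AuthenticationException. Never return true unconditionally: that is the
    // classic "ignore certificate errors" mistake that turns TLS into encryption to an
    // unknown party, which is exactly what a man-in-the-middle wants.
    private static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                                  X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;

        Console.Error.WriteLine("Certificate validation failed: " + errors);
        if (chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("  chain: " + status.Status + " - " + status.StatusInformation.Trim());
        return false;
    }
}
```

SslPolicyErrors distinguishes the three failure classes a browser also reports: RemoteCertificateNameMismatch (the certificate is for another host), RemoteCertificateChainErrors (untrusted issuer, expired, or revoked, detailed in ChainStatus) and RemoteCertificateNotAvailable (no certificate at all). Any of them should end the connection, as the callback above does.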