
I am a complete beginner with ASP.NET MVC and frankly with coding too. I am creating my first MVC application. I set up the ASP.NET Identity system and it is working just fine. I have some action methods in my controllers where I want the logged-in users to provide a serial key (14 alphanumeric characters) in order to be authorized to carry out some tasks. I've read tons of articles on custom AuthorizeAttribute, but instead of making a solution I am making it more difficult than it should be.

These serial keys should be saved somewhere in the application, maybe in the back-end database. The user that wants to access a specific action method should provide a serial key. The whole scenario is like licensing a piece of software or an antivirus. Any realistic example or a specific tutorial on this will help very much.

Thanks

2 Answers


You could save the serial keys as Session variables. This will however mean that a user will have to provide the serial key for each action each time the session times out. Creating a separate database table to save serial keys for a user id that can be checked against the validated user is probably a better bet.

  • It would definitely help if you give a realistic example, thank you –  Apr 25 '16 at 18:35

As the OP asked for an example of hashing, I will expand on the topic. The first thought that comes to mind when we are speaking of web security is hashing. What is hashing? Hashing is one-way data encoding. For example, you have a password; how would you secure it? You hash it and store it in your database. When the user tries to log in a second time, you have his password hashed and stored in the database. Now he enters a password, you hash it and look whether it matches the one in the database.

For your particular case:

  • You would want to have access to the storage which would contain hashed serial-key values.
  • When a user inputs some serial-key, you hash it using the same method (as used to hash the serial-key).
  • Look for a match in your storage for the value provided by the user. If there is a match, the user has inserted the correct serial-key.

Example of hashing with salt:

using System.Security.Cryptography;

// Returns SHA-256(plainText || salt).
static byte[] GenerateSaltedHash(byte[] plainText, byte[] salt)
{
    byte[] plainTextWithSaltBytes = new byte[plainText.Length + salt.Length];

    // Copy the plain text first, then append the salt.
    for (int i = 0; i < plainText.Length; i++)
    {
        plainTextWithSaltBytes[i] = plainText[i];
    }
    for (int i = 0; i < salt.Length; i++)
    {
        plainTextWithSaltBytes[plainText.Length + i] = salt[i];
    }

    // HashAlgorithm is IDisposable, so release it once the hash is computed.
    using (HashAlgorithm algorithm = SHA256.Create())
    {
        return algorithm.ComputeHash(plainTextWithSaltBytes);
    }
}

For Hashing data from MSDN, SO. Article about hashing.

.NET hashing class for multiple times.

Unfortunately, there is a lot to software security. You will have to do your research before being somewhat secure when it comes to web applications.

Karolis Kajenas
  • Okay, but did you notice that I want it to be saved first in the database and then provided to the users? Can I do it? –  Apr 25 '16 at 19:10
  • Well you should have some additional application to import your hashed serial-keys into DB, somewhat an admin tool for your web app. Please elaborate if I am missing the point. – Karolis Kajenas Apr 25 '16 at 19:14
  • What I want to achieve is something like this: I buy an Avira antivirus, and the seller gives me a DVD plus a card on which the serial number is written. When I install the software, it asks me for the serial, and when I enter the serial, if it is a fine and valid key my software will be licensed, else it will give me an error. –  Apr 25 '16 at 19:24
  • Can I achieve something like that with hashing? –  Apr 25 '16 at 19:24
  • Well this is exactly what my described scenario would do. Since I am not a web developer I am not aware of other possibly available options thus this might not be the best case solver. But what I see now, yes it would work. – Karolis Kajenas Apr 25 '16 at 19:29
  • @NaserDostdar If you have any concerns please let me know. There is a lot to do and my post barely covers it, as the question is quite broad. – Karolis Kajenas Apr 25 '16 at 19:53
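
An added example (not code from either answer or from the question) that puts the store, hash and look-up steps from the second answer together with the first answer's idea of tying a key to a user id. The `SerialKeyStore` class, its method names, the in-memory dictionary standing in for a database table, the single application-wide salt and the case-insensitive treatment of keys are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for a database table of hashed serial keys.
public class SerialKeyStore
{
    private readonly byte[] _salt; // assumption: one app-wide salt, so a key can be looked up by its hash
    // Base64 hash -> id of the user who redeemed the key (null while unused)
    private readonly Dictionary<string, string> _keys = new Dictionary<string, string>();
    public SerialKeyStore(byte[] salt) { _salt = salt; }

    // Drop dashes and case differences; anything that is not 14 ASCII alphanumerics yields null.
    private static string Normalize(string input)
    {
        string key = (input ?? "").Replace("-", "").Trim().ToUpperInvariant();
        bool valid = key.Length == 14 && key.All(c => (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'));
        return valid ? key : null;
    }

    // SHA-256 over key bytes followed by the salt, as in the answer's GenerateSaltedHash.
    private string Hash(string normalizedKey)
    {
        byte[] data = Encoding.UTF8.GetBytes(normalizedKey).Concat(_salt).ToArray();
        using (SHA256 sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(data));
    }

    // Admin side: only the hash of an issued key is stored, never the key itself.
    public void Import(string serialKey)
    {
        string key = Normalize(serialKey);
        if (key == null) throw new ArgumentException("Expected 14 alphanumeric characters.");
        if (!_keys.ContainsKey(Hash(key))) _keys[Hash(key)] = null;
    }

    // User side: true if the key was issued and is unused or already bound to this user.
    public bool Redeem(string userId, string enteredKey)
    {
        string key = Normalize(enteredKey);
        string owner;
        if (key == null || !_keys.TryGetValue(Hash(key), out owner)) return false;
        if (owner == null) _keys[Hash(key)] = owner = userId; // first use binds the key to the user
        return owner == userId;
    }
}
```

In an MVC application the result of `Redeem` would be persisted per user, so that a custom `AuthorizeAttribute` only has to check whether the current user id already has a bound key.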