Search Results

Search found 10815 results on 433 pages for 'stored procedure'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 125/433 | < Previous Page | 121 122 123 124 125 126 127 128 129 130 131 132  | Next Page >

  • "must issue a starttls command first" when MSSQL emails via Microsoft Online

    - by David
    I have written a stored procedure in MSSQL Server 2008 R2 which sends emails when my Application logs errors. It works fine on servers at our office but when I ran it on our remote servers I got must issue a starttls command first So maybe there is a setting somewhere which is different between the two servers, and that's why it's working on one and not the other. How do I set the server so that it issues a "starttls commaned first"?

    Read the article

  • which is the recommended way to install sshd in cygwin on windows 7 enterprise

    - by anjanb
    What is the recommended procedure to install sshd on Windows 7 Enterprise ? I have already installed cygwin and openssh on this computer. i'm open to non-cygwin sshd as long as there won't be any compatibility issues with cygwin related programs. UPDATE I want setup/config information as well. Currently, I get an error if I try to connect to localhost. $ ssh localhost ssh: connect to host localhost port 22: Connection refused

    Read the article

  • What's the appropriate way to upgrade Apache in RHEL?

    - by jldugger
    The version of Apache shipped in RHEL 5.4 is very old. A feature I need only shipped recently. It seems Apache upstream only ships tarballs, and omits binary packages. Obviously I could build from source, but what's the canonical way to upgrade a single package like this? Is it common procedure to drop a newer tarball in the existing SPEC, or does someone already do all this with an eye towards RHEL?

    Read the article

  • Want to create an SQL function that removes table row duplicates [migrated]

    - by Hoser
    I'd be following the procedure outlined here (unless of course someone has a better way to do it), and I'm wondering if I could just have some help being pointed in the right direction on how to start. Basically I need help first on HOW to create functions, and general tips on making it adjustable for varying number of columns etc. This may be a very complicated task, as I have no previous experience making SQL functions, so please let me know if this is a difficult task for an SQL noobie working with MS SQL 2005.

    Read the article

  • CKEditor configuration options

    - by Unreason
    Looking for a way to disable a feature in CKEditor that messes with attributes height and width on my and converts them into inline styles. The version of CKEditor is 3.2 and I have access to config files. Along the same lines is there somewhere an overview (or procedure) for changing the way CKEditor produces html (I'd like to force it to do inline styles; except for images, plus some other changes) Thank you for taking the time to read this

    Read the article

  • route a word document

    - by Ravisha
    I heard about the routing feature available in micro soft products (word ,doc) .through which we can route a document in MS outlook.I have no idea how to initiate it.Can some one please tell me the procedure for the same

    Read the article

  • Configure startup order of websphere application withing EAR

    - by Lukasz L.
    Is it possible to define startup order of the WebSphere enterprise application within EAR (some of descriptor/binding files, META-INF or anywhere else)? The procedure described in IBM InfoCenter requires using AdminConsole, but I would prefer to set fixed order in the EAR to assert that our 2 EAR's will start in fixed order (one is requiring the other to start before). Unfortunatelly, I haven't found in Internet any way for setting startup order other then AdminConsole/wsadmin. I don't want to go into AdminConsole each time I redeploy the EAR.

    Read the article

  • Need to reformat SQL Cluster Disk. How do I recover my SQL installation?

    - by I.T. Support
    We need to reformat the SQL cluster disk in our SQL cluster. The drive contains the shared installation files for SQL as well as databases. My concern is how SQL/The Cluster will react to after we wipe the disk resource. Questions: Is there a defined procedure for this? How should we backup and restore the disk? After the reformat, how do we get the clustered SQL server back online? Thanks

    Read the article

  • Windows 7: The audio service is not running?

    - by oscilatingcretin
    Why isn't my audio service running? It's so random. Sometimes I am able to change my PC volumn, other times I am not. I've restarted the following services: Remote Procedure Call (RPC) Multimedia Class Scheduler Windows Audio Endpoint Builder I think I started noticing this after I went mucking around in msconfig looking for ways to improve PC performance. I know I shut off some services, but that was over 6 months ago today and I am finally getting tired of it happening.

    Read the article

  • Does anyone know of a program that can search database objects (i.e. StoredProcedures) for keywords?

    - by hcabnettek
    Hi All, Is there such a tool that would look through a group of stored procedures for source code keywords? A client has a lot of business logic coded into their database and I need to find where it is using certain strings of text? I.E. what procedure contains 'was applied to their balance', so I can refactor that out into business logic. Does anyone know of such a tool? perhaps something from Red-Gate? Thanks, ~ck in San Diego

    Read the article

  • How to add a font to the Cmd window choices in Windows 7 64-bit?

    - by Mark Ransom
    I tried following the procedure outlined in this previous answer and it doesn't work: http://superuser.com/a/5079/2366 Specifically I'm trying to add Lucida Sans Typewriter Regular to the choices of Consolas and Lucida Console that the Cmd window currently allows. Lucida Console is in registry key "0" and Consolas is in registry key "00", so I'm adding key "000" but it's not affecting the available choices in the Font tab under Properties, even after rebooting the system. P.S. I also tried adding Courier New to the choices and it shows up, but appears to select Italic instead.

    Read the article

  • How to find who deleted a line from a file in a SVN repository?

    - by Ivan Petrushev
    I work on a very large project (10000+ versions) and sometimes it happened that I need to know who of the other users deleted some line in a file. Is there a way to do that that? I can do svn blame with revision number to check if a line exists in that revision, then see in which revision the line is gone and see who commited that revision, but that procedure is lame with that large project. Is there a smarter way to do that?

    Read the article

  • When & how does logrotate run under Ubuntu 10.04?

    - by OoJoo
    Hello, I am new to sysadmining and have a few questions: Where and how is the logrotate procedure initaited by the system? What time of day are my "daily" rotated logfiles being rotated? Do the prerotate commands run for each log file matched in a *.log entry? Thank you

    Read the article

  • How do i Change a Dammage Disk in a Raid 5

    - by Egakagoc2xI
    Hi, I have a 4 drives Raid 5 Server, which one of them is dammage, all drivers are hot plugged. My Question is, I Want to replace the dammage with a new one, Do I have to shutdown the server or just change the hard drives with the server on a it'll rebuild the every or there is a procedure to follow? My Server is a HP. Regards.

    Read the article

  • vmdk to live cd - VMware vmxnet virtual NIC driver Kernel panic

    - by ronalchn
    Task I am trying to convert a virtual machine to a live CD. Specifically, the virtual machine I am trying to convert is the IOI 2013 Competition Environment. In this task, I am aided by a guide Converting a virtual disk image: VDI or VMDK to an ISO you can distribute. Symptoms However, after getting through all the instructions, the live CD causes a kernel panic on boot on bare metal. In particular, the screen shows: [0.737348] cdrom: Uniform CD-ROM driver Revision: 3.20 [0.737503] sr 3:0:0:0: >Attached scsi CD-ROM sr0 [0.737638] sr 3:0:0:0: >Attached scsi generic sg2 type 5 [0.737771] Freeing unused kernel memory: 756k freed [0.738093] Write protecting the kernel text: 5960k [0.738155] Write protecting the kernel read-only data: 2424k [0.738224] NX-protecting the kernel data: 4280k Loading, please wait... [0.752252] udevd[100]: starting version 175 [0.768708] VMware vmxnet3 virtual NIC driver - version 1.1.29.0-k-NAPI [0.781204] VMware PVSCSI driver - version 1.0.2.0-k [0.789555] VMware vmxnet virtual NIC driver [0.799356] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000200 [0.799356] [0.799472] Pid: 1, comm: init Tainted: G 0 3.5.0-17-generic #28-Ubuntu [0.799549] Call Trace: [0.799603] [<c15bf0ec>] panic+0x81/0x17b [0.799654] [<c104a6a5>] do_exit+0x745/0x7a0 [0.799707] [<c104a9a4>] do_group_exit+0x34/0xa0 [0.799760] [<c104aa28>] sys_exit_group+0x18/0x20 [0.799813] [<c15cff5f>] sysenter_do_call+0x12/0x28 Possible problem I suspect that the problem is the VMware vmxnet virtual NIC driver - however, I do not know how I can uninstall it, and possibly install one for a bare metal machine. If anyone knows which packages needs installing/uninstalling at the .rootfs/ chroot directory stage, please let me know. Details on procedure Do note that after importing the .ova file into Virtualbox, the virtual machine is stored as a .vmdk file already, and not a .vdi file. I would like to point out some results of the procedure followed in case of any questions. This is after extracting the filesystem from the .raw file to the .rootfs/ directory mentioned in the blog. I changed the filesystem table as mentioned in the blog, then looked at the possible "kernel optimized for virtualization". However, I found that linux-image-generic was already installed. Also, when running the command dpkg-query --showformat='${Package}\n' -W 'vmware-tools*' (or dpkg-query --showformat='${Package}\n' -W '*-virtual'), no packages were found. Thus, I did not find any virtualization specific packages. I proceeded to generate the iso following the steps in the blog, and burned it to a DVD.

    Read the article

  • How do I Change a damaged Disk in a Raid 5 array

    - by Egakagoc2xI
    Hi, I have a server with a 4-drives Raid 5 array; one of the disks is damaged. All the disks are hot pluggable. My Question is, I want to replace the damaged disk with a new one, do I have to shutdown the server or should I just change the hard disk with the server on and it will rebuild the array? There is a procedure to follow? My Server is a HP. Regards.

    Read the article

  • Download Flash video file from any video site?

    - by UK
    I know there are plenty of ways to download Flash video files (.flv) from the video sites like YouTube, etc. But if the site changes the procedure of download, most of the time, it will break. Is there any generic way to download without depending on a particular site/software?

    Read the article

  • SQL Server 2005: Improving performance for thousands or Insert requests. logout-login time= 120ms.

    - by Rad
    Can somebody shed some lights on how SQL Server 2005 deals with may request issued by a client using ADO.NET 2.0. Below is the shortend output of SQL Trace. I can see that connection pooling is working (I believe there is only one connection being pooled). What is not clear to me is why we have so many sp_reset_connection calls i.e a series of: Audit Login, SQL:BatchStarting, RPC:Starting and Audit Logout for each loop in for loop below. I can see that there is constant switching between tempdb and master database which leads me to conclude that we lost the context when next connection is created by fetching it from the pool based on ConectionString argument. I can see that every 15ms I can get 100-200 login/logout per second (reported at the same time by Profiler). The after 15ms I have again a series fo 100-200 login/logout per second. I need clarification on how this might affect much complex insert queries in production environment. I use Enterprise Library 2006, the code is compiled with VS 2005 and it is a console application that parses a flat file with 10 of thousand of rows grouping parent-child rows, runs on an application server and runs 2 stored procedure on a remote SQL Server 2005 inserting a parent record, retrieves Identity value and using it calls the second stored procedure 1, 2 or multiple times (sometimes several thousands) inserting child records. The child table has close to 10 million records with 5-10 indexes some of them being covering non-clustered. There is a pretty complex Insert trigger that copies inserted detail record to an archive table. All in all I only have 7 inserts per second which means it can take 2-4 hours for 50 thousand records. When I run Profiler on the test server (that is almost equivalent with production server) I can see that there is about 120ms between Audit Logout and Audit Login trace entries which almost give me chance to insert about 8 records. So my question is if there is some way to improve inserting of records since the company loads 100 thousands of records and does daily planning and has SLA to fulfill client request coming as flat file orders and some big files 10 thousands have to be processed(imported quickly). 4 hours to import 60 thousands should be reduced to 30 minutes. I was thinking to use BatchSize of DataAdapter to send multiple stored procedure calls, SQL Bulk inserts to batch multiple inserts from DataReader or DataTable, SSIS fast load. But I don't know how to properly analyze re-indexing and stats population and maybe this has to take some time to finish. What is worse is that the company uses the biggest table for reporting and other online processing and indexes cannot be dropped. I manage transaction manually by setting a field to a value and do an transactional update changing that value to a new value that other applications are using to get committed rows. Please advise how to approach this problem. For now I am trying to have a staging tables with minimal logging in a separate database and no indexes and I will try to do batched (massive) parent child inserts. I believe Production DB has simple recovery model, but it could be full recovery. If DB user that is being used by my .NET console application has bulkadmin role does it mean its bulk inserts are minimally logged. I understand that when a table has clustered and many non-clustered indexes that inserts are still logged for each row. Connection pooling is working, but with many login/logouts. Why? for (int i = 1; i <= 10000; i++){ using (SqlConnection conn = new SqlConnection("server=(local);database=master;integrated security=sspi;")) {conn.Open(); using (SqlCommand cmd = conn.CreateCommand()){ cmd.CommandText = "use tempdb"; cmd.ExecuteNonQuery();}}} SQL Server Profiler trace: Audit Login master 2010-01-13 23:18:45.337 1 - Nonpooled SQL:BatchStarting use tempdb master 2010-01-13 23:18:45.337 RPC:Starting exec sp_reset_conn tempdb 2010-01-13 23:18:45.337 Audit Logout tempdb 2010-01-13 23:18:45.337 2 - Pooled Audit Login -- network protocol master 2010-01-13 23:18:45.383 2 - Pooled SQL:BatchStarting use tempdb master 2010-01-13 23:18:45.383 RPC:Starting exec sp_reset_conn tempdb 2010-01-13 23:18:45.383 Audit Logout tempdb 2010-01-13 23:18:45.383 2 - Pooled Audit Login -- network protocol master 2010-01-13 23:18:45.383 2 - Pooled SQL:BatchStarting use tempdb master 2010-01-13 23:18:45.383 RPC:Starting exec sp_reset_conn tempdb 2010-01-13 23:18:45.383 Audit Logout tempdb 2010-01-13 23:18:45.383 2 - Pooled

    Read the article

  • I need help in inno setup custom page

    - by vinutavishal
    in inno setup i hav created a custom page with following code and has 3 text boxes now i want to validate that text box on custom form next button click if in text.text='2121212' something text is entered by user then only next button enabled pls help any one its urgent [CustomMessages] CustomForm_Caption=CustomForm Caption CustomForm_Description=CustomForm Description CustomForm_Label1_Caption0=College Name: CustomForm_Label2_Caption0=Product Type: CustomForm_Label3_Caption0=Product ID: [Code] var Label1: TLabel; Label2: TLabel; Label3: TLabel; Edit1: TEdit; Edit2: TEdit; Edit3: TEdit; Edit4: TEdit; Edit5: TEdit; Edit6: TEdit; { CustomForm_Activate } procedure CustomForm_Activate(Page: TWizardPage); begin // enter code here... end; { CustomForm_ShouldSkipPage } function CustomForm_ShouldSkipPage(Page: TWizardPage): Boolean; begin Result := False; end; { CustomForm_BackButtonClick } function CustomForm_BackButtonClick(Page: TWizardPage): Boolean; begin Result := True; end; { CustomForm_NextkButtonClick } function CustomForm_NextButtonClick(Page: TWizardPage): Boolean; begin RegWriteStringValue(HKEY_LOCAL_MACHINE, 'Software\SGS2.2\CS', 'College Name', Edit1.Text); RegWriteStringValue(HKEY_LOCAL_MACHINE, 'Software\SGS2.2\CS', 'Product Type', Edit2.Text); RegWriteStringValue(HKEY_LOCAL_MACHINE, 'Software\SGS2.2\CS', 'Product ID', Edit3.Text); Result := True; end; { CustomForm_CancelButtonClick } procedure CustomForm_CancelButtonClick(Page: TWizardPage; var Cancel, Confirm: Boolean); begin // enter code here... end; { CustomForm_CreatePage } function CustomForm_CreatePage(PreviousPageId: Integer): Integer; var Page: TWizardPage; begin Page := CreateCustomPage( PreviousPageId, ExpandConstant('{cm:CustomForm_Caption}'), ExpandConstant('{cm:CustomForm_Description}') ); { Label1 } Label1 := TLabel.Create(Page); with Label1 do begin Parent := Page.Surface; Caption := ExpandConstant('{cm:CustomForm_Label1_Caption0}'); Left := ScaleX(16); Top := ScaleY(24); Width := ScaleX(70); Height := ScaleY(13); end; { Label2 } Label2 := TLabel.Create(Page); with Label2 do begin Parent := Page.Surface; Caption := ExpandConstant('{cm:CustomForm_Label2_Caption0}'); Left := ScaleX(17); Top := ScaleY(56); Width := ScaleX(70); Height := ScaleY(13); end; { Label3 } Label3 := TLabel.Create(Page); with Label3 do begin Parent := Page.Surface; Caption := ExpandConstant('{cm:CustomForm_Label3_Caption0}'); Left := ScaleX(17); Top := ScaleY(88); Width := ScaleX(70); Height := ScaleY(13); end; { Edit1 } Edit1 := TEdit.Create(Page); with Edit1 do begin Parent := Page.Surface; Left := ScaleX(115); Top := ScaleY(24); Width := ScaleX(273); Height := ScaleY(21); TabOrder := 0; end; { Edit2 } Edit2 := TEdit.Create(Page); with Edit2 do begin Parent := Page.Surface; Left := ScaleX(115); Top := ScaleY(56); Width := ScaleX(273); Height := ScaleY(21); TabOrder := 1; end; { Edit3 } Edit3 := TEdit.Create(Page); with Edit3 do begin Parent := Page.Surface; Left := ScaleX(115); Top := ScaleY(88); Width := ScaleX(273); Height := ScaleY(21); TabOrder := 2; end; with Page do begin OnActivate := @CustomForm_Activate; OnShouldSkipPage := @CustomForm_ShouldSkipPage; OnBackButtonClick := @CustomForm_BackButtonClick; OnNextButtonClick := @CustomForm_NextButtonClick; OnCancelButtonClick := @CustomForm_CancelButtonClick; end; Result := Page.ID; end; { CustomForm_InitializeWizard } procedure InitializeWizard(); begin CustomForm_CreatePage(wpWelcome); end;

    Read the article

  • ORA-06502: PL/SQL: numeric or value error: character string buffer too small with Oracle aggregate f

    - by Tunde
    Good day gurus, I have a script that populates tables on a regular basis that crashed and gave the above error. The strange thing is that it has been running for close to 3 months on the production system with no problems and suddenly crashed last week. There has not been any changes on the tables as far as I know. Has anyone encountered something like this before? I believe it has something to do with the aggregate functions I'm implementing in it; but it worked initially. please; kindly find attached the part of the script I've developed into a procedure that I reckon gives the error. CREATE OR REPLACE PROCEDURE V1 IS --DECLARE v_a VARCHAR2(4000); v_b VARCHAR2(4000); v_c VARCHAR2(4000); v_d VARCHAR2(4000); v_e VARCHAR2(4000); v_f VARCHAR2(4000); v_g VARCHAR2(4000); v_h VARCHAR2(4000); v_i VARCHAR2(4000); v_j VARCHAR2(4000); v_k VARCHAR2(4000); v_l VARCHAR2(4000); v_m VARCHAR2(4000); v_n NUMBER(10); v_o VARCHAR2(4000); -- -- Procedure that populates DEMO table BEGIN -- Delete all from the DEMO table DELETE FROM DEMO; -- Populate fields in DEMO from DEMOV1 INSERT INTO DEMO(ID, D_ID, CTR_ID, C_ID, DT_NAM, TP, BYR, ENY, ONG, SUMM, DTW, REV, LD, MD, STAT, CRD) SELECT ID, D_ID, CTR_ID, C_ID, DT_NAM, TP, TO_NUMBER(TO_CHAR(BYR,'YYYY')), TO_NUMBER(TO_CHAR(NVL(ENY,SYSDATE),'YYYY')), CASE WHEN ENY IS NULL THEN 'Y' ELSE 'N' END, SUMMARY, DTW, REV, LD, MD, '1', SYSDATE FROM DEMOV1; -- LOOP THROUGH DEMO TABLE FOR j IN (SELECT ID, CTR_ID, C_ID FROM DEMO) LOOP Select semic_concat(TXTDESC) INTO v_a From GEOT WHERE ID = j.ID; SELECT COUNT(*) INTO v_n FROM MERP M, PROJ P WHERE M.MID = P.COD AND ID = j.ID AND PROAC IS NULL; IF (v_n > 0) THEN Select semic_concat(PRO) INTO v_b FROM MERP M, PROJ P WHERE M.MID = P.COD AND ID = j.ID; ELSE Select semic_concat(PRO || '(' || PROAC || ')' ) INTO v_b FROM MERP M, PROJ P WHERE M.MID = P.COD AND ID = j.ID; END IF; Select semic_concat(VOCNAME('P02',COD)) INTO v_c From PAR WHERE ID = j.ID; Select semic_concat(VOCNAME('L05',COD)) INTO v_d From INST WHERE ID = j.ID; Select semic_concat(NVL(AUTHOR,'Anon') ||' ('||to_char(PUB,'YYYY')||') '||TITLE||', '||EDT) INTO v_e From REFE WHERE ID = j.ID; Select semic_concat(NAM) INTO v_f FROM EDM E, EDO EO WHERE E.EDMID = EO.EDOID AND ID = j.ID; Select semic_concat(VOCNAME('L08', COD)) INTO v_g FROM AVA WHERE ID = j.ID; SELECT or_concat(NAM) INTO v_o FROM CON WHERE ID = j.ID AND NAM = 'Unknown'; IF (v_o = 'Unknown') THEN Select or_concat(JOBTITLE || ' (' || EMAIL || ')') INTO v_h FROM CON WHERE ID = j.ID; ELSE Select or_concat(NAM || ' (' || EMAIL || ')') INTO v_h FROM CON WHERE ID = j.ID; END IF; Select commaencap_concat(COD) INTO v_i FROM PAR WHERE ID = j.ID; IF (v_i = ',') THEN v_i := null; ELSE Select commaencap_concat(COD) INTO v_i FROM PAR WHERE ID = j.ID; END IF; Select commaencap_concat(COD) INTO v_j FROM INST WHERE ID = j.ID; IF (v_j = ',') THEN v_j := null; ELSE Select commaencap_concat(COD) INTO v_j FROM INST WHERE ID = j.ID; END IF; Select commaencap_concat(COD) INTO v_k FROM SAR WHERE ID = j.ID; IF (v_k = ',') THEN v_k := null; ELSE Select commaencap_concat(COD) INTO v_k FROM SAR WHERE ID = j.ID; END IF; Select commaencap_concat(CONID) INTO v_l FROM CON WHERE ID = j.ID; IF (v_l = ',') THEN v_l := null; ELSE Select commaencap_concat(CONID) INTO v_l FROM CON WHERE ID = j.ID; END IF; Select commaencap_concat(PROID) INTO v_m FROM PRO WHERE ID = j.ID; IF (v_m = ',') THEN v_m := null; ELSE Select commaencap_concat(PROID) INTO v_m FROM PRO WHERE ID = j.ID; END IF; -- UPDATE DEMO TABLE UPDATE DEMO SET GEOC = v_a, PRO = v_b, PAR = v_c, INS = v_d, REFER = v_e, ORGR = v_f, AVAY = v_g, CON = v_h, DTH = v_i, INST = v_j, SA = v_k, CC = v_l, EDPR = v_m, CTR = (SELECT NAM FROM EDM WHERE EDMID = j.CTR_ID), COLL = (SELECT NAM FROM EDM WHERE EDMID = j.C_ID) WHERE ID = j.ID; END LOOP; END V1; / The aggregate functions, commaencap_concat (encapsulates with a comma), or_concat (concats with an or) and semic_concat(concats with a semi-colon). the remaining tables used are all linked to the main table DEMO. I have checked the column sizes and there seems to be no problem. I tried executing the SELECT statements alone and they give the same error without populating the tables. Any clues? Many thanks for your anticipated support.

    Read the article

  • SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

    - by MOKANA
    Subsequent to my posting there was a remark made that this was not really a question but I thought I did indeed postulate one. So that there is no ambiquity here is the question with a lead in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does any one see any other way other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_toekn, that will insure unique untampered with security by the user? Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for any one to see. This access_token is appended to any https call to the Facebook OpenGraph API. Using facebook as a single click log on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination and after reviewing the FB.Init calls I saw a lot of HTTPS calls so I assumed the access_token was always encrypted. But last night I saw in the status bar a call from what was simply an http call that included the App ID so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast and in the attached image you can see that there are http calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something, is what I am seeing and my interpretation really correct. If any one can sniff and get the access_token they can theorically make calls to the Graph API via https, even though the call back would still need to be the site established in Facebook's application set up. But what is truly a security threat is anyone using the access_token for access to their own site. I do not see the value of a single sign on via Facebook if the only thing that was established as secure was the access_token - becuase for what I can see it clearly is not secure. Access tokens that never have an expire date do not change. Access_tokens are different for every user, to access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png Went back and did more research on this: FINDINGS: Went back an re ran the canvas application to verify that it was not any of my code that was not broadcasting. In this call: HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1 The USER ID is clearly visible in the cookie. So USER_ID's are fully visible, but they are already. Anyone can go to pretty much any ones page and hover over the image and see the USER ID. So no big threat. APP_ID are also easily obtainable - but . . . http://www.creatingstory.com/images/InTheOpen2.png The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook initiated call. Am I wrong. TELL ME I AM WRONG because I want to be wrong about this. I have since reset my app secret so I am showing the real sniff of the Canvas Page being loaded. Additional data 02/20/2011: @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server and my Facebook server side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front end application and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don’t know that could come back and bite me. Two huge access_token issues: The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie contain the access_token, session, a secret, and uid and status of the connection. The session object is structured such that is supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much al that is used in the session object. The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser: https://graph.facebook.com/220439?access_token=... and it will return a ton of information about the user. So any one with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a Callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info back right into the browser. Adding that callback feature would be a good idea I think, tightens things up a bit. The second issue is utilization of some unique private secured data that identifies the user to the third party data base, i.e., like in my case, I would use a single sign on to populate user information into my database using this unique secured data item (i.e., access_token which contains the APP ID, the USER ID, and a hashed with secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with secret, make HTTPS calls, get HTTPS responses back. When a user has information entered via the USER AGENT(browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that they are validated prior to data base insertion. However, If there is NO secured piece of unique data that is supplied via the single sign on process, then there is no way to guarantee unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. it is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If however, it is subsequently transmitted in the clear and if I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser. In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above and I have sniffed it such that I see it stored in a Cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database, or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that. I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign on process or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 121 122 123 124 125 126 127 128 129 130 131 132  | Next Page >