Search Results

Search found 3707 results on 149 pages for 'secure'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 130/149 | < Previous Page | 126 127 128 129 130 131 132 133 134 135 136 137  | Next Page >

  • Multiple websites, Single sign-on design

    - by Yannis
    Hi all, I have a question. A client I have been doing some work recently has a range of websites with different login mechanisms. He is looking to slowly migrate to a single sign-on mechanism for his websites (all written in asp.net mvc). I am looking at my options here, so here is a list of requirements: 1) It has to be secure (duh) 2) It needs to support extra user properties over and above the usual name, address stuff (such as money or credits for a user) 3) It has to provide a centralized user management web console for his convenience (I understand that this will be a small project on top of whatever design solution I choose to go for) 4) It has to integrate with the existing websites without re-engineering the whole product (I understand that this depends on the current product implementation). 5) It has to deal with emailing the user when he registers (in order for him to activate his account) 6) It has to deal with activating the user when he clicks the activate me link in the email (I understand that 5 and 6 require some form of email templating system to support different emails per application) I was thinking of creating a library working together with forms authentication that exposes whatever methods are required (e.g. login, logout, activate, etc. and a small restful service to implement activation from email, registration processing etc. Taking into account that loads of things have been left out to make this question brief and to the point, does this sound like a good design? But this looks like a very common problem so arent there any existing projects that I could use? Thanks for reading.

    Read the article

  • Works in Firefox & Opera, but not IE 8

    - by Ai Pragma
    1) This issue involves just one html webpage, lets call it "ajax.html".2) I have AJAX functions in this webpage that work in both Firefox and IE8.3) I now attempt generating just the option values of a dropdown list of dates using my ajax functions, and it works in Firefox & Opera, but not IE8.4) The surrounding html code for the dropdown looks like this:<select name="entry_7_single" id="entry_7" onChange="Ajax_PhpResultsWithVar('./secure/db/SummaryCls.php','entry_8','dateval',this.value)"></select>The onchange call refers to an ajax function that successfully(both Firefox & IE8) populates a textarea(entry_8) with a description of an event associated with the date selected in this dropdown. 5) An onload call initiates the ajax function to generate the dropdown list values:<body class="ss-base-body" onLoad="OnLoadWebPage()">6) The js script that calls the ajax function is as follows:function OnLoadWebPage(){    Ajax_PhpResults('./secure/db/GenDateListCls.php','entry_7');}7) Since it works in Firefox, but not IE8, I throw the output of the ajax function into a Firefox large textbox and I get the following:<option selected value="8 JUN 2010">8 JUN 2010</option>                   <option value="9 JUN 2010">9 JUN 2010</option>                   <option value="10 JUN 2010">10 JUN 2010</option>                   <option value="11 JUN 2010">11 JUN 2010</option> 8 ) There are over a hundred generated but you get the gist of what the ajax function generates. Next I will list the PHP function that outputs the above dropdown values://///////////////////////////////////////////////////////////////////////////////////////////////////////<?phpinclude_once 'SPSQLite.class.php';include_once 'misc_funcs.php';class GenDateListCls {    var $dbName;    var $sqlite;        function GenDateListCls()    {        $this->dbName = 'accrsc.db';        $this->ConstructEventDates();    }        function ConstructEventDates()    {         $this->sqlite = new SPSQLite($this->dbName);         $todayarr = getdate();         $today = $todayarr[mday] . " " . substr($todayarr[month],0,3) . " " . $todayarr[year];                  $ICalDate = ChangeToICalDate($today);         $dateQuery = "SELECT dtstart from events where substr(dtstart,1,8) >= '" . $ICalDate . "';";         $this->sqlite->query($dateQuery);         $datesResult = $this->sqlite->returnRows();                      foreach (array_reverse($datesResult) as $indx => $row)         {                       $normDate = NormalizeICalDate(substr($row[dtstart],0,8));              if ($indx==0)              { ?>                 <option selected value=<?php echo('"' . $normDate . '"'); ?>><?php echo $normDate; ?></option><?php                               }                          else              {?>                  <option value=<?php echo('"' . $normDate . '"'); ?>><?php echo $normDate; ?></option><?php                                   }                       }                   $this->sqlite->close();     }}$dateList = new GenDateListCls();    ?>/////////////////////////////////////////////////////////////////////////////////////////////////////////////<<< I appreciate any assistance on this matter. Aipragma >>> My Background: To let you all know, I am a complete newbie to PHP, Ajax, & javascript, and learning it all on my own, no classes. My background is in Linux, Windows, C++, Java, VB,VBA,MS XML, & some html.

    Read the article

  • Force sending a user to custom QuerySet.

    - by Jack M.
    I'm trying to secure an application so that users can only see objects which are assigned to them. I've got a custom QuerySet which works for this, but I'm trying to find a way to force the use of this additional functionality. Here is my Model: class Inquiry(models.Model): ts = models.DateTimeField(auto_now_add=True) assigned_to_user = models.ForeignKey(User, blank=True, null=True, related_name="assigned_inquiries") objects = CustomQuerySetManager() class QuerySet(QuerySet): def for_user(self, user): return self.filter(assigned_to_user=user) (The CustomQuerySetManager is documented over here, if it is important.) I'm trying to force everything to use this filtering, so that other methods will raise an exception. For example: Inquiry.objects.all() ## Should raise an exception. Inquiry.objects.filter(pk=69) ## Should raise an exception. Inquiry.objects.for_user(request.user).filter(pk=69) ## Should work. inqs = Inquiry.objects.for_user(request.user) ## Should work. inqs.filter(pk=69) ## Should work. It seems to me that there should be a way to force the security of these objects by allowing only certain users to access them. I am not concerned with how this might impact the admin interface.

    Read the article

  • Block facebook from my website

    - by Joseph Szymborski
    I have a secure link direction service I'm running (expiringlinks.co). If I change the headers in php to redirect my visitors, then facebook is able to show a preview of the website I'm redirecting to when users send links to one another via facebook. I wish to avoid this. Right now, I'm using an AJAX call to get the URL and javascript to redirect, but it's causing problems for users who don't use javascript. Here are a number of ways I'd like to block facebook, but I can't seem to get working: I've tried blocking the facebook bot (facebookexternalhit/1.0 and facebookexternalhit/1.1) but it's not working, I don't think they're using them for this functionality. I'm thinking of blocking the facebook IP addresses, but I can't find all of them, and I don't think it'll work unless I get all of them. I've thought of using a CAPTCHA or even a button, but I can't bring myself to do that to my visitors. Not to mention I don't think anyone would use the site. I've searched the facebook docs for meta tags that would "opt-me out", but haven't found one, and doubt that I would trust it if I had. Any creative ideas or any idea how to implement the ones above? Thank you so much in advance!

    Read the article

  • A local error has occurred while connecting to AD in Windows 2008 server

    - by Sara
    There's Active directory on windows 2000 advance server, I have a web server on Windows 2008 server Enterprise Edition, the following code works fine in Winsows 2003 server but when I installed Win 2008 server, it gives me the following error, the webserver is not subdomain of the AD server. but they have the same range IP address. A local error has occurred.\r\n"} System.Exception system.DirectoryServices.DirectoryServicesCOMException} I want to Authenticate Via AD from my webserver, I even test the port 389 and it was open(by telnet), I even added port 389 UDP and TCP to firewall of webserver to be sure it is open, even I turned the firewall off but nothing changed. I don't know what's wrong with Windows 2008 server that cannot run my code, I search Internet but I found nothing. any solution would be helpful. Thank you public bool IsAuthenticated(string username, string pwd,string group) { string domainAndUsername = "LDAP://192.xx.xx.xx:389/DC=test,DC=oc,DC=com" ; string usr="CN=" + username + ",CN=" + group; DirectoryEntry entry = new DirectoryEntry(domainAndUsername, usr, pwd, AuthenticationTypes.Secure ); try { DirectorySearcher search = new DirectorySearcher(entry); search.Filter = "(SAMAccountName=" + username + ")"; SearchResult result = search.FindOne(); if (result == null) { return false; } } catch (Exception ex) { return false; } return true; }

    Read the article

  • pagination and url encoding help

    - by Sufyan
    <?php $name=$_POST['name']; ?> <form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>"> <input type="text" name="name"> <input type="submit" value="GO" name="submit"> </form> <?php include ('db.php'); if(isset($_POST['submit'])) { mysql_query ("INSERT INTO example (name) VALUES('$name')") or die(mysql_error()); } if (!isset($_GET['startrow']) or !is_numeric($_GET['startrow'])) { $startrow = 0; } else { $startrow = (int)$_GET['startrow']; } $query = "SELECT * FROM example ORDER BY id DESC LIMIT $startrow, 20"; $result = mysql_query($query) or die(mysql_error()); while($row = mysql_fetch_array($result)){ echo "<li>"; echo $row['name'] ." "." <a href= 'like.php?quote=" . urlencode( $row['name'] ) . "'>Click Here</a>"; echo "</li>"; } echo '<a href="'.$_SERVER['PHP_SELF'].'?startrow='.($startrow+10).'">Next</a>'; ?> I want to make my page links hidden , how can i make then hidden so that a user cant edit it. 2nd question, currently i am showing total 10 records on each page and then a next page button , but the next button is keep showing even when there is no more records...! how to remove a next page button when records ended. ?? line number 28 is the link to pages which can be easyily editable by any user, i wnat to make them secure (using ID) and line 35 is n'next' page link , this link should not be appear when number of records ended

    Read the article

  • JavaScript cookie value can't be retrieved in Django

    - by Boris Rusev
    I am trying to build a web site in both English and Bulgarian using the Django framework. My idea is the user should click on a button, the page will reload and the language will be changed. This is how I am trying to do it: In my html I hava a the button tag <button id='btn' onclick="changeLanguage();" type="button"> ... </button> An excerpt from cookies.js: function changeLanguage() { if (getCookie('language') == 'EN') { document.getElementById('btn').innerHTML = getCookie('language'); setCookie("language", 'BG'); } else { document.getElementById('btn').innerHTML = getCookie('language'); setCookie("language", 'EN'); } } function setCookie(sName, sValue, oExpires, sPath, sDomain, bSecure) { var sCookie = sName + "=" + encodeURIComponent(sValue); if (oExpires) { sCookie += "; expires=" + oExpires.toGMTString(); } if (sPath) { sCookie += "; path=" + sPath; } if (sDomain) { sCookie += "; domain=" + sDomain; } if (bSecure) { sCookie += "; secure"; } document.cookie = sCookie; } And in my views.py file this is the situation @base def index(request): if request.session['language'] == 'EN': return """<b>%s</b>""" % "Home" else request.session['language'] == 'BG': return """<b>%s</b>""" % "??????" So I know that my JS changes the value of the language cookie but I think Django doesn't get that. On the other hand when I set and get the cookie in my Python code again the cookie is set. My question is whether there is a way to make JS and Django work together - JavaScript sets the cookie value and Python only reads it when asked and takes adequate actions? Thank you.

    Read the article

  • How to Connect to a web service (SSL enabled and proxy interface)

    - by blgnklc
    There is a web service running on tomcat on a server. It is built on Java Servlet. It is listening others to call itself on a SSL enabled http port. so its web service adreess looks like: https://172.29.12.12/axis/services/XYZClient?wsdl On the other hand I want to connect the web service above from a windows application which is built on .NET frame work. Finally, when I want to connect the web service from my computer; I get some specific erros; Firstly I get; Proxy authentication error; then I added some new line to my code; Dim cr As System.Net.NetworkCredential = New System.Net.NetworkCredential("xname", "xsurname", "xdomainname") Dim myProxy As New WebProxy("http://mar.xxxyyy.com", True) myProxy.Credentials = cr Secondly, after this modifications It says that bad request. I did not get over this error. Moreover I did try to connect the web server on the same computer. I copied my executable program to the computer where the web service runs. The error was like; The underlying connection was closed: Could not establish trust relationship for SSL/TLS secure channel PS: When I try to connect to web service by using Internet Explorer; I see firstly some warnings about accepting an unknown certificate and I click take me to web service an I get there clearly. I want to know what are the basic elements to connect a web service, could you please tell me the requirements that I have to use on my windows project. regards bk

    Read the article

  • Should I Use Anchor, Button Or Form Submit For "Follow" Feature In Rails

    - by James
    I am developing an application in Rails 3 using a nosql database. I am trying to add a "Follow" feature similar to twitter or github. In terms of markup, I have determined that there are three ways to do this. 1) Use a regular anchor. (Github Uses This Method) <a href="/users/follow?target=Joe">Follow</a> 2) Use a button. (Twitter Uses This Method) <button href="/friendships/create/">Follow</button> 3) Use a form with a submit button. (Has some advantages for me, but I haven't see anyone do it yet.) <form method="post" id="connection_new" class="connection_new" action="/users/follow"> <input type="hidden" value="60d7b563355243796dd8496e17d36329" name="target" id="target"> <input type="submit" value="Follow" name="commit" id="connection_submit"> </form> Since I want to store the user_id in the database and not the username, options 1 and 2 will force me to do a database query to get the actual user_id, whereas option 3 will allow me to store the user_id in a hidden form field so that I don't have to do any database lookups. I can just get the id from the params hash on form submission. I have successfully got each of these methods working, but I would like to know what is the best way to do this. Which way is more semantic, secure, better for spiders, etc...? Is there a reason both twitter and github don't use forms to do this? Any guidance would be appreciated. I am leaning towards using the form method since then I don't have to query the db to get the id of the user, but I am worried that there must be a reason the big guys are just using anchors or buttons for this. I am a newb so go easy on me if I am totally missing something. Thanks!

    Read the article

  • Got Hacked. Want to understand how.

    - by gaoshan88
    Someone has, for the second time, appended a chunk of javascript to a site I help run. This javascript hijacks Google adsense, inserting their own account number, and sticking ads all over. The code is always appended, always in one specific directory (one used by a third party ad program), affects a number of files in a number of directories inside this one ad dir (20 or so) and is inserted at roughly the same overnight time. The adsense account belongs to a Chinese website (located in a town not an hour from where I will be in China next month. Maybe I should go bust heads... kidding, sort of), btw. So, how could they append text to these files? Is it related to the permissions set on the files (ranging from 755 to 644)? To the webserver user (it's on MediaTemple so it should be secure, yes?)? I mean, if you have a file that has permissions set to 777 I still can't just add code to it at will... how might they be doing this?

    Read the article

  • POSTmethod and PHP- login verification

    - by Neethusha
    I wrote a code for login verification..I got output with GET. But i need output with POST since it is more secure.pls let me know if there is any error in my code. javascript code: var xml; function verifyusernamepasswd(pass) { //pass is password that will be passed as parameter xml=new XMLHttpRequest(); var url="http://localhost/loginvalidate.php"; var para="q="+username+"&p="+pass;//username is global xml.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xml.setRequestHeader("Content-length", para.length); xml.setRequestHeader("Connection", "close"); xml.open("POST",url,true); xml.onreadystatechange=statechanged1; xml.send(para); } function statechanged1() { if(xml.readyState==4) alert(xml.responseText); } php code: <?php $username=$_POST["q"]; $password=$_POST["p"]; $con=mysql_connect("localhost","root","blaze"); if(!$con) { die('Could not connect: '.mysql.error()); } mysql_select_db("BLAZE",$con) or die("No such Db"); $result=mysql_query("SELECT Passwword FROM USERTABLE WHERE Userhandle='$username'"); if($result==null) echo "false"; else if($result!=null) { $row=mysql_fetch_array($result); if((strcmp($row['Passwword'],$password)==0)) echo "true"; else echo "false"; } ?> the verification does not return anything, cos my alert is not displayed at all...pls tell me whats wrong....

    Read the article

  • How to catch an expected (and intended) 302 Ajax response?

    - by Anthony
    So, if you look back at my previous question about Exchange Autodiscover, you'll see that the easiet way to get the autodiscover URL is to send a non-secure, non-authenticated GET request to the server, ala: http://autodiscover.exchangeserver.org/autodiscover/autodiscover.xml The server will respond with a 302 redirect with the correct url in the Location header. I'm trying out something really simple at first with a Chrome extension, where I have: if (req.readyState==4 && req.status==302) { return req.getResponseHeader("Location"); } With another ajax call set up with the full XML Post and the user credentials, But instead Chrome hangs at this point, and a look at the developer panel shows that it is not returning back the response but instead is acting like no response was given, meanwhile showing a Uncaught Error: NETWORK_ERR: XMLHttpRequest Exception 101 in the error log. The way I see it, refering to the exact response status is about the same as "catching" it, but I'm not sure if the problem is with Chrome/WebKit or if this is how XHR requests always handle redirects. I'm not sure how to catch this so that I can get still get the headers from the response. Or would it be possible to set up a secondary XHR such that when it gets the 302, it sends a totally different request? Quick Update I just changed it so that it doesn't check the response code: if (req.readyState==4) { return req.getResponseHeader("Location"); } and instead when I alert out the value it's null. and there is still the same error and no response in the dev console. SO it seems like it either doesn't track 302 responses as responses, or something happens after that wipes that response out?

    Read the article

  • trouble setting up anonymous login in ejabberd

    - by sofia
    Hi, In ejabberd.cfg I have the following {host_config, "thisislove-MacBook-2.local", [{auth_method, [internal, anonymous]}, {allow_multiple_connections, false}, {anonymous_protocol, both}]}. but when using speeqe javascript client (speeqe.com) to connect, I see it sends <body rid='1366284187' xmlns='http://jabber.org/protocol/httpbind' to='thisislove-macbook-2.local' xml:lang='en' wait='60' hold='1' window='5' content='text/xml; charset=utf-8' ver='1.6' xmpp:version='1.0' xmlns:xmpp='urn:xmpp:xbosh'/> and the server responds with <body xmlns='http://jabber.org/protocol/httpbind' sid='f89bf034b02fa6b884bb0c55be3f1f69e45e3866' wait='60' requests='2' inactivity='30' maxpause='120' polling='2' ver='1.8' from='thisislove-macbook-2.local' secure='true' authid='353072658' xmlns:xmpp='urn:xmpp:xbosh' xmlns:stream='http://etherx.jabber.org/streams' xmpp:version='1.0'><stream:features xmlns:stream='http://etherx.jabber.org/streams'><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism></mechanisms><register xmlns='http://jabber.org/features/iq-register'/></stream:features></body> Notice the mechanisms, DIGEST-MD5 & PLAIN. If I'm not mistaken it should have ANONYMOUS as a mechanism as well. So what happens is that speeqe simply terminates the connection. As such I'm thinking i must be missing something in the anonymous configuration or the muc config. In the mod_muc configg, I have {mod_muc, [ %%{host, "conference.@HOST@"}, {access, muc}, {access_create, muc}, {access_persistent, muc}, {access_admin, muc_admin}, {max_room_name, 190}, {max_room_desc, 190}, {max_users, 500} ]} So what am I missing? Thanks

    Read the article

  • Storing Credit Card Numbers in SESSION - ways around it?

    - by JM4
    I am well aware of PCI Compliance so don't need an earful about storing CC numbers (and especially CVV nums) within our company database during checkout process. However, I want to be safe as possible when handling sensitive consumer information and am curious how to get around passing CC numbers from page to page WITHOUT using SESSION variables if at all possible. My site is built in this way: Step 1) collect Credit Card information from customer - when customer hits submit, the information is first run through JS validation, then run through PHP validation, if all passes he moves to step 2. Step 2) Information is displayed on a review page for customer to make sure the details of their upcoming transaction are shown. Only the first 6 and last 4 of the CC are shown on this page but card type, and exp date are shwon fully. If he clicks proceed, Step 3) The information is sent to another php page which runs one last validation, sends information through secure payment gateway, and string is returned with details. Step 4) If all is good and well, the consumer information (personal, not CC) is stored in DB and redirected to a completion page. If anything is bad, he is informed and told to revisit the CC processing page to try again (max of 3 times). Any suggestions?

    Read the article

  • How to track the touch vector?

    - by mystify
    I need to calculate the direction of dragging a touch, to determine if the user is dragging up the screen, or down the screen. Actually pretty simple, right? But: 1) Finger goes down, you get -touchesBegan:withEvent: called 2) Must wait until finger moves, and -touchesMoved:withEvent: gets called 3) Problem: At this point it's dangerous to tell if the user did drag up or down. My thoughts: Check the time and accumulate calculates vectors until it's secure to tell the direction of touch. Easy? No. Think about it: What if the user holds the finger down for 5 minutes on the same spot, but THEN decides to move up or down? BANG! Your code would fail, because it tried to determine the direction of touch when the finger didn't move really. Problem 2: When the finger goes down and stays at the same spot for a few seconds because the user is a bit in the wind and thinks about what to do now, you'll get a lot of -touchesMoved:withEvent: calls very likely, but with very minor changes in touch location. So my next thought: Do the accumulation in -touchesMoved:withEvent:, but only if a certain threshold of movement has been exceeded. I bet you have some better concepts in place?

    Read the article

  • ASP MVC: E-mail Verification (Encrypting the activation link)

    - by wh0emPah
    Okay i'm a little bit stuck on how to solve this problem. When a user registers. I want to send him a link so that he can verify hes email address. But i have troubles generating the link. I've already written the controller to accept the links with the correct keys. i only have no idea on how to generate the activation keys. So when the user registers i'll send him a link by mail like this: Your activation link is : http://site.com/user/verify?key=keyhere Now i have created this method (called by the controller/action) to handle the key in the link: public string Verify(string value) { String email = Decrypt(value); user u = gebRep.GetUsers().WithEmail(email).SingleOrDefault(); if (u != null) { u.emailValid = true; userReppository.Save(); } return "Invallid validation value!"; } Now my problem is I have no idea on how to encrypt and decrypt the email into some sort of key (url friendly) So i can mail it with the link and can use it to verify the email. I need some kind of (not to complicated but secure) way to encrypt the email into a urlfriendly key. Tyvm

    Read the article

  • SSL + Jquery + Ajax

    - by chobo2
    Hi I starting too look at a bit of security into my site. My site I would consider a very low security risk as it has really no personal information from the user other than email. However the security risk will go up a bit as I am partnering with a company and the initial password for this companies users will be the same password they use essentially to get onto the network and every piece of software. So I have up my security( what is fine by me...I wanted to get around to this anyways). So one of my security concerns is this. A user logs in. form submit(non ajax is done). Password is hashed & Salted and compared to one in the database. Reject or let them proceed. So this uses no jquery or ajax but is just asp.net mvc and C#. Still if my understanding is right the password is sent in clear text. So if a use SSL and I would not need to worry about that is this correct? If that is true is that all I need? Second the user can change their password at anytime. This is done through ajax. So when the password is sent it is sent in clear text( and I can verify this by looking at firebug). So if I have SSL enabled on this page is that all I need or do I need to do more? So I am just kinda confused of what I need to make the password being sent to the server(both ajax and full post ways secure). I am not sure if I need to do more then SSL or if that is enough and if it is not enough what is the next layer of security?

    Read the article

  • Which open source repository or version control systems store files' original mtime, ctime and atime

    - by sampablokuper
    I want to create a personal digital archive. I want to be able to check digital files (some several years old, some recent, some not yet created) into that archive and have them preserved, along with their metadata such as ctime, atime and mtime. I want to be able to check these files out of that archive, modify their contents and commit the changes back to the archive, while keeping the earlier commits and their metadata intact. I want the archive to be very reliable and secure, and able to be backed up remotely. I want to be able to check files in and out of the archive from PCs running Linux, Mac OS X 10.5+ or Win XP+. I want to be able to check files in and out of the archive from PCs with RAM capacities lower than the size of the files. E.g. I want to be able to check in/out a 13GB file using a PC with 2GB RAM. I thought Subversion could do all this, but apparently it can't. (At least, it couldn't a couple of years ago and as far as I know it still can't; correct me if I'm wrong.) Is there a libre VCS or similar capable of all these things? Thanks for your help.

    Read the article

  • Building a system that allows users to see a video only once

    - by Bart van Heukelom
    My client wants to distribute a video to some people, specifically car dealers, but he doesn't want the video to end up on Youtube or something like that. Therefore he wants the recipients of the video to be able to see it only once. My idea to implement this is: Generate a unique key per viewer Send each viewer a link to a page with a Flash based video player, with their key in the URL Have Flash get the video from the server. On the server the key is checked and the file sent (using php's readfile or something equivalent). Then the key is invalidated. I was thinking this wouldn't take more than a day to build. I know that if you want somebody to be able to play something, you implicitly give them the power to record it as well, but the client just wants me to make it as hard as possible. Do you think this is secure enough for the intended audience? Anything else I can do to add some security without exceeding the development time of 1 day? I'm also interested in ready made solutions, if they exist.

    Read the article

  • How to build a simulation of a login hardware token in .Net

    - by Michel
    Hi, i have a hardware token for remote login to some citrix environment. When i click the button on the device, i get an id and i can use that to login to the citrix farm. I can click the button as much as i like, and every time a new code gets generated, and they all work. Now i want to secure my private website likewise, but not with the hardware token, but with a 'token app' on my phone. So i run an app on my phone, generate a key, and use that to (partly) authenticate myself on the server. But here's the point: i don't know how it works! How can i generate 1, 2 or 100 keys at one time which i can see (on the server) are all valid, but without the server and the phone app having contact (the hardware token also is an 'offline' solution). Can you help me with a hint how i would do this? This is what i thought of so far: the phone app and the server app know (hardcoded) the same encryption key. The phone app encrypts the current time. The server app decrypts the string to the current time and if the diff between that time and the actual server time is less than 10 minutes it's an ok. Difficult for other users to fake a key, but encryption gives such nasty strings to enter, and the hardware token gives me nice things like 'H554TU8' And this is probably not how the real hardware token works, because the server and the phone app must 'know' the same encryption key. Michel

    Read the article

  • #1146 - Table 'phpmyadmin.pma_recent' doesn't exist

    - by Mumin Ali
    Solution Guys... FYI i am using xampp to use phpmyadmin. and this error happens during the process of creating a database on localhost. Below is the code for config.inc file under phpmyadmin directory: <?php /* * This is needed for cookie based authentication to encrypt password in * cookie */ $cfg['blowfish_secret'] = 'xampp'; /* YOU SHOULD CHANGE THIS FOR A MORE SECURE COOKIE AUTH! */ /* * Servers configuration */ $i = 0; /* * First server */ $i++; /* Authentication type and info */ $cfg['Servers'][$i]['auth_type'] = 'HTTP'; $cfg['Servers'][$i]['user'] = 'root'; $cfg['Servers'][$i]['password'] = 'password'; $cfg['Servers'][$i]['extension'] = 'mysql'; $cfg['Servers'][$i]['AllowNoPassword'] = true; $cfg['Lang'] = ''; /* Bind to the localhost ipv4 address and tcp */ $cfg['Servers'][$i]['host'] = 'localhost'; $cfg['Servers'][$i]['connect_type'] = 'tcp'; /* User for advanced features */ $cfg['Servers'][$i]['controluser'] = 'pma'; $cfg['Servers'][$i]['controlpass'] = ''; /* Advanced phpMyAdmin features */ $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark'; $cfg['Servers'][$i]['relation'] = 'pma_relation'; $cfg['Servers'][$i]['table_info'] = 'pma_table_info'; $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords'; $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages'; $cfg['Servers'][$i]['column_info'] = 'pma_column_info'; $cfg['Servers'][$i]['history'] = 'pma_history'; $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords'; $cfg['Servers'][$i]['tracking'] = 'pma_tracking'; $cfg['Servers'][$i]['userconfig'] = 'pma_userconfig'; $cfg['Servers'][$i]['recent'] = 'pma_recent'; $cfg['Servers'][$i]['table_uiprefs'] = 'pma_table_uiprefs'; /* * End of servers configuration */ ?>

    Read the article

  • WCF + Azure = Nightmare!

    - by lsb
    Hi! I've spent the prior week trying to get a secure form of WCF to work on Azure, but all to no avail! My use case is pretty simple. I want to call a WCF endpoint in the cloud and pass messages to be queued for a Worker Role. Beyond that I want to limit access to pre-authrorized users, authenticated via username & password. I've tried to get this working with Transport, TransportWithMessageCredential and Message security but nothing seems to work. Indeed, I've worked through every example and snippet that I could find, most recently the "Service using binary HTTP binding with transport security and message credentials and Silverlight client" example on the http://code.msdn.microsoft.com/wcfazure page. I'm pretty sure that I'm being knocked down by small bugs and beta changes but the end result is that I'm totally stuck. This is a critical path item for me so any suggestions would be greatly appreciated. A complete working example or a walkthrough would be even better!

    Read the article

  • Web Applications Development: Security practices for Application design

    - by Shyam
    Hi, As I am creating more web applications that are targeted for multiple users, I figured out that I have to start thinking about user management and security. At a glance and in my ideal world, all users belong to a group. Permissions and access is thus defined per group (and inherited by the users of that group). Logically, I have my group of administrators, which are identified with a level "7" (integer) clearance. A group of webusers have for example level "1". This in generally all works great for me, but I need some kind of list that I have to keep in mind how I secure my system, and some general practices. I am not looking for a specific environment; I want to learn the why's and how's. An example is privilege escalation. If someone would be able to "push" themselves inside a group with higher privileges, for example the Administration, how can I prevent this, or what measures should I take to have some sort of precaution? I don't like in that case to walk into a caveat. My question is basically: where can I find a good resource, list, policy, book that explains the security of web applications, the why's, the how's and readable if you don't have any experience in the realm of advanced security? I prefer a free resource, as I believe I couldn't be the first one who thought about this. Thank you for your answers, comments and feedback.

    Read the article

  • jQuery password strength plugin callback validation method

    - by jmorhardt
    I'm using a a jQuery plugin to evaluate password strength. It gives a graphical representation for the user to see how secure the password is. I'd like to use it to validate the field as well. The plugin works by assessing the password and giving it a score. I want to be able to verify that the user has entered a password of at least a certain score. The code is hosted on jQuery's site here: http://plugins.jquery.com/project/pstrength. The documentation states that there is a way to add a rule and do custom validation. I'm not sure where to start. The inline documentation states: * === Changelog === * Version 2.1 (18/05/2008) * Added a jQuery method to add a new rule: jQuery('input[@type=password]').pstrength.addRule(name, method, score, active) And later in the code there's this method: jQuery.extend(jQuery.fn.pstrength, { 'addRule': function (name, method, score, active) { digitalspaghetti.password.addRule(name, method, score, active); return true; }, 'changeScore': function (rule, score) { digitalspaghetti.password.ruleScores[rule] = score; return true; }, 'ruleActive': function (rule, active) { digitalspaghetti.password.rules[rule] = active; return true; } }); If anybody has seen an example of how to do this I'd appreciate a pointer in the right direction. Thanks!

    Read the article

  • ASP.Net Session Storage provider in 3-layer architecture

    - by Tedd Hansen
    I'm implementing a custom session storage provider in ASP.Net. We have a strict 3-layer architecture and therefore the session storage needs to go through the business layer. Presentation-Business-Database. The business layer is accessed through WPF. The database is MSSQL. What I need is (in order of preference): A commercial/free/open source product that solves this. The source code of a SqlSessionStateStore (custom session store) (not the ODBC-sample on MSDN) that I can modify to use a middle layer. I've tried looking at .Net source through Reflector, but the code is not usable. Note: I understand how to do this. I am looking for working samples, preferably that has been proven to work fine under heavy load. The ODBC sample on MSDN doesn't use the (new?) stored procs that the build in SqlSessionStateStore uses - I'd like to use these if possible (decreases traffic). Edit1: To answer Simons question on more info: ASP.Net Session()-object can be stored in either InProc, ASP.Net State Service or SQL-server. In a secure 3-layer model the presentation layer (web server) does not have direct/physical access to the database layer (SQL-server). And even without the physical limitations, from an architectural standpoint you may not want this. InProc and ASP.Net State Service does not support load balancing and doesn't have fault tolerance. Therefore the only option is to access SQL through webservice middle layer (business layer).

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 126 127 128 129 130 131 132 133 134 135 136 137  | Next Page >