Search Results

Search found 3707 results on 149 pages for 'secure'.

Page 131/149 | < Previous Page | 127 128 129 130 131 132 133 134 135 136 137 138  | Next Page >

• How would a user stay logged in to a REST-based website?

  - by unforgiven3

  A year or so ago I asked this question: Can you help me understand this? “Common REST Mistakes: Sessions are irrelevant”. My question was essentially this: Okay, I get that HTTP authentication is done automatically on every message - but how? Is the username/password sent with every request? Doesn't that just increase attack surface area? I feel like I'm missing part of the puzzle. The answers I received made perfect sense in the context of a mobile (iPhone, Android, WP7) app - when talking to a REST service, the app would just send user credentials along with each request. That worked great for me. But now, I would like to better understand how one would secure a REST-like website, like StackOverflow itself or something like Reddit. How would things work if it was a user logged in via a web browser instead of logged in via an iPhone app? What happens when a user logs in? Are the credentials saved in the browser somehow? How would the browser know what credentials to send with subsequent REST requests? What if it's a JavaScript call to a webservice? How would the JavaScript call include user credentials? I'll be quite frank: my understanding of security when it comes to websites is pretty limited. I enjoyed working with REST services from an app perspective, but now I want to try and build a website that is based on REST principles, and I'm finding myself to be pretty lost. If there is anything in the above question that is unclear that you'd like me to clarify, please leave a comment and I'll address it.

  Read the article

• Firing through HTTP a Perl script for sending signals to daemons

  - by Eric Fortis

  Hello guys, I'm using apache2 on Ubuntu. I have a Perl script which basically read the files names of a directory, then rewrites a text file, then sends a signal to a daemon. How can this be done, as secure as possible through a web-page? Actually I can run the code below, but not if I remove the comments. I'm looking for advise considering: Using HTTP Requests? How about Apache file permissions on the directory shown in code? Is htaccess enough to enable user/pass access to the cgi? Should I use a database instead of writing to a file and run a cron querying the db with permission granted to write and send the signal? Granting as less permissions as possible to the webserver. Should I set a VPN? #!/usr/bin/perl -wT use strict; use CGI; #@fileList = </home/user/*>; #read a directory listing my $query = CGI->new(); print $query->header( "text/html" ), $query->p( "FirstFileNameInArray" ), #$query->p( $fileList[0] ), #output the first file in directory $query->end_html;

  Read the article

• Bruteforcing Blackberry PersistentStore?

  - by Haoest

  Hello, I am experimenting with Blackberry's Persistent Store, but I have gotten nowhere so far, which is good, I guess. So I have written a a short program that attempts iterator through 0 to a specific upper bound to search for persisted objects. Blackberry seems to intentionally slow the loop. Check this out: String result = "result: \n"; int ub = 3000; Date start = Calendar.getInstance().getTime(); for(int i=0; i<ub; i++){ PersistentObject o = PersistentStore.getPersistentObject(i); if (o.getContents() != null){ result += (String) o.getContents() + "\n"; } } result += "end result\n"; result += "from 0 to " + ub + " took " + (Calendar.getInstance().getTime().getTime() - start.getTime()) / 1000 + " seconds"; From 0 to 3000 took 20 seconds. Is this enough to conclude that brute-forcing is not a practical method to breach the Blackberry? In general, how secure is BB Persistent Store?

  Read the article

• Is encrypting session id (or other authenticate value) in cookie useful at all?

  - by Ji

  In web development, when session state is enabled, a session id is stored in cookie(in cookieless mode, query string will be used instead). In asp.net, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including session id. I can understand why you want to encrypt private info such as DOB, but any private info should not be stored in cookie at first place. So for other cookie values such as session id, what is the purpose encryption? Does it add security at all? no matter how you secure it, it will be sent back to server for decryption. Be be more specific, For authentication purpose, turn off session, i don't want to deal with session time out any more store some sort of id value in the cookie, on the server side, check if the id value exists and matches, if it is, authenticate user. let the cookie value expire when browser session is ended, this way. vs Asp.net form authentication mechanism (it relies on session or session id, i think) does latter one offer better security?

  Read the article

• Using Lucene to index private data, should I have a separate index for each user or a single index

  - by Nathan Bayles

  I am developing an Azure based website and I want to provide search capabilities using Lucene. (structured json objects would be indexed and stored in Lucene and other content such as Word documents, etc. would be indexed in lucene but stored in blob storage) I want the search to be secure, such that one user would never see a document belonging to another user. I want to allow ad-hoc searches as typed by the user. Lastly, I want to query programmatically to return predefined sets of data, such as "all notes for user X". I think I understand how to add properties to each document to achieve these 3 objectives. (I am listing them here so if anyone is kind enough to answer, they will have better idea of what I am trying to do) My questions revolve around performance and security. Can I improve document security by having a separate index for each user, or is including the user's ID as a parameter in each search sufficient? Can I improve indexing speed and total throughput of the system by having a separate index for each user? My thinking is that having separate indexes would allow me to scale the system by having multiple index writers (perhaps even on different server instances) working at the same time, each on their own index. Any insight would be greatly appreciated. Regards, Nate

  Read the article

• How does this Bookmarklet allow you to stay signed into this site?

  - by Abs

  Hello all, I have come across Evernote's bookmarklet and was wondering how this worked. You can just drag it to your bookmark and go to any webpage, click that bookmarklet and it will first ask you to login in. All this I have done already and know how it works. The bit that I don't understand is that when you log in they authenticate you and allow you to submit stuff (in this case, a site url etc). When you are done the bookmarklet which placed a small overlay on the page you are viewing disappears. When you go to a new tab and use the bookmarklet again you are still logged in! How? I can see they are using an iFrame when their bookmarklet loads the overlay onto the page - but do they set cookies or something? If so, is this secure? Anyone can change the values? Or are they using some sort of private/public key system Btw, I would like to replicate this Bookmarklet using PHP/Javascript(JQuery maybe). I would appreciate if anyone can help me understand how they do this or point me to relevant tutorials. Thanks all for any help.

  Read the article

• Domain Authentication from .NET Client over VPN

  - by Holy Christ

  I am writing a ClickOnce WPF app that will sometimes be used over VPN. The app uses resources available only to domain authenticated users. Some of the things include accessing SSRS Reports, accessing LDAP to lookup user information, hitting web services, etc. When a user logs in from a machine that is not authenticated on the domain, I need to somehow get his credentials, authenticate him on the domain, and store his credentials. What is the recommended approach for authenticating domain users over VPN? How can I securely store the credentials? I've found several articles but, not much posted recently and a lot of the solutions seem kinda hacky, or aren't very secure (ie - storing strings clear text in memory). It would be cool if I could use the ActiveDicrtoryMembershipProvider, but that seems to be geared for use in web apps. EDIT: The above is kind of a workaround. The user must enter their domain credentials to authenticate on the VPN. It would be ideal to access the credentials the user has already entered to login to the VPN instead of the WindowsIdentity.GetCurrent() (which returns the user logged into the computer). Any ideas on how that could work? We use Juniper Networks to connect to the VPN. Thanks!

  Read the article

• iPhone Custom CA certificate for an application which uses NSURLConnection?

  - by jr

  I have an application which is communicating with many different sites and each site has its own SSL certificate signed by our own internal CA. Doing this prevents us the need from purchasing SSL certificates for each site (hundreds or thousands) and is more secure then using a wildcard certificate with a shared key on each of those sites. So, basically using a CA certificate is the only way. Right now, I have a mobileprovision file which will install the CA certificate as a profile on the phone. When our iPhone application launches if it gets an SSL Certificate error it redirects to a this mobile provision file via Safari and the user will be prompted to install the CA. The problem is that I am concerned that the Apple AppStore might deny my app for doing this (Just some feedback from other developers at this point), and I wanted to research other ways to accomplish this. Basically what I need to accomplish is allow an SSL connection which will verify against a custom CA certificate which will be embedded in my application. This will make the CA certificate active for only the calls I make. I am using the standard NSURLConnection methods in order to communicate with the service. Is this possible? Can someone show me how to load the CA (what form PEM?) and add it to the list of trusted CA certificates for my application? If that is not possible what other options do I have? Just trusting all certificates isn't really any option, we want to prevent man in the middle attacks and only trust our CA issued certificates. Thanks!

  Read the article

• MySQL query returning mysql_error

  - by Sebastian

  This returns mysql_error: <?php $name = $_POST['inputName2']; $email = $_POST['inputEmail2']; $instruments = $_POST['instruments']; $city = $_POST['inputCity']; $country = $_POST['inputCountry']; $distance = $_POST['distance']; // ^^ These all echo properly ^^ // CONNECT TO DB $dbhost = "xxx"; $dbname = "xxx"; $dbuser = "xxx"; $dbpass = "xxx"; $con = mysqli_connect("$dbhost", "$dbuser", "$dbpass", "$dbname"); if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); } $query = "INSERT INTO depfinder (name, email, instrument1, instrument2, instrument3, instrument4, instrument5, city, country, max_distance) VALUES ($name, $email, $instruments[0], $instruments[1], $instruments[2], $instruments[3], $instruments[4], $city, $country, $max_distance)"; $result = mysqli_query($con, $query) or die(mysqli_error($con)); // script fails here if (!$result) { echo "There was a problem with the signup process. Please try again later."; } else { echo "Success"; } } ?> N.B. I'm not sure whether it's relevant, but the user may not choose five instruments so some $instrument[] array values may be empty. Bonus question: is my script secure enough or is there more I could do?

  Read the article

• Where should global Application Settings be stored on Windows 7?

  - by Kerido

  Hi everybody, I'm working hard on making my product work seamlessly on Windows 7. The problem is that there is a small set of global (not user-specific) application settings that all users should be able to change. On previous versions I used HKLM\Software\__Company__\__Product__ for that purpose. This allowed Power Users and Administrators to modify the Registry Key and everything worked correctly. Now that Windows Vista and Windows 7 have this UAC feature, by default, even an Administrator cannot access the Key for writing without elevation. A stupid solution would, of course, mean adding requireAdministrator option into the application manifest. But this is really unprofessional since the product itself is extremely far from administration-related tasks. So I need to stay with asInvoker. Another solution could mean programmatic elevation during moments when write access to the Registry Key is required. Let alone the fact that I don't know how to implement that, it's pretty awkward also. It interferes with normal user experience so much that I would hardly consider it an option. What I know should be relatively easy to accomplish is adding write access to the specified Registry Key during installation. I created a separate question for that. This also very similar to accessing a shared file for storing the settings. My feeling is that there must be a way to accomplish what I need, in a way that is secure, straightforward and compatible with all OS'es. Any ideas?

  Read the article

• Continuous build infrastructure recommendations for primarily C++; GreenHills Integrity

  - by andersoj

  I need your recommendations for continuous build products for a large (1-2MLOC) software development project. Characteristics: ClearCase revision control Approx 80% C++; 15% Java; 5% script or low-level Compiles for Green Hills Integrity OS, but also some windows and JVM chunks Mostly an embedded system; also includes some UI pieces and some development support (simulation tools, config tools, etc...) Each notional "version" of the deliverable includes deployment images for a number of boards, UI machines, etc... (~10 separate images; 5 distinct operating systems) Need to maintain/track many simultaneous versions which, notably, are built for a variety of different board support packages Build cycle time is a major issue on the project, need support for whatever features help address this (mostly need to manage a large farm of build machines, I guess..) Operates in a secure environment (this is a gov't program) (Edited to add: This is a classified program; outsourcing the build infrastructure is a non-starter.) Interested in any best practices or peripheral guidance you might offer. The build automation issues is one of several overlapping best practices that appear to be missing on the program, but try to keep your answers focused on build infrastructure piece and observations directly related. Cost is not an object. Scalability and ease of retrofitting onto an existing infrastructure are key. JA

  Read the article

• Client Side Only Cookies

  - by Mike Jones

  I need something like a cookie, but I specifically don't want it going back to the server. I call it a "client side session cookie" but any reasonable mechanism would be great. Basically, I want to store some data encrypted on the server, and have the user type a password into the browser. The browser decrypts the data with the password (or creates and encrypts the data with the password) and the server stores only encrypted data. To keep the data secure on the server, the server should not store and should never receive the password. Ideally there should be a cookie session expiration to clean up. Of course I need it be available on multiple pages as the user walks through the web site. The best I can come up with is some sort of iframe mechanism to store the data in javascript variables, but that is ugly. Does anyone have any ideas how to implement something like this? FWIW, the platform is ASP.NET, but I don't suppose that matters. It needs to support a broad range of browsers, including mobile. In response to one answer below, let me clarify. My question is not how to achieve the crypto, that isn't a problem. The question is where to store the password so that it is persistent from page to page, but not beyond a session, and in such a way that the server doesn't see it.

  Read the article

• What prevents a user from adding controls to an ASP.NET page client side?

  - by Curtis White

  This goes back to my other question which I thought was sufficiently answers but upon reflect am not sure that it was (sorry). Backgrounder: I am generating a form dynamically. I am pulling from the database the controls. I must associate each control with a database ID which is not the user's session id. I do this currently by storing my ID in the ID for the web control with some other stuff to make it unique/clear what I am doing. On the post back, I iterate through all the controls on my web page checking for my special identifier, ie, MyGeneratedTextBox_ID_Unique. This process enables for 2 important steps, identifying the control was one I generated and also getting the ID for this input field. And, all of this works but I'm still concerned about the security of it. I do not see a security issue with showing the actual database ID's in this case, although agree it is not desirable. However, I am concerned of the following possibilities: If a user could add a nefarious control to my collection and use that for a SQL injection attack. More academic, but if a user could somehow store data for fields they do not have access too by changing the id's. I agree this is a "hack" of a way to do it. But my question is, is it a security risk and is there an 'easy' way to do it in a less hack way? I assume that only the controls that are created/instantiated on the page are added to the controls list.. thus all controls must be created server side and thus the security issue is address but just wanted to validate. Thanks again. PS: I could see adding a property for each control and encrypting the viewstate would be a little more secure.

  Read the article

• [C#] How to receive uncrackable data or so ? ;P

  - by Prix

  Hi, I am working on an C# application to communicate with my website and retrieve some information from it, using SSL which is working just fine. Now what i want/need is a way to receive encrypted or codified or obfuscated data that if some one cracks my application they will not be able to decrypt the data because it needs something from the server (api, website) but yet the application needs to decrypt it in order to use it... initally i was thinking of an inside RSA pair or keys, to send and receive the encrypt data but let's consider that someone has cracked the application, they could just replace those keys for keys they have made, so i was looking into some methods but havent found or been able to think of any way to harder this... I was learning about RSA, encryption and such and started developing this as a self learning and got involved with it and now i am trying to figure out a way to receive data like that... I have considered obfuscating and compiling my code with packers and etc but this is not about packing it etc... i am more interested in knowing a better way to secure what i described i know it may or is impossible but yet i am looking forward to some approch. I would appreciate advices, suggestions and C# code samples, if you need more information or anything please let me know.

  Read the article

• Make password case unsensitive in shared ASP.Net membership tables web ap

  - by bill

  Hi all, i have two webapps.. that share ASP.Net membership tables. Everything works fine except i cannot remove case-sensitivity in one of the apps the way i am doing it in the other. in the non-working app void Login1_LoggingIn(object sender, LoginCancelEventArgs e) { string username = Login1.UserName.Trim(); if (!string.IsNullOrEmpty(username)) { MembershipUser user = Membership.GetUser(username); if (user != null) { // Only adjust the UserName if the password is correct. This is more secure // so a hacker can't find valid usernames if we adjust the case of mis-cased // usernames with incorrect passwords. string password = Login1.Password.ToUpper(); if (Membership.ValidateUser(user.UserName, password)) { Login1.UserName = user.UserName; } } } } is not working. the password is stored as all upper case. Converted at the time the membership user is created! So if the password is PASSWORD, typing PASSWORD allows me to authenticate. but typing password does not! Even though i can see the string being sent is PASSWORD (converted with toUpper()). I am at a complete loss on this.. in the other app i can type in lower or upper or mixed and i am able to authenticate. In the other app i am not using the textboxes from the login control though.. not sure if this is making the difference??

  Read the article

• Log in to subdomain via main domain

  - by Mattias

  I have a website, available through multiple domainnames. like www.domain1.com .... www.domain5.com All my customers have their own subdomain. like: customer1.domain1.com customer2.domain1.com .... customer351.domain4.com Currently i dont use SSL, each customer log in their own account via their sub domain. I want to change this, and make all customers log in on a central log in page, that would use SSL, for example. https://login.domain1.com And somehow redirect each user to the correct sub domain adress. (Sub domain that don't use SSL) How do I do this, and maintain security? One idea i had: Login - add random value somewhere in the database, Redirect to subdomain, with querystring the randomvalue. And after that the session takes care of it, Each value can be used once only.. But how secure is that? I guess someone would ask the question "why?" to me. Because SSL costs money. And unfortunately i dont have a lot of it. :D Thanks for your time!

  Read the article

• How to control access to third party HTML pages

  - by Wylie

  Hello, We have a Learning Management System (LMS) that runs on its own server (IIS/Server 2003). Students must login with Forms authentication to gain access to the content. We want to offer access to third party flash and audio that is embedded in HTML pages hosted on the third party server (IIS/Server 2003). Currently we use a frame in a pop-up window that is populated via a simple URL to the third party HTML pages. How can the third party control access to their content, so that only students who launch the pop-up windows from our site can access their content? Since the content is mostly video and flash, we would prefer not to stream all of their content through our server to the Student. We have a programming staff, so we could maybe... - either post or get for our HTTP request to the third party server - we could use SSL - we could programmatically assign a global NT user account to all of our users and then do some kind of Active Directory login from the LMS server to the third party server - could the third party content be hosted at Amazon S3? Would this allow for secure access/download? These are just ideas. We really have no idea. Any suggestions would be greatly appreciated. TIA, Wylie

  Read the article

• How would I authenticate against a local windows user on another machine in an ASP.NET application?

  - by Daniel Chambers

  In my ASP.NET application, I need to be able to authenticate/authorise against local Windows users/groups (ie. not Active Directory) on a different machine, as well as be able to change the passwords of said remote local Windows accounts. Yes, I know Active Directory is built for this sort of thing, but unfortunately the higher ups have decreed it needs to be done this way (so authentication against users in a database is out as well). I've tried using DirectoryEntry and WinNT like so: DirectoryEntry user = new DirectoryEntry(String.Format("WinNT://{0}/{1},User", serverName, username), username, password, AuthenticationTypes.Secure) but this results in an exception when you try to log in more than one user: Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again. I've tried making sure my DirectoryEntries are used inside a using block, so they're disposed properly, but this doesn't seem to fix the issue. Plus, even if that did work it is possible that two users could hit that line of code concurrently and therefore try to create multiple connections, so it would be fragile anyway. Is there a better way to authenticate against local Windows accounts on a remote machine, authorise against their groups, and change their passwords? Thanks for your help in advance.

  Read the article

• How do I migrate from a basic plaintext password authentication to an OAuth based system?

  - by different

  Hello, Found out today that Twitter will be discontinuing its basic authentication for its API; the push is now towards OAuth but I don’t have a clue as to how to use it or whether it’s the right path for me. All I want to be able to do is post a tweet linking to the most recently published post when I hit publish. Currently I’m sending the login credentials for my Twitter account as plaintext, which I realise isn’t that secure but as my site is fairly small it isn’t an issue at least for now. I’m using this basic PHP code: $status = urlencode(stripslashes(urldecode("Test tweet"))); $tweetUrl = 'http://www.twitter.com/statuses/update.xml'; $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, "$tweetUrl"); curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 2); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, "status=$status"); curl_setopt($curl, CURLOPT_USERPWD, "$username:$password"); $result = curl_exec($curl); $resultArray = curl_getinfo($curl); if ($resultArray['http_code'] == 200) { curl_close($curl); $this->redirect(""); } else { curl_close($curl); echo 'Could not post to Twitter. Please go back and try again.'; } How do I move from this to an OAuth system? Do I need to?

  Read the article

• File upload fails when user is authenticated. Using IIS7 Integrated mode.

  - by Nikkelmann

  These are the user identities my website tells me that it uses: Logged on: NT AUTHORITY\NETWORK SERVICE (Can not write any files at all) and Not logged on: WSW32\IUSR_77 (Can write files to any folder) I have a ASP.NET 4.0 website on a shared hosting IIS7 web server running in Integrated mode with 32-bit applications support enabled and MSSQL 2008. Using classic mode is not an option since I need to secure some static files and I use Routing. In my web.config file I have set the following: <system.webServer> <modules runAllManagedModulesForAllRequests="true" /> </system.webServer> My hosting company says that Impersonation is enabled by default on machine level, so this is not something I can change. I asked their support and they referred me to this article: http://www.codinghub.net/2010/08/differences-between-integrated-mode-and.html Citing this part: Different windows identity in Forms authentication When Forms Authentication is used by an application and anonymous access is allowed, the Integrated mode identity differs from the Classic mode identity in the following ways: * ServerVariables["LOGON_USER"] is filled. * Request.LogognUserIdentity uses the credentials of the [NT AUTHORITY\NETWORK SERVICE] account instead of the [NT AUTHORITY\INTERNET USER] account. This behavior occurs because authentication is performed in a single stage in Integrated mode. Conversely, in Classic mode, authentication occurs first with IIS 7.0 using anonymous access, and then with ASP.NET using Forms authentication. Thus, the result of the authentication is always a single user-- the Forms authentication user. AUTH_USER/LOGON_USER returns this same user because the Forms authentication user credentials are synchronized between IIS 7.0 and ASP.NET. A side effect is that LOGON_USER, HttpRequest.LogonUserIdentity, and impersonation no longer can access the Anonymous user credentials that IIS 7.0 would have authenticated by using Classic mode. How do I set up my website so that it can use the proper identity with the proper permissions? I've looked high and low for any answers regarding this specific problem, but found nil so far... I hope you can help!

  Read the article

• Custom authentication module inheriting IHttpModule issue.

  - by Chandan Khatwani

  LoginPage.aspx:- protected void Button1_Click(object sender, EventArgs e) { Context.Items["Username"] = txtUserId.Text; Context.Items["Password"] = txtPassword.Text; // FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, Context.Items["Username"].ToString(), DateTime.Now, DateTime.Now.AddMinutes(10), true, "users", FormsAuthentication.FormsCookiePath); // Encrypt the cookie using the machine key for secure transport string hash = FormsAuthentication.Encrypt(ticket); HttpCookie cookie = new HttpCookie( FormsAuthentication.FormsCookieName, // Name of auth cookie hash); // Hashed ticket // Set the cookie's expiration time to the tickets expiration time if (ticket.IsPersistent) cookie.Expires = ticket.Expiration; Response.Cookies.Add(cookie); Response.Redirect("Default.aspx"); } Global.asax file:- void Application_AuthenticateRequest(object sender, EventArgs e) { if (HttpContext.Current.User != null) { if (HttpContext.Current.User.Identity.IsAuthenticated) { if (HttpContext.Current.User.Identity is FormsIdentity) { FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity; FormsAuthenticationTicket ticket = id.Ticket; // Get the stored user-data, in this case, our roles string userData = ticket.UserData; string[] roles = userData.Split(','); HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id, roles); Response.Write(HttpContext.Current.User.Identity.Name); Response.Redirect("Default.aspx"); } } } } I get the following error after signing in This webpage has a redirect loop. The webpage at http://localhost:1067/Default.aspx has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.

  Read the article

• Sanitize input before executing at server in php

  - by Interfaith

  I want to let user input two variable, Name and Password in a form. I want to disable any XSS or script insert in the input values. I have the following code in the form method: <form name="form1" method="post" action="checkpw.php"> Your Name: <table> <tr><td><input class="text" name="name" onBlur="capitalize(this);" maxlength=12 type="text" /></td></tr> </table> Password: <table> <tr><td><input class="text" name="passwd" maxlength=8 type="password" /></td></tr> <tr><td align="center"><br/> <input class="text" type="submit" name="submitbt" value="Login" /> </td></tr> </table> and the following checkpw.php: <?php // Clean up the input values $post = filter_input_array(INPUT_POST, array( 'name' => FILTER_SANITIZE_STRING, 'pw' => FILTER_SANITIZE_STRING, )); if (is_null($post) || in_array(null, $post)) { header("location:login.php"); return; // missing fields (or failed filter) } // pw is the password sent from the form $pw=$_POST['passwd']; $name=$_POST['name']; if($pw == 'testpass'){ header("location:index.php"); } else { header("location:wrong.php"); } ?> Is this a secure way to ensure the form is sent to the server and executed ONLY after the input values have been sanitized? Also, the $name value i want to pass it to index.php file. I insert a code in the index.php as follow: <?php echo $name ?> But it's empty. Any idea how to resolve it?

  Read the article

• getting windows username with javascript

  - by jbkkd

  I have a site which is built in ASP.net and C#. Let's call it webapp. it uses a Form system to log on into it, and cannot be changed easliy. I got a request to change the log in to some kind of windows authentication. I'll explain. Our windows login uses active directory for users to log into their windows account. their login name is sXXXXXXX. X are numbers. in my webapp, I want to take the users numbers from their active directory login, and check if those exist in the webapp database. if it exists, they will automatically log in. If it doesn't, they will be referred to the regular login page for the webapp system which is currently in use. I tried changing my IIS to disable anonymous login and enabling windows authentication, therefore making the user browser to send it's current logged in user name to my webapp. I changed the web config as well from "Forms" to "Windows", which made my whole webapp obsolete as the whole forms system did not work. My question is this - is there a different way for the browser only to send the username to my webapp? I thought maybe javascript, I just don't know how to implement that, if it's even possible. I know it's not very secure, but all this platform and system is built outside the internet, it's on a private network.

  Read the article

• Why does PDO print my password when the connection fails?

  - by Joe Hopfgartner

  I have a simple website where I establish a connection to a Mysql server using PDO. $dbh = new PDO('mysql:host=localhost;dbname=DB;port=3306', 'USER', 'SECRET',array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8")); I had some traffic on my site and the servers connection limit was reached, and the website throw this error, with my PLAIN password in it! Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[08004] [1040] Too many connections' in /home/premiumize-me/html/index.php:64 Stack trace: #0 /home/premiumize-me/html/index.php(64): PDO-__construct('mysql:host=loca...', 'USER', 'SECRET', Array) #1 {main} thrown in /home/premiumize-me/html/index.php on line 64 Ironically I switched to PDO for security reasons, this really shocked me. Because this exact error is something you can provoke very easily on most sites using simple http flooding. I now wrapped my conenction into a try/catch clause, but still. I think this is catastrophic! So I am new to PDO and my questino is: What do I have to consider to be safe! How to I establish a connection in a secure way? Are there other known security holes like this one that I have to be aware of?

  Read the article

• Why Can't Businesses Upgrade their Browsers from IE6/IE7?

  - by viatropos

  I have read lots these past few weeks on IE6, seeing if it was really that bad to make it look right. I have just learned HTML and CSS this past year so I've been spoiled to start with basically CSS3 and HTML5, and I can do some really cool stuff super fast. I'm no IE6 master and I don't have years of experience with IE. So I thought it'd take a little time to figure out all the hacks to IE6/7 discovered and just implement them. But it's way harder than that (or maybe just way too much work). I'd have to either completely rebuild my design using "Internet Explorer 'Principles'", or cut out a lot of the neat things I could do using more recent technologies. For a million and one other reasons, everyone who builds things online seems to think IE should die. My question is, why can't businesses upgrade their browsers? When I work with businesses, they almost always resist the first time I ask, but 5 seconds later I'll show them what it looks like on my computer and talk about how great the latest stuff is (how much more secure later browser are, all the famous IE security cases, how much smoother and faster they new browsers are, how the IE team has basically missed the boat entirely, how much smoother business processes run, etc.), and they get excited! And within a few seconds they're up and running with Chrome or something. So can businesses not upgrade for some reasons? What are the reasons a business cannot upgrade? The main reason I think of is because they have an old version of windows. But a) wasn't there a legal case against this? and b) somebody must have figured out how to install Chrome or Firefox on ancient versions of Windows by now.

  Read the article

< Previous Page | 127 128 129 130 131 132 133 134 135 136 137 138  | Next Page >