Search Results

Search found 9696 results on 388 pages for 'proxy authentication'.

Page 137/388 | < Previous Page | 133 134 135 136 137 138 139 140 141 142 143 144  | Next Page >

  • two scp and ssh processes with single authentication

    - by Tomek Wyderka
    I need to scp and then ssh to the same host. Is it possible to authenticate just one time? Is it possible to input password once, then scp file, then ssh on that host and work interactively? Update I get HOSTNAME and SSH_PASSWORD. I never log in on that machine before. I need to send some files (probably using scp) and then log in using ssh and work on that HOST interactively. I want to save time and input password just once. I have lots of such hosts...

    Read the article

  • Solr authentication possible? (or apache port authentication would also work)

    - by Camran
    Currently anybody can access the solr admin page by going to my_ip:8983/solr I can't have it like that, so how can I make it prompt for password or something? I have setup my servers apache2.conf file to prompt for password whenever my site is accessed by www.mydomain.com. But when using another port, the "require password" wont show up. Any ideas how to secure this? Don't point me to the SolrSecurity wiki because it's simply too outdated. I have tried it without luck. Thanks

    Read the article

  • Spring Security RememberMe Services with Session Cookie

    - by Jarrod
    I am using Spring Security's RememberMe Services to keep a user authenticated. I would like to find a simple way to have the RememberMe cookie set as a session cookie rather than with a fixed expiration time. For my application, the cookie should persist until the user closes the browser. Any suggestions on how to best implement this? Any concerns on this being a potential security problem? The primary reason for doing so is that with a cookie-based token, any of the servers behind our load balancer can service a protected request without relying on the user's Authentication to be stored in an HttpSession. In fact, I have explicitly told Spring Security to never create sessions using the namespace. Further, we are using Amazon's Elastic Load Balancing, and so sticky sessions are not supported. NB: Although I am aware that as of Apr. 08, Amazon now supports sticky sessions, I still do not want to use them for a handful of other reasons. Namely that the untimely demise of one server would still cause the loss of sessions for all users associated with it. http://aws.amazon.com/about-aws/whats-new/2010/04/08/support-for-session-stickiness-in-elastic-load-balancing/

    Read the article

  • Authenticating Windows 7 against MIT Kerberos 5

    - by tommed
    Hi There, I've been wracking my brains trying to get Windows 7 authenticating against a MIT Kerberos 5 Realm (which is running on an Arch Linux server). I've done the following on the server (aka dc1): Installed and configured a NTP time server Installed and configured DHCP and DNS (setup for the domain tnet.loc) Installed Kerberos from source Setup the database Configured the keytab Setup the ACL file with: *@TNET.LOC * Added a policy for my user and my machine: addpol users addpol admin addpol hosts ank -policy users [email protected] ank -policy admin tom/[email protected] ank -policy hosts host/wdesk3.tnet.loc -pw MYPASSWORDHERE I then did the following to the windows 7 client (aka wdesk3): Made sure the ip address was supplied by my DHCP server and dc1.tnet.loc pings ok Set the internet time server to my linux server (aka dc1.tnet.loc) Used ksetup to configure the realm: ksetup /SetRealm TNET.LOC ksetup /AddKdc dc1.tnet.loc ksetip /SetComputerPassword MYPASSWORDHERE ksetip /MapUser * * After some googl-ing I found that DES encryption was disabled by Windows 7 by default and I turned the policy on to support DES encryption over Kerberos Then I rebooted the windows client However after doing all that I still cannot login from my Windows client. :( Looking at the logs on the server; the request looks fine and everything works great, I think the issue is that the response from the KDC is not recognized by the Windows Client and a generic login error appears: "Login Failure: User name or password is invalid". The log file for the server looks like this (I tail'ed this so I know it's happening when the Windows machine attempts the login): If I supply an invalid realm in the login window I get a completely different error message, so I don't think it's a connection problem from the client to the server? But I can't find any error logs on the Windows machine? (anyone know where these are?) If I try: runas /netonly /user:[email protected] cmd.exe everything works (although I don't get anything appear in the server logs, so I'm wondering if it's not touching the server for this??), but if I run: runas /user:[email protected] cmd.exe I get the same authentication error. Any Kerberos Gurus out there who can give me some ideas as to what to try next? pretty please?

    Read the article

  • Why does Silverlight 4 ClientHttp WebRequest prompt the user for a login and password?

    - by James Cadd
    One of the new features of the client http stack in Silverlight 4 is the ability to supply network credentials. When I use this feature Windows shows a "Windows Security" message box that prompts the user for a login and password (text in the box is "The server xx at xx requires a username and password. Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)."). I'm setting the login and password as shown below so I'm not sure why this is displayed. My code is: var request = WebRequestCreator.ClientHttp.Create(new Uri("http://myserver:8080/gui/?list=1")); request.Credentials = new NetworkCredential("login", "password"); request.BeginGetResponse(new AsyncCallback(OnRequestComplete), request); If I enter the username and password into the messagebox the request completes successfully. For a number of reasons I'd rather prompt the user for the login and password so I'd like to avoid the messagebox if possible. My setup is Silverlight 4 final, VS 2010 final, Windows 7 x86. The application is out of browser with elevated permissions.

    Read the article

  • Single Sign On for Web Application and Application in Virtual Directory

    - by Stefan
    To enable single sign-on for a web application and a web application in a virtual directory, I set the machinekey in both apps to the same: <machineKey validationKey="xxx" decryptionKey="yy" validation="SHA1" /> The single sign on works just fine, but existing users can't sign in any more; their passwords are rejected. The machinekey used to be this in the parent application: <machineKey validationKey="xxx,IsolateApps" decryptionKey="yy,IsolateApps" validation="SHA1" /> I tried other ways to make single sign on work, but it just won't as long as the keys contain "IsolateApps". What am I missing? I should add that the in the membership provider, passwordFormat is set to "Encrypted". So I assume the password was encrypted using the key that contained "IsolateApps" and now when it tries to validate the password it's using the key without the "IsolateApps". Still not sure how to solve that problem. Is there maybe a way that I can set the encryption keys for the password separately from the one that is used for the authentication cookie?

    Read the article

  • How to get current Joomla user with external PHP script

    - by Joey Adams
    I have a couple PHP scripts used for AJAX queries, but I want them to be able to operate under the umbrella of Joomla's authentication system. Is the following safe? Are there any unnecessary lines? joomla-auth.php (located in the same directory as Joomla's index.php): <?php define( '_JEXEC', 1 ); define('JPATH_BASE', dirname(__FILE__)); define( 'DS', DIRECTORY_SEPARATOR ); require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' ); require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' ); /* Create the Application */ $mainframe =& JFactory::getApplication('site'); /* Make sure we are logged in at all. */ if (JFactory::getUser()->id == 0) die("Access denied: login required."); ?> test.php: <?php include 'joomla-auth.php'; echo 'Logged in as "' . JFactory::getUser()->username . '"'; /* We then proceed to access things only the user of that name has access to. */ ?>

    Read the article

  • WCF net.tcp bindings, message formats and security questions

    - by RemotecUk
    Hi, sorry for the stupid questions but there are just some things about WCF I cant get my head around. Would be greatful for some advice on the following.... At a very basic level is it correct that WCF uses either Binary (Net.Tcp), HTTP or MSMQ to transfer my message on the wire? However is it true that in all cases, regardless of how the data is transferred the message itself in in the SOAP format with headers and a body? So its a sort of XML message that is transmitted in either HTTP/S or in a binary format. Is Net.Tcp a good choice for my client server app - its similar to a messenger app in that the clients are all remote users on the other side of the firewall to my server. Most things I am reading are telling to use WS* and HTTP. Is Net.Tcp secured by standard and without certificates? - that is - people cannot listen on the wire and decode the data thats going to and from. Is it possible to send a username and password using net.tcp and without an installed certificate? If so I presume I can hook this up to my membership provider and authenticate access to each method on my service contract implementation. I presume that with username and password security, the proxy is initialised with the username and password and that this information is is sent with every request. Then my membership provider will be invoked for each method call and do whatever it needs to do to get the authorisation for the method. Sorry for the dump of questions but would be great to know if Im thinking the right way about how WCF works. Thanks.

    Read the article

  • Problems requesting the LDAP: The server is unwilling to process the request.

    - by Flo
    We have written an authentication provider for a SharePoint web application which can requests multiple LDAP directories. One of the LDAP server have to be requested via SSL. So we imported the CA certificate which was used to sign the LDAP server's certificate into the certificate store of the SharePoint server. The following code snippet shows how we authenticate an user. The passed credentials (account, password) belong to the user we want to authenticate. var entry = new DirectoryEntry("LDAP://<ldap-server-address>", "cn=account,ou=sub,o=xyz,c=de", "password", AuthenticationTypes.SecureSocketsLayer); var searcher = new DirectorySearcher(entry); var found = searcher.FindOne(); When the code is processed, the call to searcher.FindOne() throws following exception. System.Runtime.InteropServices.COMException (0x80072035): The server is unwilling to process the request What circumstance can lead to this error? UPDATE: I found some information about the error message. There the problem seems to be the certificate store, as the user has only stored the certificate in the in the user's store and not in the computer's store. Unfortunately we've already stored it there. So could this be still a certificate issue? UPDATE/SOLUTION: Actually the problem is solved. It seems as if the root CA certificate was imported correctly but the error messages the LDAP server responded was caused by an expired user account our customer gave us for testing.

    Read the article

  • Web service SSL handshake fails in production environment unless SSL debugging enabled

    - by JST
    Scenario: calling a client web service over SSL (https) with mutual SSL authentication. Different service endpoint URLs and certs (both keystore and truststore) for test vs. production environments. Both test and production environments run tomcat / JBoss clustered. Production environment has load balancing / BigIP, runs Blade and non-Blade machines. Truststore is set (using -Djavax.net.ssl.trustStore=value) at startup. Keystore is set using System.setProperty("javax.net.ssl.keyStore", "value") in Java code. Web service call made using Axis2. All works fine in test environment, but when we moved to production environment (6 servers), it appears certs are not being forwarded for the handshake. Here's what we've done: in test environment, handshake using test versions of certs has been working all along, with no ssl debugging enabled confirmed in test environment that handshake with client production endpoint succeeds (production certs, both ours and theirs, are fine) -- this was done using -Djavax.net.debug=handshake,ssl confirmed that the error condition occurs on all 6 production servers took one server out of the cluster, turned on ssl debugging for just that one (with a restart), hit it directly, handshake works! switched to a different server without the debugging turned on, handshake error condition occurs turned debugging on on that second server (with a restart), hit it directly, handshake works! From the evidence, it seems like somehow the debugging being enabled causes the certificates to be properly retrieved/conveyed, although that makes no sense! I wonder whether somehow the enabled debugging makes the system pay attention to the System.setProperty call, and ignore it otherwise. However, in local and test environments, handshake worked without debugging enabled. Do I maybe need to be setting keystore on server startup like I'm setting truststore? Have been avoiding that because the keystore will differ for each of our test environments (16 of them).

    Read the article

  • Programmatically implementing an interface that combines some instances of the same interface in var

    - by namin
    What is the best way to implement an interface that combines some instances of the same interface in various specified ways? I need to do this for multiple interfaces and I want to minimize the boilerplate and still achieve good efficiency, because I need this for a critical production system. Here is a sketch of the problem. Abstractly, I have a generic combiner class which takes the instances and specify the various combinators: class Combiner<I> { I[] instances; <T> T combineSomeWay(InstanceMethod<I,T> method) { // ... method.call(instances[i]) ... combined in some way ... } // more combinators } Now, let's say I want to implement the following interface among many others: Interface Foo { String bar(int baz); } I want to end up with code like this: class FooCombiner implements Foo { Combiner<Foo> combiner; @Override public String bar(final int baz) { return combiner.combineSomeWay(new InstanceMethod<Foo, String> { @Override public call(Foo instance) { return instance.bar(baz); } }); } } Now, this can quickly get long and winded if the interfaces have lots of methods. I know I could use a dynamic proxy from the Java reflection API to implement such interfaces, but method access via reflection is hundred times slower. So what are the alternatives to boilerplate and reflection in this case?

    Read the article

  • Is an LSA MSV1_0 subauthentication package needed for some impersonation use cases?

    - by Chris Sears
    Greetings, I'm working with a vendor who has implemented some code that uses a Windows LSA MSV1_0 subauthentication package (MSDN info if you're interested: http://msdn.microsoft.com/en-us/library/aa374786(VS.85).aspx ) and I'm trying to figure out if it's necessary. As far as I can tell, the subauthentication routine and filter allow for hooking or customizing the standard LSA MSV1_0 logon event processing. The issue is that I don't understand why the vendor's product would need these capabilities. I've asked them and they said they use it to perform impersonation. The product definitely does need to do impersonation, but based on my limited win32 knowledge, they could get the functionality they need using the normal auth APIs (LsaLogonUser, ImpersonateLoggedOnUser, etc) without the subauthentication package. Furthermore, I've worked with a number of similar products that all do impersonation, and this is the only one that's used a subauthentication package. If you're wondering why I would care, a previous version of the product had a bug in the subauthentication package dll that would cause lockups or bluescreens. That makes me rather nervous and has me questioning the use of such a low-level, kernel sensitive interface. I'd like to go back to the vendor and say "There's no way you could need an LSA subauth package for impersonation - take it out", but I'm not sure I understand the use cases and possible limitations of the standard win32 authentication/impersonation APIs well enough to make that claim definitively. So, to the win32 security gurus out there, is there any reason you would need an LSA MSV1_0 subauthentication package if all you were doing is impersonation? Thanks in advance for any thoughts!

    Read the article

  • How to set up RPX widget and facebook app to be able to authenticate with rpx_now?

    - by Andrei
    Using the sample app for rpx_now gem ( http://github.com/grosser/rpx_now_example) on localhost:3000, I have successfully logged in via Google Accounts, myOpenID, Yahoo, but cannot make it via Facebook. In the RPX app/widget settings I have set my facebook-app key and secret. In my facebook app settings, the Connect URL is myappname.rpxnow.com. But when I try to connect, then I don't even see a facebook login page, just a number of redirects and I am back to my localhost with the following exception http://gist.github.com/386520 . Before I was successfully connecting with oauth2 gem, however, without fetching user data - only authentication. That time I set only key/secret and localhost as my Connect URL. Currently, I don't even ask for email etc., but still the same problem. Can it happen because rpx_now cannot get requested user data from facebook? Or it is a problem of facebook key/secret? May be I need to provide more settings of my facebook app? RPXNow::ApiError in UsersController#create Got error: Invalid parameter: token (code: 1), HTTP status: 200 RAILS_ROOT: /home/Andrei/rpx_now_example Application Trace | Framework Trace | Full Trace /usr/lib/ruby/gems/1.8/gems/rpx_now-0.6.20/lib/rpx_now/api.rb:71:in `parse_response' /usr/lib/ruby/gems/1.8/gems/rpx_now-0.6.20/lib/rpx_now/api.rb:21:in `call' /usr/lib/ruby/gems/1.8/gems/rpx_now-0.6.20/lib/rpx_now.rb:23:in `user_data' /home/Andrei/rpx_now_example/app/controllers/users_controller.rb:16:in `create' Request Parameters: None Show session dump Response Headers: {"Content-Type"="", "Cache-Control"="no-cache"}

    Read the article

  • WCF configuration and ISA Proxies

    - by Morten Louw Nielsen
    Hi, I have a setup with a .NET WCF Service hosted on IIS. The client apps are connecting to the service through a set of ISA proxy's. I don't know how many and don't know about their configuration etc. In the client apps I open a client to the service and make several calls via the same client. It works great in my office, but when I deploy at the customer (using the ISAs), after some calls, the connection breaks. In a successfull case, the client will maximum live a few seconds, but is that too much? I think there might be several proxyes. Maybe it's using load ballancing. pseudo code is something like this: WcfClient myClient = new WcfClient(); foreach (WorkItem Item in WorkItemsStack) myClient.ProcessItem(Item); myClient.Close(); I am thinking whether I have to do something like this foreach (WorkItem Item in WorkItemsStack) { WcfClient myClient = new WcfClient(); myClient.ProcessItem(Item); myClient.Close(); } Any one with experience with this field? Kind Regards, Morten, Denmark

    Read the article

  • Authenticating to Google Search Appliance using Basic HTTP auth and ASP.NET (VB)

    - by Chainlink
    I've run into a snag though which has to do with authentication between the Google Search Appliance and ASP. Normally, when asking for secure pages from the search appliance, the search appliance asks for credentials, then uses these credentials to try and access the secure results. If this attempt is successful, the page shows up in the results list. Since ASP is contacting the search appliance on the client's behalf, it will need to collect credentials and pass them along to the search appliance. I have tried a couple of different documented ways of accomplishing this, but they don't seem to work. Below is the code I have tried: 'Bypass SSL since discovery.gov.mb.ca does not have valid SSL cert (NOT PRODUCTION SAFE) ServerCertificateValidationCallback = New System.Net.Security.RemoteCertificateValidationCallback(AddressOf customXertificateValidation) googleUrl = "https://removed.com" Dim rdr As New XmlTextReader(googleUrl) Dim resolver As New XmlUrlResolver() Dim myCred As New System.Net.NetworkCredential("USERNAME", "PASSWORD", Nothing) Dim credCache As New CredentialCache() credCache.Add(New Uri(googleUrl), "Basic", myCred) resolver.Credentials = credCache rdr.XmlResolver = resolver doc = New System.Xml.XPath.XPathDocument(rdr) path = doc.CreateNavigator() Private Function customXertificateValidation(ByVal sender As Object, ByVal certificate As System.Security.Cryptography.X509Certificates.X509Certificate, ByVal chain As System.Security.Cryptography.X509Certificates.X509Chain, ByVal sslPolicyErrors As Net.Security.SslPolicyErrors) As Boolean Return True End Function

    Read the article

  • Django - Override admin site's login form

    - by TrojanCentaur
    I'm currently trying to override the default form used in Django 1.4 when logging in to the admin site (my site uses an additional 'token' field required for users who opt in to Two Factor Authentication, and is mandatory for site staff). Django's default form does not support what I need. Currently, I've got a file in my templates/ directory called templates/admin/login.html, which seems to be correctly overriding the template used with the one I use throughout the rest of my site. The contents of the file are simply as below: # admin/login.html: {% extends "login.html" %} The actual login form is as below: # login.html: {% load url from future %}<!DOCTYPE html> <html> <head> <title>Please log in</title> </head> <body> <div id="loginform"> <form method="post" action="{% url 'id.views.auth' %}"> {% csrf_token %} <input type="hidden" name="next" value="{{ next }}" /> {{ form.username.label_tag }}<br/> {{ form.username }}<br/> {{ form.password.label_tag }}<br/> {{ form.password }}<br/> {{ form.token.label_tag }}<br/> {{ form.token }}<br/> <input type="submit" value="Log In" /> </form> </div> </body> </html> My issue is that the form provided works perfectly fine when accessed using my normal login URLs because I supply my own AuthenticationForm as the form to display, but through the Django Admin login route, Django likes to supply it's own form to this template and thus only the username and password fields render. Is there any way I can make this work, or is this something I am just better off 'hard coding' the HTML fields into the form for?

    Read the article

  • IIS 6 forces AppRoot/Starting Point to upper case when Virtual Directory is imported from a file

    - by user276464
    I have searched the web for this and couldn't find anything (well one remotely relevant post), so here I am. We have multiple ASP.NET apps in IIS 6 using Forms Authentication with dedicated path for each app. Since path is case sensitive it must match URL's path section exactly. However, because of an incorrect casing in IIS 6 Metabase for AppRoot (or Starting Point in IIS UI) bowser doesn't send Form cookie to the server whenever URL is previously resolved on the server and sent to client in incorrect case. Example: App URL = "https://Test.net/Application1" Cookie path = /Application1 Metabase AppRoot = /LM/W3SVC/1393818691/ROOT/APPLICATIONPATH1 Resolved URL = "https://Test.net/APPLICATIONPATH1" Now to the root cause... We create virtual directories on test server manually in a specific case (matches Path for each application). We then export virtual directory using UI to an XML file, which is then imported to another server (let's say production), at which point IIS decides to uppercase AppRoot element of the metabase. Can anyone shed some light on this? Is there a setting on IIS I am not aware of? I am trying to avoid manual edit of metabase after the import. Is that a bug?

    Read the article

  • AspNetMembership provider with WCF service

    - by Sly
    I'm trying to configure AspNetMembershipProvider to be used for authenticating in my WCF service that is using basicHttpBinding. I have following configuration: <system.serviceModel> <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> <bindings> <basicHttpBinding> <binding name="basicSecureBinding"> <security mode="Message"></security> </binding> </basicHttpBinding> </bindings> <behaviors> <serviceBehaviors> <behavior name="MyApp.Services.ComputersServiceBehavior"> <serviceAuthorization roleProviderName="AspNetSqlRoleProvider" principalPermissionMode="UseAspNetRoles" /> <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="AspNetSqlMembershipProvider"/> </serviceCredentials> <serviceMetadata httpGetEnabled="true" /> <serviceDebug includeExceptionDetailInFaults="true" /> </behavior> </serviceBehaviors> </behaviors> <services> <service behaviorConfiguration="MyApp.Services.ComputersServiceBehavior" name="MyApp.Services.ComputersService"> <endpoint binding="basicHttpBinding" contract="MyApp.Services.IComputersService" /> <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> </service> </services> </system.serviceModel> Roles are enabled and membership provider is configured (its working for web site). But authentication process is not fired at all. There is no calles to data base during request, and when I try to set following attribute on method: [PrincipalPermission(SecurityAction.Demand, Authenticated = true)] public bool Test() { return true; } I'm getting access denied exception. Any thoughts how to fix it?

    Read the article

  • how to verify browser IP for server-side web service

    - by Anthony
    I have a web service that needs to be able to verify the end-user's IP that called the server-script that is requesting the web service. Simple layout: Person A goes to Webpage B. Webpage B calls Web Service C to get some info on Person A. Web Service C won't give Webpage B the requested information without confirmation that the request originated from Person A's IP and not someone who has stolen Person A's session. I'm thinking that for a browser-based solution, the original site (Webpage B) can open an iframe that goes to the Web Service's authentication page. A key of some kind is passed to the browser which will some how indicate both the user's IP and Web Page B's IP, so that the Web Service can confirm that no one has nabbed anything. I have two challenges, but I'll stick to the more immediate one first: I'm not sure if my browser-based plan really makes sense. If someone steals the session cookie, how is the Web Service going to know? Would this cookie be held be Web Page B and thus be harder to steal? Is it a sound assumption that a cookie or key held by the server only and not the browser is safe? Also, would the web service, based on the iframe initial connection, be expecting the server/user-ip combo? What I mean is, does the session key provided via the iframe get stored by the web service and the Web Site B shows it has a match? Or is the session key more generic, meaning the web service is passed the key by Website B and the Web Service verifies that this is a valid session key based on what a valid session key should look like?

    Read the article

  • Browser security when calling HTTP assets via a SWF on a HTTPS site

    - by Mark Ursino
    We have a site that runs on HTTPS and needs to pull in various JS assets to run a video player on the page. We get a browser security warning on this page because the JS files we are externally calling are being accessed via HTTP, not HTTPS. E.g. // HTTP reference on a HTTPS site <script src="http://the-cdn.tld/player.js"></script> Simply accessing this one JS assets via HTTP and not HTTPS will cause the browser security warning which we need to get rid of. The provider of the JS file does not support an HTTPS equivalent (like Google Analytics does). We would ideally love to just do the following, but the provider does not have this: // HTTPS reference on a HTTPS site <script src="https://the-cdn.tld/player.js"></script> One option we had was to just download a copy of the JS file and serve it on the HTTPS site, however we have concerns with this as it is not recommended by the provider and will not include updates from them. Assuming we cannot do that, we were thinking a possible other option would be to use a SWF file as a proxy. We were thinking that we could have one of our flash guys create a SWF that loads in the HTTP-served JS file to the page. We were wondering that if this SWF makes the request, would that prevent the browser from showing the security warning or not? I assumed that we would still see the warning since the SWF is still making the request through the browser, but I wanted to see what the hive mind thinks.

    Read the article

  • My Website was hacked using Statcounter! Does Statcounter keep a record of cookies?

    - by Cyril Gupta
    I had a rather interesting case of hacking on my ASP.Net MVC website. For this website I had implemented a rather uncomplicated authentication system for my admin area -- an encrypted cookie which had an identifying signature for the member. Whenever the admin visits the website the cookie would be decrypted and signature verified. If matching he wouldn't have to sign in. Couple of days ago a visitor on my site told me that he was able to sign into my website simply by clicking no a referral link on his Statcounter console which pointed to my admin area (I had visited his site from a link inside my admin view). He just clicked on a link in statcounter and he was signed in as the admin! The only way this could have happened was if statcounter somehow recorded my cookies and used those when he clicked on the link pointing to my admin! Is that logical or fathomable? I don't understand what's going on. Do you have any suggestions as to how I can protect my website against things like this?

    Read the article

  • How to elegantly handle ReturnUrl when using UrlRewrite in ASP.NET 2.0 WebForms

    - by Brian Kim
    I have a folder with multiple .aspx pages that I want to restrict access to. I have added web.config to that folder with <deny users="?"/>. The problem is that ReturnUrl is auto-generated with physical path to the .aspx file while I'm using UrlRewrite. Is there a way to manipulate ReturnUrl without doing manual authentication check and redirection? Is there a way to set ReturnUrl from code-behind or from web.config? EDIT: The application is using ASP.NET 2.0 WebForms. I cannot use 3.5 routing. EDIT 2: It seems like 401 status code is never captured. It returns 302 for protected page and redirects to login page with ReturnUrl. It does not return 401 for protected page. Hmm... Interesting... Ref: http://msdn.microsoft.com/en-us/library/aa480476.aspx This makes things harder... I might have to write reverse rewrite mapping rules to regex match ReturnUrl and replace it if it doesn't return 401... If it does return 401 I can either set RawUrl to Response.RedirectLocation or replace ReturnUrl with RawUrl. Anyone else have any other ideas?

    Read the article

  • Multiuser login into winforms application

    - by schoetbi
    Hi there, i have a winforms app in C# that needs access control for certain forms. That means, the application is running under the same (default) user at system startup, but certain forms need to be secured, so that only certain windows users could have access to the additional functions after identifying themself with username and password. For that step windows authentication should be used. Now the tricky part. Although the application was started under a "normal" user I would like the superusers to "login" into the special form without restarting the entiere application. My question now is. Is this possible (i.e. create one thread with the credentials of an administrator). Or do I need to setup another appdomain for that? Please give me a hint wather the user of a running application could be changed somehow. Thank you. EDIT I replaced administrators by "certain users" since the privileged user could be just another ordinary user that is granted access to the special functionality by the configuration of the installation.

    Read the article

  • Forms Auth: have different credentials for a subdirectory?

    - by Fyodor Soikin
    My website has forms authentication, and all is well. Now I want to create a subdirectory and have it also password-protected, but! I need the subdirectory to use a completely different set of logins/passwords than the whole website uses. Say, for example, I have users for the website stored in the "Users" table in a database. But for the subdirectory, I want the users to be taken from the "SubdirUsers" table. Which probably has a completely different structure. Consequently, I need the logins to be completely parallel, as in: Logging into the whole website does not make you logged into the subdirectory as well Clicking "logout" on the whole website does not nullify your login in the subdirectory And vice versa I do not want to create a separate virtual application for the subdirectory, because I want to share all libraries, user controls, as well as application state and cache. In other words, it has to be the same application. I also do not want to just add a flag to the "Users" table indicating whether this is a whole website user or the subdirectory user. User lists have to come from different sources. For now, the only option that I see is to roll my own Forms Auth for the subdirectory. Anybody can propose a better alternative?

    Read the article

< Previous Page | 133 134 135 136 137 138 139 140 141 142 143 144  | Next Page >