Search Results

Search found 14771 results on 591 pages for 'security policy'.

Page 168/591 | < Previous Page | 164 165 166 167 168 169 170 171 172 173 174 175  | Next Page >

• How are CD Keys generated?

  - by The Rook

  CD Keys are the defacto-standard as an anti-piracy measure. To be honest this strikes me as Security Though Obscurity, although I really have no idea how CD Keys are generated. What is a good (secure) example of CD Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators?

  Read the article

• Reliably detect caller domain over cURL request?

  - by Utkanos

  OK so server-side security is not my forte. Basically, I'm building a service which users may use (via an SDK) only on the domain they stipulated when they signed up. The SDK calls my web service over cURL in PHP. Would I be right in thinking I cannot reliably detect the caller domain, i.e. enforce that it is the same domain they stipulated when signing up? cURL of course sends this over headers, but headers can always (?) be faked. Is there a better course of action to enforce domain for this sort of thing? (NB I'm already using an API key, too - it's just I wanted to restrict domain, too) Thanks in advance

  Read the article

• Securing an ajax request

  - by asdasdsa

  i have a website that uses session cookies for security. it works fine and all, but any ajax requests right now are not secure. example being lets say a user is on a page. they can only get to this page if they are logged in with a session - so far so good. but now the ajax request they ask for is ajaxpages/somepage.php?somevar=something&anothervar=something if any other user decides to just go to that link themselves (without a session) they still get the same ajax output that was meant for logged in people. so obviously im going to have to pass session data across when i send an ajax request. anyone have any tips for the best way of doing this? ive never done this before and would rather use trusted methods than make up my own.

  Read the article

• URIs vs Hidden Forms

  - by NateDogg

  I'm working in the Codeigniter framework, and want to send requests to my controller/model that have several variables involved. Is there a difference between passing those variables via a hidden form (i.e. using "post") as opposed to passing them through URIs (e.g. 'travel/$month/$day/')? What about security concerns? e.g. URIs: http://www.example.com/travel/$month/$day/ Hidden Form: form_hidden('month',$month); form_hidden('day',$day);

  Read the article

• WYSIWYG-editor with "add custom html feature" and secure (validated) html output?

  - by Tom

  I've been looking into some of the WYSIWYG editors (TinyMCE, FCKEditor, etc.) and they all seem to offer a lot of options. However, one vital feature that seems to lack is a simple "add custom html" option which would allow the user to input any of these embed-snippets you find all around the web these days, for example a youtube video. This is different than a "edit html/source" feature as that requires actual knowledge of html and there is the risk of the user writing invalid code. Another issue that I couldn't find much about is the output html. How would I make sure that this output causes no security invulnerabilities? Even when the user has the ability to add his own html? So, basically, is there an open source WYSIWYG editor which covers these 2 features?

  Read the article

• does it make sense to send password information during email communication from websites

  - by Samuel

  Most of the online sites on registration do send a link to activate the site and on any further correspondence with the end user they provide information about the site and also provide the login credentials with password in clear text (as given below) Username - [email protected] Password - mysecretpassword What would you do in such a case? From a usability perspective does it make sense to send the password information in clear text or should you just avoid sending this information. I was under the impression that most of the passwords are MD5 hashed before storing in the database and hence the service provider will not have any access to clear text passwords, is this a security violation?

  Read the article

• MD5 password twice

  - by NoviceCoding

  I know MD5's safety is under question lately and this is the reason a lot of people are using salt (I dont understand this at all btw) but I was wondering if you wanted to easily implement a safe system in php can you just md5 something twice? like test 098f6bcd4621d373cade4e832627b4f6 fb469d7ef430b0baf0cab6c436e70375 So basically: $val = 'test'; $val = md5($val); $val = md5($val); Would that solve the whole rainbow security stuff? Is there an easy/noob proof way of making secure database passwords in php?

  Read the article

• Sending passwords over the web

  - by Falmarri

  So I'm working on a mobile platform application that I'd like to have users authenticate over the web. I was wondering the best way to do security. The user is sending a password for HTTP to a php server wich authenticates against a mysql database on the same server. Obviously I don't want to send the password in plain text over the internet, but I also don't want to do 2 SHA hashes. This is what the server looks like (in pseudocode) $pass = $_POST['pass']; if ((get PASSWORD where USERNAME = USERNAME) == SHA($pass)) return PASS; This is pretty standard and I don't think there's any other way to do this. But I was wondering how I should prepare the data before sending it over the internet.

  Read the article

• Disadvantages of hard coding credentials? What's the resolution?

  - by SeeBees

  I am building a Sharepoint web part that will be used by all users. The web part connects to a web service which needs credentials with higher privileges than common users. I hard coded credentials in the web part's code. query.Credentials = new System.Net.NetworkCredential("username", "password", "domain"); query is an instance of the web service class This may not be a good approach. In regard with security, source code of the web apart is available to people who are not allowed to see the credential. This is bad enough, But is there any other drawback of this approach? How to prevent hard coding credentials into the source code? Thanks

  Read the article

• Best way to Store Passwords, User information/Profile data and Photo/Video albums for a social websi

  - by Nick

  Need some help figuring out how to best Store Passwords, User information/Profile data and Photo/Video albums for a social website? For photos/videos the actual photo/video + even encrypting the URL with the IDs to the photo/videos so other users cannot figure it out. Creating a site like myspace and designing retirement documents but i am unsure how to specify the security requirements for the database. Two things: 1) Protect from outside users 2) Protect all these from employees being able to access this info For #2, the additional question is: If we encrypt the user info and password so even the system admins cannot get in, how can we retrieve the user data tomorrow if someone flags the user's account as spam and admin needs to check it out or if law enforcement wants info on a user? Thanks.

  Read the article

• I'm trying to implement 2 factor authentication on the cheap. How would I do that?

  - by Biff MaGriff

  Ok so I need 2 of the 3. Something the user knows. Something the user has. Something the user is. I have a system that is exposed to the internet and we need clients to connect in a secure manner to satisfy our security standards. I'm thinking when a user registers to use our system we send them an application that they install on their home system. The application generates a key based on a timed randomness algorithm. Our application server has the same algorithm so when the user submits their credentials with the key we know that they are a legitimate user. Is this a valid method of 2 factor authentication? What is another way of doing this? Are there any pitfalls that I should be aware of? Thanks for your help!

  Read the article

• Can Spring access-denied-handler refer to popup?

  - by Rens Groenveld

  I am working with Spring Security 3.1.x and have implemented method annotation securities. As I want, when I perform a certain action while being logged in as a used that doesn't have the rights, I get a 403 acces is denied in my console! Perfect! Now I would like to catch this 403, and give the user a popup with a custom message. I don't want to redirect users to a page saying that they have no rights. Is there any way the access-denied-handler of Spring can take care of a popup? Or can it only redirect to another page? Maybe there are other options for me? Thanks in advance!

  Read the article

• Sql server execute permission; failure to apply permissions

  - by WestDiscGolf

  I've just migrated from SQL2000 to SQL2008 and I have started getting an execute permission issue on a stored proc which uses sp_OACreate. The rest of the system works fine with the db login which has been setup and added to the database. I've tried: USE master GO GRANT EXEC ON sp_OACreate TO [dbuser] GO But this fails with the following error: Msg 15151, Level 16, State 1, Line 1 Cannot find the user 'dbuser', because it does not exist or you do not have permission. I'm logged into the server as sa with full permissions. I can execute a similar sql statement and apply the permissions to a server role, however not a login/user. How do I apply the changes to the specific user/login? I can apply the permissions to the public role and it resolves my issue; however this seems to be a security issue to me which I don't really want to apply to the live server.

  Read the article

• The risk of granting to IUSR* NTFS permissions on a folder on the server

  - by vtortola

  I have two web applications that must share a file in the server file system. Both apps are inside of "Inetpub\wwwroot". The file cannot be accessed freely from outside, so it is in a folder out of "Inetpub". I have granted full NTFS permissions to the user "IUSR_whatever" (is the user that runs IIS in anonymous requests) in that folder. The folder has only that file, and has no other use. It works so far :) But, what is the risk? what should I be afraid of? As I see it, as long the folder is out of the "InetPub" cannot be accessed, and as long the apps don't have any security flaw like "path traversal" or server side code injection, it should be safe enough.... But I'm always keen to be wrong :) What do you think? May the file or even the server itself get compromised because of this? Thanks.

  Read the article

• How long can a hash left out in the open be considered safe?

  - by Xeoncross

  If I were to leave a SHA2 family hash out on my website - how long would it be considered safe? How long would I have before I could be sure that someone would find a collision for it and know what was hashed? I know that the amount of time would be based on the computational power of the one seeking to break it. It would also depend on the string length, but I'm curious just how secure hashes are. Since many of us run web-servers we constantly have to be prepared for the day when someone might make it all the way to the database which stores the user hashes. So, move the server security out of the way and then what do you have? This is a slightly theoretical area for many of the people I have talked with, so I would love to actually have some more information about average expectations for cracking.

  Read the article

• Sitemap Links don't work on live site, Windows Authentication

  - by Chris

  I have a intranet site with Windows Authentication. I have 'Administrator' pages in an 'Administrator' folder that will only show for those in the admin group (windows security group) These pages work I have a folder with sub folders containing reports. These permissions are broken down for each type of report. They have similar role priveleges. When I test the application, I can navigate to the pages. When I deploy the site live on the intranet the links don't return a page. Error missing link 404. Do I need to set something in IIS?

  Read the article

• Secure to store an ID in an ASP.NET control ID?

  - by Curtis White

  I'm auto-generating a form in my ASP.NET page. This is already tested and working. I want to know if: If there are any security problems with storing the database ID as part of my controls ID? I can see think of 2 issues: the id will be visible in page source (not really important in this case), and the possibility someone could change the name of the control somehow? This second possibility is more serious. Is this a potential problem and how to void it? If there would be a better preferred way to associate a unique data with any type of control? Is it possible to store a custom item in the viewstate for the control?

  Read the article

• Securing Web Services approach valid?

  - by NBrowne

  Hi , Currently I am looking at securing our web services. At the moment we are not using WCF so this is not an option. One approach I have seen and implemented locally fairly easily was the approach described in article: http://www.codeproject.com/KB/aspnet/wsFormsAuthentication.aspx Which describes adding a HttpModule which prompts for user credentials if the user browses to any pages (web services) which are contained in a services folder. Does anyone see any way that this security could fall down and could be bypassed etc. I'm really just trying to decide whether this is a valid approach to take or not? thanks

  Read the article

• Secure xml messages being read from database into app.

  - by scope-creep

  I have an app that reads xml from a database using NHibernate Dal. The dal calls stored procedures to read and encapsulate the data from the schema into an xml message, wrap it up to a message and enqueue it on an internal queue for processing. I would to secure the channel from the database reads to the dequeue action. What would be the best way to do it. I was thinking of signing the xml using System.Security.Cryptography.Xml namespace, but is their any other techniques or approaches I need to know about? Any help would be appreciated. Bob.

  Read the article

• Retrieve web user's Identity outside of request scope

  - by Kendrick

  I have an ASP.NET app that logs Audit reports using nHibernate's IPreUpdateListener. In order to set the current user in the Listener events, I was using System.Security.Principal.WindowsIdentity.GetCurrent(). This works fine when debugging on my machine, but when I move it to the staging server, I'm getting the ASP.NET process credentials, not the requesting user. In the ASP.NET page, I can use Request.LogonUserIdentity (which works fine since I'm using integrated authentication), but how do I reference this user directly without having to pass it directly to my event? I don't want to have to pass this info through the pipeline because it really doesn't belong in the intermediate events/calls.

  Read the article

• Established javascript solution for secure registration & authentication without SSL

  - by Tomas

  Is there any solution for secure user registration and authentication without SSL? With "secure" I mean safe from passive eavesdropping, not from man-in-the-middle (I'm aware that only SSL with signed certificate will reach this degree of security). The registration (password setup, i.e. exchanging of pre-shared keys) must be also secured without SSL (this will be the hardest part I guess). I prefer established and well tested solution. If possible, I don't want to reinvent the wheel and make up my own cryptographic protocols. Thanks in advance.

  Read the article

• Web Application - Authentication / Login Framework

  - by user456563

  This is a very simple, probably a most asked question and frequently developed as part of any web application. Say I'm planning to build a web application and some of the functional requirements include (apart from the usual hard hitting security reqs), - Need to have users sign up for a new account profile - Authenticate user using the native app authentication / Facebook or Google or Yahoo or OpenId login - Allow lost password retrieval - Session handling needs Is there an out of the box frameworks (Drupal, Liferay??) that I can use to wrap my application which can be a bunch of JSP's or HTML's with JS? I know I'm asking a very simple and maybe a naive question. But this is a topic every web developer guru will go thru. Any help, advise and pointers much appreciated.

  Read the article

• Images with unknown content: Dangerous for a browser?

  - by chris_l

  Let's say I allow users to link to any images they like. The link would be checked for syntactical correctness, escaping etc., and then inserted in an <img src="..."/> tag. Are there any known security vulnerabilities, e.g. by someone linking to "evil.example.com/evil.jpg", and evil.jpg contains some code that will be executed due to a browser bug or something like that? (Let's ignore CSRF attacks - it must suffice that I will only allow URLs with typical image file suffixes.)

  Read the article

• PHP - How to determine if request is coming from a specific file.

  - by John

  I have fileA.php on SERVER_A and fileB.php on SERVER_B fileB.php makes a curl request to fileA.php for it's contents How can fileA.php determine that the request is coming specifically from fileB.php? -- I was thinking about sending the $_SERVER['SCRIPT_NAME'] in fileB.php to fileA.php but since someone can go into fileB.php or any file in general and just do $_SERVER['SCRIPT_NAME'] = 'fileB.php'; it's not really that secure. So how can I determine, for security reasons, that the request is coming from a specific file on a different server?

  Read the article

• Leaving SQL Management open on the internet

  - by Tim Fraud

  I am a developer, but every so often need access to our production database -- yeah, poor practice, but anyway... My boss doesn't want me directly on the box using RDP, and so we decided to just permit MS SQL Management Console access so that I can do my tasks. So right now we have the SQL box somewhat accessible on the internet (on port 1433 if I am not mistaken), which opens a security hole. But I am wondering, how much of an uncommon practice is this, and what defaults should I be concerned about? We use MSSQL2008 and I created an account that has Read-Only access, because my production tasks only need that. I didn't see any unusual default accounts with default passwords on the system, so I would be interested to hear your take. (And of-course, is there a better way?)

  Read the article

< Previous Page | 164 165 166 167 168 169 170 171 172 173 174 175  | Next Page >