Search Results

Search found 16593 results on 664 pages for 'adf security deploy'.

  • Persisting sensitive data in asp.net, odd implementation

    - by rawsonstreet
    For reasons not in scope of this question I have implemented a .net project in an iframe which runs from a classic asp page. The classic asp site persisted a few sensitive values by hitting the db on each page. I have passed these variables as xml to the aspx page, now I need to make these values available on any page of this .net site. I've looked into the cache object but we are on a web farm so I am not sure it would work. Is there a way I can instantiate an object in a base page class and have other pages inherit from the base page to access these values? What is the best way to persist these values? A few more points to consider: the site runs in https mode and I cannot use session variables, and I would like to avoid cookies if possible.

  • Session Fixation in ASP.NET

    - by AJM
    I'm wondering how to prevent session fixation in ASP.NET. My approach to this would normally be to generate and issue a new session id whenever someone logs in. But is this level of control possible in ASP.NET land?

  • Why can't we just use a hash of passphrase as the encryption key (and IV) with symmetric encryption algorithms?

    - by TX_
    Inspired by my previous question, now I have a very interesting idea: Do you really ever need to use Rfc2898DeriveBytes or similar classes to "securely derive" the encryption key and initialization vector from the passphrase string, or will just a simple hash of that string work equally well as a key/IV, when encrypting the data with a symmetric algorithm (e.g. AES, DES, etc.)? I see tons of AES encryption code snippets, where the Rfc2898DeriveBytes class is used to derive the encryption key and initialization vector (IV) from the password string. It is assumed that one should use a random salt and a shitload of iterations to derive a secure enough key/IV for the encryption. While deriving bytes from a password string using this method is quite useful in some scenarios, I think that's not applicable when encrypting data with symmetric algorithms! Here is why: using a salt makes sense when there is a possibility to build precalculated rainbow tables, and when an attacker gets his hands on the hash he looks up the original password as a result. But... with symmetric data encryption, I think this is not required, as the hash of the password string, or the encryption key, is never stored anywhere. So, if we just get the SHA1 hash of the password, and use it as the encryption key/IV, isn't that going to be equally secure? What is the purpose of using the Rfc2898DeriveBytes class to generate the key/IV from the password string (which is a very very performance-intensive operation), when we could just use a SHA1 (or any other) hash of that password? A hash would result in random bit distribution in a key (as opposed to using string bytes directly). And the attacker would have to brute-force the whole range of keys (e.g. if the key length is 256 bits he would have to try 2^256 combinations) anyway. So either I'm wrong in a dangerous way, or all those samples of AES encryption (including many upvoted answers here at SO), etc. that use the Rfc2898DeriveBytes method to generate the encryption key and IV are just wrong.

  • What is this hacker trying to do?

    - by JW
    If you do a search for: http://www.google.co.uk/search?q=0x57414954464F522044454C4159202730303A30303A313527&hl=en&start=30&sa=N you will see a lot of examples of an attempted hack along the lines of: 1) declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) -- What exactly is it trying to do? Which db is it trying to work on? Do you know of any advisories about this?

  • An old flaw in X Window System. How does it work?

    - by Legend
    I was going through an article today when it mentioned the following: "We've found many errors over the years. One of the absolute best was the following in the X Window System: if(getuid() != 0 && geteuid == 0) { ErrorF("Only root"); exit(1); } It allowed any local user to get root access. (The tautological check geteuid == 0 was intended to be geteuid() == 0. In its current form, it compares the address of geteuid to 0; given that the function exists, its address is never 0)." The article explained what was wrong with the code but I would like to know what it means to say that "It allowed any local user to get root access". I am not an expert in C but can someone give me an exact context in which this exploit would work? Specifically, what I mean is, let's say I am the local user, how would I get root access if we assume this code to be present somewhere?

  • Securing input of private / protected methods?

    - by ts
    Hello, normally, all sane developers are trying to secure input of all public methods (casting to proper types, validating, sanitizing etc.) My question is: are you in your code also validating parameters passed to protected / private methods? In my opinion it is not necessary, if you properly secure parameters of public methods and return values from outside (other classes, db, user input etc...). But I am constantly facing frameworks and apps (i.e. prestashop to name one) where validation is often repeated in the method call, in the method body and once again to secure the returned value - which, I think, is creating performance overhead and is also a sign of bad design.

  • How to control access to third party HTML pages

    - by Wylie
    Hello, We have a Learning Management System (LMS) that runs on its own server (IIS/Server 2003). Students must login with Forms authentication to gain access to the content. We want to offer access to third party flash and audio that is embedded in HTML pages hosted on the third party server (IIS/Server 2003). Currently we use a frame in a pop-up window that is populated via a simple URL to the third party HTML pages. How can the third party control access to their content, so that only students who launch the pop-up windows from our site can access their content? Since the content is mostly video and flash, we would prefer not to stream all of their content through our server to the Student. We have a programming staff, so we could maybe... - either post or get for our HTTP request to the third party server - we could use SSL - we could programmatically assign a global NT user account to all of our users and then do some kind of Active Directory login from the LMS server to the third party server - could the third party content be hosted at Amazon S3? Would this allow for secure access/download? These are just ideas. We really have no idea. Any suggestions would be greatly appreciated. TIA, Wylie

  • Single Sign On with 3 applications

    - by John H.
    I'm building three web applications in .NET that will all share a users database and login information. Let's pretend that application 1 is the "parent" application and applications "A" and "B" are the "child" applications. All users have to be logged into application 1 to have access to applications A and B. Authorization, Authentication, and MachineKey sections of all web configs are present and work correctly. I have the correct web.config settings in all applications to achieve Single Sign On except one problem remains: what do I put in the "loginUrl" attribute of the forms tag in Applications A and B? Assume that the url for the login to application 1 is "www.johnsapp.com/login.aspx". How can I get applications A and B to send the user back to application 1 for authentication using only settings in web.config?

  • How to prevent a specific directory from running Php, Html, and Javascript languages?

    - by Emily
    Hi, Let's say I have an image uploader script. I want to prevent the upload directory from executing PHP or even HTML by only showing it as plain text. I've seen this trick in many websites but I don't know how they do it. Briefly, if I upload evil.php to that directory, and I try to access it, I will only see a plain text source, no HTML or PHP is executed (but I still want the images to appear normally of course). I know I can do it like that with header("content-type:text/plain"); but that will not be helpful, because what I want is to set the content-type:text/plain automatically by the server for everything outputted from the upload directory except images. Note: I'm running PHP 5.3.2/CentOS and the latest cPanel. Thanks

  • How do I validate the openid.op_endpoint when a request is completed?

    - by Sam Saffron
    I have an Open ID based authentication system on my site. Occasionally users will have an account registered under [email protected] and they will attempt to log in using the Google Open ID provider https://www.google.com/accounts/o8/id. In this case I would like to automatically associate the account and log them in. When the process is done I get a payload from somewhere claiming that openid.op_endpoint=https://www.google.com/accounts/o8/id. My question: Can I trust openid.op_endpoint to be correct? Can this be spoofed somehow by a malicious openid provider? For illustration, let's say someone types in http://evil.org as their openid provider, can I somehow end up getting a request back that claims openid.op_endpoint is google? Do I need to store extra information against the nonce to validate? The spec is kind of tricky to understand.

  • Using Forms authentication with remote auth system?

    - by chobo
    I am working on a website that uses a remote website's database to check for authentication (they both share some database tables, but are separate websites...) Right now I check the username and password against the remote website's account / member table, if there is a match I create a session. Questions: Is this secure? On authenticated pages I just check if a session of a specific type exists. Is it possible for someone to create an empty session or something that could bypass this? Is it possible to use Forms authentication with this setup? Right now if a user is authenticated I just get an object back with the username, email and id.

  • Safari - showing expired .NET Page

    - by Hidayath
    We have a strange problem in Safari. When the user logs out of our Web Application we expire the forms authentication with the following: FormsAuthentication.SignOut(); Session.Abandon(); This works fine in IE and Firefox (when the user hits the back button they are presented with a page expired message and are forced to log in) but in Safari the last page the user was working on shows up. I tried many of the suggested things like setting the Response.Expires but nothing helps. Has anyone faced this problem? Do you have any suggestions / workarounds? Thanks

  • Customer provider Password Reset client.

    - by ProfK
    I'm looking for guidance on writing a custom password reset UI, but it must fit the Provider 'Pattern', or degrade silently to built-in defaults. E.g. my Reset Control must collect extra information, and perform differently to the standard Password Recovery Control. It must as closely as possible use the standard MembershipProvider interface for standard functions, and only use an extended interface for the non-standard stuff. I'd like some reading on issues such as, what must I ask the Membership Provider for, and what must I do myself. What must I tell the provider (service?) about what I do? Etc.

  • How to play music on site preventing direct file download

    - by Hugo Palma
    I'm starting a blog with a hosted WordPress instance and I would like to be able to stream music using a flash player on some posts. The problem is that every player I find uses a simple param to get the file url which makes it very easy for someone to find that url and just download the file. A server side solution can be implemented as I have full access to the server.

  • How much effort does it take to spoof an Ip Address in a call to a webservice?

    - by Rory Becker
    I don't want to know how... Just how complicated.... I'm thinking of securing a webservice or 2 based on the incoming client IP address of the caller. Is this in any way secure? Surely if the IP address was being spoofed then the result would have to be sent back to the address that was being spoofed and therefore not reach the spoofer? Update: Ok so from what I can tell.... I should create a Gettoken() method which checks the IP address and passes out a cryptographically significant token with a timeout to any valid IP address. This is then required by any other method before any kind of side effect is allowed. Since an attacker can't (likely) get the token without having a valid IP, he will be unable to validly call any of my "dangerous" webmethods?

  • Is this safe on a production server?

    - by Camran
    I have a database application (or search engine) which is called Solr. I connect to it via port 8983. I do this from php code, so I add and remove records from it via php. On my server I have a firewall. I have set this firewall to only allow connections to and from this port (8983) from the IP address of my own server. In other words, only allow the server's IP to access this port. Is that safe? Or am I thinking all wrong here? Will others be able to "simulate" my IP address and act as the server? This is because otherwise others may add/remove records as they want from their own IP addresses... Thanks

  • How to Check Authenticity of an AJAX Request

    - by Alex Reisner
    I am designing a web site in which users solve puzzles as quickly as they can. JavaScript is used to time each puzzle, and the number of milliseconds is sent to the server via AJAX when the puzzle is completed. How can I ensure that the time received by the server was not forged by the user? I don't think a session-based authenticity token (the kind used for forms in Rails) is sufficient because I need to authenticate the source of a value, not just the legitimacy of the request. Is there a way to cryptographically sign the request? I can't think of anything that couldn't be duplicated by a hacker. Is any JavaScript, by its exposed, client-side nature, subject to tampering? Am I going to have to use something that gets compiled, like Flash? (Yikes.) Or is there some way to hide a secret key? Or something else I haven't thought of? Update: To clarify, I don't want to penalize people with slow network connections (and network speed should be considered inconsistent), so the timing needs to be 100% client-side (the timer starts only when we know the user can see the puzzle). Also, there is money involved so no amount of "trusting the user" is acceptable.
