Search Results

Search found 15648 results on 626 pages for 'wcf security'.

Page 242/626 | < Previous Page | 238 239 240 241 242 243 244 245 246 247 248 249 | Next Page >

What is the best "forgot my password" method?

- by Edward Tanguay

I'm programming a community website. I want to build a "forgot my password" feature. Looking around at different sites, I've found they employ one of three options: send the user an email with a link to a unique, hidden URL that allows him to change his password (Gmail and Amazon) send the user an email with a new, randomly generated password (Wordpress) send the user his current password (www.teach12.com) Option #3 seems the most convenient to the user but since I save passwords as an MD5 hash, I don't see how option #3 would be available to me since MD5 is irreversible. This also seems to be insecure option since it means that the website must be saving the password in clear text somewhere, and at the least the clear-text password is being sent over insecure e-mail to the user. Or am I missing something here? So if I can't do option #1, option #2 seems to be the simplest to program since I just have to change the user's password and send it to him. Although this is somewhat insecure since you have to have a live password being communicated via insecure e-mail. However, this could also be misused by trouble-makers to pester users by typing in random e-mails and constantly changing passwords of various users. Option #1 seems to be the most secure but requires a little extra programming to deal with a hidden URL that expires etc., but it seems to be what the big sites use. What experience have you had using/programming these various options? Are there any options I've missed?

Read the article
[Architecture] Roles for white-label service access.

- by saurabhj

Okay, I know I'm doing something wrong - but can't figure out a better way. I am developing a website which is going to allow users to setup their own mini-websites. Something like Ning. Also, I have only 1 basic login and access to each mini website is provided (right now) via roles. So the way I am doing this right now is: Everytime a new mini website is created - say blah, I create 2 roles in my application. blah_users and blah_admin The user creating the mini website is given the role - blah_admin and every other user wanting to join this mini website (or network) is given the role - blah_user. Anyone can view data from any website. However to add data, one must be a member of that mini site (must have the blah_user role assigned) The problem that I am facing is that by doing a role based system, I'm having to do loads of stuff manually. Asp.Net 2 controls which work on the User.IsAunthenticated property are basically useless to me now because along with the IsAuthenticated property, I must also check if the user has the proper role. I'm guessing there is a better way to architect the system but I am not sure how. Any ideas? This website is being developed in ASP.Net 2 on IIS 6. Thanks a tonne!

Read the article
.Net - using FileIOPermission with mask in file name

- by Max Gontar

Hello! I would like to apply FileIOPermission on set of files using mask in file name, ex. on all txt files in folder C:\TMP: [type: FileIOPermission(SecurityAction.PermitOnly, Read = @"C:\TMP\*.txt")] class SomeClass { static void testPermissions() { Console.WriteLine("allowed action"); File.OpenRead(@"C:\TMP\1.txt"); // <--- here goes exception Console.WriteLine("denied action"); try { File.Create(@"C:\TMP\2.txt"); } catch (Exception e) { Console.WriteLine(e.Message); } finally { Console.ReadKey(); } } } This throws ArgumentException "Illegal characters in path." What is wrong? Is it possible to achieve anyway?

Read the article
Programatical authentication in J2EE 6

- by Kevin

Hello, is it possible to authenticate programmatically a user in J2ee 6? Let me explain with some more details: I've got an existing Java SE project with Servlets and hibernate; where I manage manually all the authentication and access control: class Authenticator { int Id string username } Authenticator login(string username, string password) ; void doListData(Authenticator auth) { if (isLoggedIn(auth)) listData(); else doListError } void doUpdateData (Authenticator auth) { if (isLoggedAsAdmin(auth)) updateData() ; else doListError(); } void doListError () { listError() ; } And Im integrating J2ee/jpa/servlet 3/... (Glassfish 3) in this project. I've seen anotations like : @RolesAllowed ("viewer") void doListdata (...) { istData() ; } @RolesAllowed("admin") void doUpdateData (...) { updateData() ; } @PermotAll void dolisterror () { listerror() ; } but how can I manually state, in login(), that my user is in the admin and/or viewer role?

Read the article
How to use the Rhino javascript engine in an applet

- by Robber

For my java program I'm using Rhino to execute JS scripts. Now I'm trying to convert it to an applet which works great, except that everytime it's calling evaluateString(...) the JVM throws an AccessControlException. After some (a lot) of research I found out that this is caused by Rhino's custom classloader. My problem is that after hours of googling I still can't find a way to stop Rhino from trying to load it's own classloader. I hope someone can help me...

Read the article
Authlogic, logout and credential capture

- by Paddy

Ok this is something weird. I got authlogic-oid installed in my rails app today. Everything works perfectly fine but for one small nuisance. This is what i did: I first register with my google openid. Successful login, redirection and my email, along with my correct openid is stored in my database. I am happy that everything worked fine! Now when i logout, my rails app as usual destroys the session and redirects me back to my root url where i can login again. Now if i try to login it still remembers my last login id. Not a big issue as i can always "Sign in as a different user" but i am wondering if there is anyway to not only logout from my app but also logout from google. I noticed the same with stack overflow's openid authentication system. Why am i so bothered about this, you may ask. But is it not a bad idea if your web apps end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his google account only to realize later that his google account had got hacked by some unworthy loser who just happened to notice that the one before had not logged out from google and say.. changed his password!! Should i be paranoid?

Read the article
HTTP requests and Apache modules: Creative attack vectors

- by pinkgothic

Slightly unorthodox question here: I'm currently trying to break an Apache with a handful of custom modules. What spawned the testing is that Apache internally forwards requests that it considers too large (e.g. 1 MB trash) to modules hooked in appropriately, forcing them to deal with the garbage data - and lack of handling in the custom modules caused Apache in its entirety to go up in flames. Ouch, ouch, ouch. That particular issue was fortunately fixed, but the question's arisen whether or not there may be other similar vulnerabilities. Right now I have a tool at my disposal that lets me send a raw HTTP request to the server (or rather, raw data through an established TCP connection that could be interpreted as an HTTP request if it followed the form of one, e.g. "GET ...") and I'm trying to come up with other ideas. (TCP-level attacks like Slowloris and Nkiller2 are not my focus at the moment.) Does anyone have a few nice ideas how to confuse the server and/or its modules to the point of self-immolation? Broken UTF-8? (Though I doubt Apache cares about encoding - I imagine it just juggles raw bytes.) Stuff that is only barely too long, followed by a 0-byte, followed by junk? et cetera I don't consider myself a very good tester (I'm doing this by necessity and lack of manpower; I unfortunately don't even have a more than basic grasp of Apache internals that would help me along), which is why I'm hoping for an insightful response or two or three. Maybe some of you have done some similar testing for your own projects? (If stackoverflow is not the right place for this question, I apologise. Not sure where else to put it.)

Read the article
Secure hash and salt for PHP passwords

- by luiscubal

It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. Is “double hashing” a password less secure than just hashing it once? Suggests that hashing multiple times may be a good idea. How to implement password protection for individual files? Suggests using salt. I'm using PHP. I want a safe and fast password encryption system. Hashing a password a million times may be safer, but also slower. How to achieve a good balance between speed and safety? Also, I'd prefer the result to have a constant number of characters. The hashing mechanism must be available in PHP It must be safe It can use salt (in this case, are all salts equally good? Is there any way to generate good salts?) Also, should I store two fields in the database(one using MD5 and another one using SHA, for example)? Would it make it safer or unsafer? In case I wasn't clear enough, I want to know which hashing function(s) to use and how to pick a good salt in order to have a safe and fast password protection mechanism. EDIT: The website shouldn't contain anything too sensitive, but still I want it to be secure. EDIT2: Thank you all for your replies, I'm using hash("sha256",$salt.":".$password.":".$id) Questions that didn't help: What's the difference between SHA and MD5 in PHP Simple Password Encryption Secure methods of storing keys, passwords for asp.net How would you implement salted passwords in Tomcat 5.5

Read the article
SQL Server 2008, Kerberos and SPN

- by andrew007

Hi, I installed SQL Server 2008 on a Win XP SP2 workstation in a AD domain and configured to run with the "Network Service" account. In my error log I have the following message (Event ID:26037): The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. **Error: 0xd, state: 13**. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies. The strange thing is that I have another SQL Server 2008 installation in a Win 2003 server configured in the same way and there I do not have this message. My questions are: Does anybody know if there are limitations with Kerberos on Windows XP and SQL Server? Why the SPN is not automatically registered on Win XP when I use the "Network Service" but it works on Windows 2003 server? THANKS!

Read the article
Secure ajax form POST

- by user194630

I was wondering how to develop a secure form post through AJAX. For example, i have: My HTML form. My JavaScript handling the submit. The submit url is "post_data.php" The posted data is: id=8&name=Denis The PHP verifies if variables id and name are POSTED and their data type. If this is ok it proceed to do some stuff on a database. My question is, how can i prevent someone from creating his own html form, outside my web site, or whatever, and posting false data to my PHP script? Imagine that data realy exists on my database, this could be bad. Thanks

Read the article
Looking for DOS/DDOS protection tools and strategies

- by Alexandre Victoor

I am working on a java application that exposes webservices for a flash client. Any idea on how to prevent DOS/DDOS attacks ? I cannot use mechanism unfriendly for the end user such as captcha. So far I have found mod_evasive, an apache module which looks quite promising... Any suggestions, best practices, tools I might use ? Thanks in advance

Read the article
how to hash a password?

- by 5YrsLaterDBA

My next task will be encrypt password. I am working at the database access layer and my co-work has this comment, implement SHA512 hash, on an empty method which I will implement it. any recommendation about this? thanks

Read the article
ActiveXObject issue in javaScript

- by shan.swf

hi.. I wrote a javascript function in my html page to execute an .exe file. for this i used ActiveXObject. my function is: //~~~~~~~~~~~~~~~~~~~~~~~~~~~JavaScript~~~~~~~~~~~~~~~~ function openWin(url) { if (!document.all) { alert ("Available only with Internet Explorer."); return; } var ws = new ActiveXObject("WScript.Shell"); ws.Exec(url); } //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It works fine but there is a alert "An ActiveX control might be unsafe to interact with other parts of the page. Do you want to allow this interaction?" comes up to confirm. If i say YES only it will get loaded. Pls anyone help me on this how to avoid this pop-up coming every time when i reload my html page.

Read the article
Somebody is storing credit card data - how are they doing it?

- by pygorex1

Storing credit card information securely and legally is very difficult and should not be attempted. I have no intention of storing credit card data but I'm dying to figure out the following: My credit card info is being stored on a server some where in he tworld. This data is (hopefully) not being stored on a merchant's server, but at some point it needs to be stored to verify and charge the account identified by merchant submitted data. My question is this: if you were tasked with storing credit card data what encryption strategy would you use to secure the data on-disk? From what I can tell submitted credit card info is being checked more or less in real time. I doubt that any encryption key used to secure the data is being entered manually, so decryption is being done on the fly, which implies that the keys themselves are being stored on-disk. How would you secure your data and your keys in an automated system like this?

Read the article
PHP password protection question?

- by PeAk

How do I use the sha512 function for PHP? Can I replace all my md5 funtions with the sha512 function? Do I have to download something if so what? Can any one provide examples? Thanks!

Read the article
Generate an LTPA token?

- by Shadowman

We have a need to integrate a server with our WebSphere environment that does not support LTPA. I found the blog post here and corresponding code to decode the information in an LTPA token. However, there's no code explaining the digital signature and how that's generated/validated. Does anyone have any information on how to generate an LTPA token in custom code?

Read the article
Minimum permissions to COM Object to Instantiate running as LocalService

- by Paul Farry

I'm writing a .NET Service that creates a COM object. If I run the Service as the Logged on user (everything is fine). If I run the Service as LocalSystem, everything is fine. If I run the Service as LocalService, then I get an AccessDeniedException when trying to instantiate the COM Object. I've come up with the following block to grant the necessary permissions and it appears to work correctly, but I wanted to make sure I wasn't missing something regarding the COM rules. Private Sub SetAccessToRockeyRegistry() Using reg As RegistryKey = Microsoft.Win32.Registry.ClassesRoot.OpenSubKey("CLSID\{EE0680D3-AAC3-446B-AFD7-F9DE2D3E28FB}", True) Dim sec As RegistrySecurity sec = reg.GetAccessControl Dim ar As RegistryAccessRule Dim sid As SecurityIdentifier sid = New SecurityIdentifier(WellKnownSidType.LocalServiceSid, Nothing) ar = New RegistryAccessRule(sid, RegistryRights.ReadKey Or RegistryRights.EnumerateSubKeys Or RegistryRights.QueryValues, AccessControlType.Allow) sec.AddAccessRule(ar) ar = New RegistryAccessRule(sid, RegistryRights.ReadKey Or RegistryRights.EnumerateSubKeys Or RegistryRights.QueryValues, _ InheritanceFlags.ObjectInherit Or InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly Or PropagationFlags.NoPropagateInherit, AccessControlType.Allow) sec.AddAccessRule(ar) reg.SetAccessControl(sec) End Using End Sub

Read the article
What are the best practices for avoid xss attacks in a PHP site

- by rikh

I have PHP configured so that magic quotes are on and register globals are off. I do my best to always call htmlentities() for anything I am outputing that is derived from user input. I also occasionally seach my database for common things used in xss attached such as... <script What else should I be doing and how can I make sure that the things I am trying to do are always done.

Read the article
How to secure access to SWF file using ASP.NET?

- by elsharpo

hi guys, We have a swf file that we want to secure and make available only to authorized users. I embedded the file in an aspx page and that works fine, since ASP.NET handles the aspx page, I can use ASP.NET authorization features and in the web.config restrict the access to roles="AllowedUsers" for example. However smart users could still get to the file by accessing directly for example www.mysite/flash.swf. We want to make that kind of access secure. Any help would be greatly appreciated! Thanks!

Read the article
Preventing $.POST hijack

- by Jamie

I'm currently building a facebook application. Lets say I have a variable $uid that identifies the user so I can store this in my database along with their submitted data. I pass $uid and $data via json encoded values using $.post. However, this doesn't prevent someone changing $uid to save data as someone else. I have been thinking about how to overcome this, so far I haven't found a solution apart from: create database with $uid $secretkey on first page load. When $.post send $secretkey with the post and then retrieve the $uid from the database. Would this be the correct approach to use?

Read the article
Ensure exclusive access to webservice

- by Henrik P. Hessel

Just to be on the safe side, what's the best practice to ensure that only my application has access to my webservice, which is hosted on a public server? Should I implement I shared key or something? My webservice is hosted on Googles App Engine and my Application runs on iPhones and iPads. If you need further information, just ask. Thanks, Henrik

Read the article
autehntication on gui application written on perl

- by oren

Its not specific perl question I am building a perl gui/wxperl application that connect to DB . I want my application to be a password protected i.e first the user should enter the user and password and then use the appication . what is the best secure method to store the password could someone provide an idea what is the best method to how should i store the user and the password and how should i retrieve them for authentication ? if possible could someone provide some perl code how to do this ?

Read the article
Storing secret keys on iPhone source and project resources

- by hgpc

Is storing secret keys (internal use passwords and such) on iPhone source code and project resources (such as plist files) secure? Obviously nothing is 100% secure, but can this information be extracted easily from an installed app? How do you recommend storing these keys to use them in the source code? Just in case, this question is not about storing user passwords.

Read the article
Who does actually use XACML?

- by lajuette

Who knows actively developed XACML Implemtations other than the Sun XACML Implementation and XEngine? Which vendors provide a PDP? I read something about a WebLogic XACML Privider. What other products support XACML?

Read the article
How can UNIX access control create compromise problems ?

- by Berkay

My system administrators advice me to be careful when setting access control to files and directories. He gave me an example and i got confused, here it is: a file with protection mode 644 (octal) contained in a directory with protection mode 730. so it means: File:101 100 100 (owner, group,other: r-x r-- r--) Directory:111 011 000 (owner, group,other: rwx -wx ---) How can file be compromised in this case ?

Read the article

< Previous Page | 238 239 240 241 242 243 244 245 246 247 248 249 | Next Page >