Search Results

Search found 12720 results on 509 pages for 'moss2007 security'.

Page 33/509 | < Previous Page | 29 30 31 32 33 34 35 36 37 38 39 40  | Next Page >

  • Cookiless Session Is it a security risk?

    - by Costa
    Hi http://msdn.microsoft.com/en-us/library/aa479314.aspx You have a user who successfully log in from a machine in Cybercafe, Hacker H able to sniff the network and get the sessionID of the user, Can H use the sessionId and act as the user from another machine? Can H enter http://folder/(session id)/CreditCardInformation.aspx to know the credit card number of the user?

    Read the article

  • Basic security, PHP mySQl

    - by yuudachi
    So I am making a basic log-in page. I have a good idea of what to do, but I'm still unsure of some things. I have a database full of students and a password column of course. I know I'm going to use md5 encryption in that column. The student enters their e-mail and student ID, and they get e-mailed a password if correct. But, where do I create the password? Do I have to manually add the password (which is just a randomly generated string) in mySQL to all the students? And I am suppose to send the password to the student; how will I know what to send the student if the password is encrypted? I was thinking about generating the password when the student first enters their e-mail and student ID. They get an e-mail of the random string, and at the same time, I add the same random string to the database, encrypted. Is that how it's suppose to work though? And it feels unsafe doing that all on the same page. Sorry for the long-winded, newbish question. I find this all facisnating at the same time as well (AES and RSA encryption :O)

    Read the article

  • Client / Server security from mobile to website

    - by Amir Latif
    Hey. Am new to the world of web programming and learning a bunch of fairly simple new pieces of tech, trying to piece them all together. So, we have a simple client (currently iPhone, to move to J2ME soon) that's pulling down lists of data via PHP, which is talking to a MySQL db. I have a rudimentary user/login system so that data is only served to someone who matches a known user etc, either on the website or on the client. All the php scripts on the website that query the DB check to make sure an active session is in place, otherwise dumping the user back to the login screen. I've read a little about SSL and want to know if that is sufficient to protect the website AND the data passing between the server and the client?

    Read the article

  • Relogging a user in with different Spring Security Authorities programmatically

    - by user1331982
    PreReq: User logs in and is given roles got from the database using a custom implementation of userService. i.e. authentication-provider user-service-ref="securityPolicyService" The implemented method loadUserByUsername gets called and the roles are load for the user for the particular club they are logging into, Default one is loaded first time in. The user then click on a different club from the UI and I call a method on a service that gets the new list of authorities for this club. I then perform the following: Object principle = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); SecureMember sm = (SecureMember) principle; Authentication auth = new UsernamePasswordAuthenticationToken(sm, null, newAuthories); <br><br> SecurityContextHolder.getContext().setAuthentication(auth);<br> request.getSession(false).invalidate(); SecureMember extends User from SpringFramework. The problem is the SecureMember authorities are never updated with the new ones. thanks Gary

    Read the article

  • Application runs fine when executed directly, fails as scheduled task (security issues)

    - by Carl
    I have an application that loads some files from a network share (the input folder), extracts certain data from them and saves new files (zips them with SharpZLib) on a different network share (output folder). This application runs fine when you open it directly, but when it is set to a scheduled task, it fails in numerous places. This application is scheduled on a Win 2003 server. Let me say right off the bat, the scheduled task is set to use the same login account that I am currently logged in with, so it's not because it's using the LocalSystem account. Something else is going on here. Originally, the application was assigning a drive letter to the input folder using WNetGetConnectionA(). I don't remember why this was done, someone else on our team did that and she's gone now. I think there was some issue with using the WinZip command line with a UNC path. I switched from the WinZip command line utility to using SharpZLib because there were other issues with using the WinZip command line. Anyway, the application failed when trying to assign a drive letter with the error "connection already established." That wasn't true and even after trying WNetCancelConnection(), it still didn't work. Then I decided to just map the drive manually on the server. Then when the app calls Directory.Exists(inputFolderPath) it returns false, even though it does exist. So, for whatever reason, I cannot read this directory from within the application. I can manually navigate to this folder in Windows Explorer and open files. The app log file shows that the user executing it on the schedule is the user I expect, not LocalSystem. Any ideas?

    Read the article

  • asp.net forms authentification security issues

    - by Andrew Florko
    Hi there, I have a kind of asp.net forms authentication with the code like that: FormsAuthentication.SetAuthCookie(account.Id.ToString(), true); HttpContext.Current.User = new GenericPrincipal(new GenericIdentity(account.Id.ToString()), null); What kind of additional efforts shall I take to make authentication cookie (that is user id) more securable? (https, encoding for example) Thank you in advance!

    Read the article

  • PHP Upload file enhance security

    - by mandril
    Hey.. my question is how to prevent someone upload a virus or some malicious code with the extension you pretend for example i have a pdf file uploader, anyone can upload a binary with pdf camouflage there are lots of programs to do that.

    Read the article

  • PHP File System or XML : Security Issue

    - by jasmine
    I want to make a news portal(php) site with minimum mysql force. :create a cron, fetch data from mysql and write to a php file . (I dont know is it right way) But Can I use xml instead of php file? Write mysql data to xml. Is this a secure way? What is the best way? XML or php file? Thanks in advance

    Read the article

  • Disabling security warning caused by BaseIntermediateOutputPath?

    - by Chris R. Donnelly
    Hi all, Our team overrides BaseIntermediateOutputPath (and other related properties) in our Visual Studio projects in order to have build artifacts go outside the main tree. However, this causes an annoying warning dialog to appear when you open a project for the first time in a new location (which happens on new machines, when you check out a branch to a new location, have to delete corrupted .suo/.user files, etc.). Is there any way to disable the warning? FYI, we are using Visual Studio 2008, and we have encountered this warning on Windows XP as well as Windows 7, so it is not UAC-related.

    Read the article

  • Authorization security of ASP.NET Forms authentication

    - by Tomi
    I'm using Forms authentication in ASP.NET MVC website and I store user account login name in AuthCookie like this: FormsAuthentication.SetAuthCookie(account.Login, false); I want to ask if there is a possibility that user on client side will somehow manage to change his login name in AuthCookie and thus he will be for example impersonated as someone with higher privileges and authorized to do more actions than he is normally supposed to have. Also is it better to save in this cookie user account login name or user account ID number?

    Read the article

  • Webservice for uploading data: security considerations

    - by Philip Daubmeier
    Hi everyone! Im not sure about what authentification method I should use for my webservice. I've searched on SO, and found nothing that helped me. Preliminary Im building an application that uploads data from a local database to a server (running my webservice), where all records are merged and stored in a central database. I am currently binary serializing a DataTable, that holds a small fragment of the local database, where all uninteresting stuff is already filtered out. The byte[] (serialized DataTable), together with the userid and a hash of the users password is then uploaded to the webservice via SOAP. The application together with the webservice already work exactly like intended. The Problem The issue I am thinking about is now: What is if someone just sniffs the network traffic, 'steals' the users id and password hash to send his own SOAP message with modified data that corrupts my database? Options The approaches to solving that problem, I already thought of, are: Using ssl + certificates for establishing the connection: I dont really want to use ssl, I would prefer a simpler solution. After all, every information that is transfered to the webservice can be seen on the website later on. What I want to say is: there is no secret/financial/business-critical information, that has to be hidden. I think ssl would be sort of an overkill for that task. Encrypting the byte[]: I think that would be a performance killer, considering that the goal of the excercise was simply to authenticate the user. Hashing the users password together with the data: I kind of like the idea: Creating a checksum from the data, concatenating that checksum with the password-hash and hashing this whole thing again. That would assure the data was sent from this specific user, and the data wasnt modified. The actual question So, what do you think is the best approach in terms of meeting the following requirements? Rather simple solution (As it doesnt have to be super secure; no secret/business-critical information transfered) Easily implementable retrospectively (Dont want to write it all again :) ) Doesnt impact to much on performance What do you think of my prefered solution, the last one in the list above? Is there any alternative solution I didnt mention, that would fit better? You dont have to answer every question in detail. Just push me in the right direction. I very much appreciate every well-grounded opinion. Thanks in advance!

    Read the article

  • How are clientside security vulnerabilities generally discovered?

    - by Jehjoa
    I mean in operating systems or their applications. The only way I can think of is examine binaries for the use of dangerous functions like strcpy(), and then try to exploit those. Though with compiler improvements like Visual Studio's /GS switch this possibility should mostly be a thing of the past. Or am I mistaken? What other ways do people use to find vulnerabilities? Just load your target in a debugger, then send unexpected input and see what happens? This seems like a long and tedious process. Could anyone recommend some good books or websites on this subject? Thanks in advance.

    Read the article

  • IIS7.5 and MVC 2 : Implementing HTTP(S) security

    - by Program.X
    This is my first ASP.NET MVC application, and my first on an IIS 7.x installation whereby I have to do anything over and above the standard. I need to enforce Windows authentication on the /Index and /feeds/xxx.svc pages/services. In ASP.NET Web Forms, I would apply the Windows permissions on the files and remove Anonymous authentication in IIS 6. This needs to work over HTTP/S, but don't worry about that, that's in hand. What happens in MVC/IIS 7? I have tried modifying the permissions on the /Index.aspx view, which seems to block access. It asks me for a username/password, but does not grant access when I enter a valid username/password. Pressing Escape gives me an exception "*Access to the path 'E:\dev\xxx\xxx.ConsultantRegistration.Web.Admin\Views\ConsultantRegistration\index.aspx' is denied. *", which does get sent as a 401. So although the username/password does exist on the Index.aspx view, I can't use those credentials to access said view. I have in my web.config: What am I missing?

    Read the article

  • Autoclick security for a like button

    - by Ali Davut
    Hi everyone I want to develop a button like 'facebook like button'. I am going to use it on my website and thinking it to share as iframe like facebook but I cannot think its securty because someone can develop a script that can click on it automatically. I thought a solution using sessions but I couldn't make an algorithm completely. How can I disallow autoclicks and which solution is the best? It can be any language I just want algorithm. Thanks, have a nice day.

    Read the article

  • Encrypt the file for security

    - by pavun_cool
    Actually I have a file . I am working in linux environment. I need to encrypt that file for secure purpose with giving the some password. The operation could be like zip , tar any compression. When I extract the file It should ask me password , only then it should get extracted Thanks in Advance

    Read the article

  • Write Mysql tables to XML : Security Issue

    - by jasmine
    I want to make a news portal(php) with minimum mysql force. :create a cron, fetch data from mysql and write to a php file . (I dont know is it right way) But Can I use xml instead of php file? Write mysql data to xml. Is this a secure way? What is the best way? XML or php file? Thanks in advance

    Read the article

  • Authenticating a SOAP service in Java (password security)

    - by user1686448
    I am writing an application, in Java, which needs to log in to a remote SOAP service (JIRA) prior to calling methods on that service. I have looked at examples of how to do this, for example http://www.j-tricks.com/1/post/2010/8/jira-soap-client.html, however I am concerned that I need to put the password in memory at some point. I've read that I should store the password as a char[] but still, I'm concerned about storing the password in the clear at all. How should I store the password used by my client to log into the SOAP service? And how should I read it and pass it to JIRA?

    Read the article

  • Security concerns for a multi-lingual web application.

    - by The Rook
    I am converting a PHP MySQL web application written for English language into a Multi-Language site. Do you know any vulnerabilities that affect web applications in another language? Or perhaps vulnerabilities that could be introduced in the conversion of code base to support multiple languages. (If you know any vulnerabilities of this type in another programming language I'll give you a +1)

    Read the article

  • downloading security related problem in php

    - by pareek-rohit
    hi i have to upload a video.but i want to gives permission only authenticate user to download .but i have a problem in that.because if any body type the video detail in browser.(ex http://sitename/folder_name/videoname) then browser download that video.but i don't want this .please suggest me how can i resolve this problem.either i should generate the video name randomly or make a temporary folder in which video reside only for specific time,after this video will be delete. Or if any other ideas you have please let me know Thanks in advance

    Read the article

  • Cookiless Session Is it a security

    - by Costa
    Hi http://msdn.microsoft.com/en-us/library/aa479314.aspx You have a user who successfully log in from a machine in Cybercafe, Hacker H able to sniffer the network and get the sessionID of the user, Can H use the sessionId and act as the user from another machine? Can H enter http://folder/(session id)/CreditCardInformation.aspx to know the credit card number of the user. Thanks

    Read the article

  • .net 2.0 assembly security

    - by anthonywalters
    Hi, I have an assembly and want to restrict the assemblies and applications that can call/use this assemblies functionality. Can anyone provide detailed information on how this can be achieved ? From what I have read on the internet this is not possible because any "fully trusted" assembly will automatically be granted access. I am using .NET 2.0 and 3.5 and the solution needs to be compatible with both versions of the framework. Thanks in advance ;-)

    Read the article

  • implement acl on field in spring security

    - by Mike
    Hi! I would like implement spring acl for my object fields. does anyone has an idea what do i have to implment for it? for example, i have Purchase object. i would like admin_role to have read on all the fields, and secretary_role to have read only on username and address field

    Read the article

  • ASP.NET WebAPI Security 3: Extensible Authentication Framework

    - by Your DisplayName here!
    In my last post, I described the identity architecture of ASP.NET Web API. The short version was, that Web API (beta 1) does not really have an authentication system on its own, but inherits the client security context from its host. This is fine in many situations (e.g. AJAX style callbacks with an already established logon session). But there are many cases where you don’t use the containing web application for authentication, but need to do it yourself. Examples of that would be token based authentication and clients that don’t run in the context of the web application (e.g. desktop clients / mobile). Since Web API provides a nice extensibility model, it is easy to implement whatever security framework you want on top of it. My design goals were: Easy to use. Extensible. Claims-based. ..and of course, this should always behave the same, regardless of the hosting environment. In the rest of the post I am outlining some of the bits and pieces, So you know what you are dealing with, in case you want to try the code. At the very heart… is a so called message handler. This is a Web API extensibility point that gets to see (and modify if needed) all incoming and outgoing requests. Handlers run after the conversion from host to Web API, which means that handler code deals with HttpRequestMessage and HttpResponseMessage. See Pedro’s post for more information on the processing pipeline. This handler requires a configuration object for initialization. Currently this is very simple, it contains: Settings for the various authentication and credential types Settings for claims transformation Ability to block identity inheritance from host The most important part here is the credential type support, but I will come back to that later. The logic of the message handler is simple: Look at the incoming request. If the request contains an authorization header, try to authenticate the client. If this is successful, create a claims principal and populate the usual places. If not, return a 401 status code and set the Www-Authenticate header. Look at outgoing response, if the status code is 401, set the Www-Authenticate header. Credential type support Under the covers I use the WIF security token handler infrastructure to validate credentials and to turn security tokens into claims. The idea is simple: an authorization header consists of two pieces: the schema and the actual “token”. My configuration object allows to associate a security token handler with a scheme. This way you only need to implement support for a specific credential type, and map that to the incoming scheme value. The current version supports HTTP Basic Authentication as well as SAML and SWT tokens. (I needed to do some surgery on the standard security token handlers, since WIF does not directly support string-ified tokens. The next version of .NET will fix that, and the code should become simpler then). You can e.g. use this code to hook up a username/password handler to the Basic scheme (the default scheme name for Basic Authentication). config.Handler.AddBasicAuthenticationHandler( (username, password) => username == password); You simply have to provide a password validation function which could of course point back to your existing password library or e.g. membership. The following code maps a token handler for Simple Web Tokens (SWT) to the Bearer scheme (the currently favoured scheme name for OAuth2). You simply have to specify the issuer name, realm and shared signature key: config.Handler.AddSimpleWebTokenHandler(     "Bearer",     http://identity.thinktecture.com/trust,     Constants.Realm,     "Dc9Mpi3jaaaUpBQpa/4R7XtUsa3D/ALSjTVvK8IUZbg="); For certain integration scenarios it is very useful if your Web API can consume SAML tokens. This is also easily accomplishable. The following code uses the standard WIF API to configure the usual SAMLisms like issuer, audience, service certificate and certificate validation. Both SAML 1.1 and 2.0 are supported. var registry = new ConfigurationBasedIssuerNameRegistry(); registry.AddTrustedIssuer( "d1 c5 b1 25 97 d0 36 94 65 1c e2 64 fe 48 06 01 35 f7 bd db", "ADFS"); var adfsConfig = new SecurityTokenHandlerConfiguration(); adfsConfig.AudienceRestriction.AllowedAudienceUris.Add( new Uri(Constants.Realm)); adfsConfig.IssuerNameRegistry = registry; adfsConfig.CertificateValidator = X509CertificateValidator.None; // token decryption (read from configuration section) adfsConfig.ServiceTokenResolver = FederatedAuthentication.ServiceConfiguration.CreateAggregateTokenResolver(); config.Handler.AddSaml11SecurityTokenHandler("SAML", adfsConfig); Claims Transformation After successful authentication, if configured, the standard WIF ClaimsAuthenticationManager is called to run claims transformation and validation logic. This stage is used to transform the “technical” claims from the security token into application claims. You can either have a separate transformation logic, or share on e.g. with the containing web application. That’s just a matter of configuration. Adding the authentication handler to a Web API application In the spirit of Web API this is done in code, e.g. global.asax for web hosting: protected void Application_Start() {     AreaRegistration.RegisterAllAreas();     ConfigureApis(GlobalConfiguration.Configuration);     RegisterGlobalFilters(GlobalFilters.Filters);     RegisterRoutes(RouteTable.Routes);     BundleTable.Bundles.RegisterTemplateBundles(); } private void ConfigureApis(HttpConfiguration configuration) {     configuration.MessageHandlers.Add( new AuthenticationHandler(ConfigureAuthentication())); } private AuthenticationConfiguration ConfigureAuthentication() {     var config = new AuthenticationConfiguration     {         // sample claims transformation for consultants sample, comment out to see raw claims         ClaimsAuthenticationManager = new ApiClaimsTransformer(),         // value of the www-authenticate header, // if not set, the first scheme added to the handler collection is used         DefaultAuthenticationScheme = "Basic"     };     // add token handlers - see above     return config; } You can find the full source code and some samples here. In the next post I will describe some of the samples in the download, and then move on to authorization. HTH

    Read the article

< Previous Page | 29 30 31 32 33 34 35 36 37 38 39 40  | Next Page >