Search Results

Search found 2011 results on 81 pages for 'token bucket'.

Page 33/81 | < Previous Page | 29 30 31 32 33 34 35 36 37 38 39 40  | Next Page >

  • Is Rails default CSRF protection insecure

    - by schickb
    By default the form post CSRF protection in Rails creates an authenticity token for a user that only changes when the user's session changes. One of our customers did a security audit of our site and flagged that as an issue. The auditor's statement was that if we also had an XSS vulnerability, an attacker could grab another user's authenticity token and make use of it for CSRF attacks until the user's session expired. But it seems to me that if we had an XSS vulnerability like that, an attacker could just as easily grab another user's session cookie and log in as that user directly. Or even just make a call to our REST API as the user being attacked. No secondary CSRF attack needed. Have I missed something? Is there a real problem with the default CSRF protection in Rails?

  • oauth process for twitter. the difference between client and web application

    - by Radek
    I managed to make the OAuth process work for PIN-based verification. My Twitter application is of the client type. When I enter the authorize URL into a web browser and grant the application access, I then have to enter the PIN in my Ruby application. Can I finish the process of getting an access token without the PIN step? My current code is as follows. What changes do I need to make so that it works without the PIN?

        gem 'oauth'
        require 'oauth/consumer'

        consumer_key = 'w855B2MEJWQr0SoNDrnBKA'
        consumer_secret = 'yLK3Nk1xCWX30p07Id1ahxlXULOkucq5Rve28pNVwE'
        consumer = OAuth::Consumer.new consumer_key, consumer_secret, {:site=>"http://twitter.com"}
        request_token = consumer.get_request_token
        puts request_token.authorize_url
        puts "Hit enter when you have completed authorization."
        pin = STDIN.readline.chomp
        access_token = request_token.get_access_token(:oauth_verifier => pin)
        puts
        puts access_token.token
        puts access_token.secret

  • Displaying map stl

    - by BSchlinker
    Declared a map early on:

        map<char*,char*> rtable; // used to store routing information

    Now I'm attempting to display the contents of the map:

        void Routes::viewroutes(){
            typedef map<char*, char*>::const_iterator iter;
            for (iter=rtable.begin(); iter != rtable.end(); ++iter) {
                cout << iter->second << " " << iter->first << endl;
            }
        }

    Receiving the error "expected primary-expression before '!=' token" and the same for the '-' token. Can't seem to understand the error I'm making here. Any ideas?

  • Python.expat can't parse XML file with bad symbols. How to go around?

    - by culebrón
    I'm trying to parse an XML file with expat, and here's the line where I get the bad-token exception:

        <tag k="name" v="???????????????????????????????????????????????????????????????????" />

        xml.parsers.expat.ExpatError: not well-formed (invalid token): line 610127, column 37

    The symbols in hex look like: \xd1? Seems like someone wrote this string (Russian alphabet) hitting backspace a few times. I set parser.returns_unicode = True, but this didn't help. The first line is <?xml version="1.0" encoding="UTF-8"?>. I work with a bz2 file (bz2.BZ2File). How can I parse the file?
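    An added example, not code from the question above, of handling bytes like these with the standard-library expat binding in Python 3 (where expat hands the handlers str). Both documents are constructed for the demonstration: GOOD is valid UTF-8, BAD carries lone 0xD1 lead bytes of the kind the question describes. The strict parse is tried first; only when expat rejects the bytes are the invalid sequences replaced with U+FFFD and the parse retried, so a document that is broken for any other reason still fails. The bz2 helper takes a placeholder path.

```python
"""Lenient expat parsing of a UTF-8 document containing invalid byte sequences.

Added example, not code from the question. GOOD and BAD are constructed inputs;
parse_bz2_file's path is a placeholder.
"""
import bz2
import xml.parsers.expat as expat

GOOD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<osm><tag k="name" v="' + "Москва".encode("utf-8") + b'" /></osm>\n')
# 0xD1 opens a two-byte sequence; a second 0xD1 is not a continuation byte,
# so expat reports "not well-formed (invalid token)" for this attribute value.
BAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
       b'<osm><tag k="name" v="\xd1\xd1" /></osm>\n')


def collect_elements(data: bytes) -> list:
    """Feed bytes to expat and return (name, attrs) for every start tag."""
    found = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: found.append((name, attrs))
    parser.Parse(data, True)  # raises expat.ExpatError on malformed input
    return found


def is_well_formed(data: bytes) -> bool:
    """True when expat accepts the bytes as they are."""
    try:
        collect_elements(data)
        return True
    except expat.ExpatError:
        return False


def parse_lenient(data: bytes):
    """Strict parse first. If expat rejects the bytes, replace each invalid
    UTF-8 sequence with U+FFFD and parse again. Returns (elements, repaired).
    A second ExpatError means the document is broken for some other reason
    and is allowed to propagate rather than being hidden."""
    try:
        return collect_elements(data), False
    except expat.ExpatError:
        repaired = data.decode("utf-8", errors="replace").encode("utf-8")
        return collect_elements(repaired), True


def parse_bz2_file(path: str):
    """Same treatment for a .bz2 file such as the one in the question."""
    with bz2.open(path, "rb") as fh:
        return parse_lenient(fh.read())
```

    The replacement characters mark exactly where the damaged names were, so they can be located afterwards; nothing else in the document is touched.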

  • Making GWT application crawlable by a search engine.

    - by Philippe Beaudoin
    I want to use the #! token to make my GWT application crawlable, as described here:

        http://code.google.com/web/ajaxcrawling/

    There is a GWT sample app available online that uses this. For example:

        http://gwt.google.com/samples/Showcase/Showcase.html#!CwRadioButton

    will serve the following static webpage to the Googlebot:

        http://gwt.google.com/samples/Showcase/Showcase.html?_escaped_fragment_=CwRadioButton

    I want my GWT app to do something similar. In short, I'd like to serve a different flavor of the page whenever the _escaped_fragment_ parameter is found in the URL. What should I modify in order for the server to serve something else (a static page, or a page dynamically generated through a headless browser like HTML Unit)? I'm guessing it could be the web.xml file, but I'm not sure. (Note: I thought of checking the Showcase app provided with the GWT SDK, but unfortunately it doesn't seem to support serving static files on _escaped_fragment_ and it doesn't use the #! token.)

  • Parsing Indentation-based syntaxes in Haskell's Parsec

    - by pavpanchekha
    I'm trying to parse an indentation-based language (think Python, Haskell itself, Boo, YAML) in Haskell using Parsec. I've seen the IndentParser library, and it looks like it's the perfect match, but what I can't figure out is how to make my TokenParser into an indentation parser. Here's the code I have so far:

        import qualified Text.ParserCombinators.Parsec.Token as T
        import qualified Text.ParserCombinators.Parsec.IndentParser.Token as IT

        lexer = T.makeTokenParser mylangDef
        ident = IT.identifier lexer

    This throws the error:

        parser2.hs:29:28:
            Couldn't match expected type `IT.TokenParser st'
                   against inferred type `T.GenTokenParser s u m'
            In the first argument of `IT.identifier', namely `lexer'
            In the expression: IT.identifier lexer
            In the definition of `ident': ident = IT.identifier lexer

    What am I doing wrong? How should I create an IT.TokenParser? Or is IndentParser broken and to be avoided?

  • The remote server returned an error: NotFound.

    - by xscape
    Hi, I'm trying to retrieve a string from my old web service but it gives me the error "The remote server returned an error: NotFound." and its InnerException is

        {System.Net.WebException: The remote server returned an error: NotFound. --- System.Net.WebException: The remote server returned an error: NotFound.
           at System.Net.Browser.BrowserHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
           at System.Net.Browser.BrowserHttpWebRequest.<c_DisplayClass5.b_4(Object sendState)
           at System.Net.Browser.AsyncHelper.<c_DisplayClass2.b_0(Object sendState)
           --- End of inner exception stack trace ---
           at System.Net.Browser.AsyncHelper.BeginOnUI(SendOrPostCallback beginMethod, Object state)
           at System.Net.Browser.BrowserHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
           at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)}

    This is the method where the error is raised; the method it calls returns a string:

        void client_ValidateUserEncryptedCompleted(object sender, DummyWS.ValidateUserEncryptedCompletedEventArgs e)
        {
            object token = e.Result;
            client = new DummyWS.MachineHistoryWSSoapClient();
            if (token != null)
            {
                client.GetSummaryXMLAsync(token, "", "");
            }
        }

    I am currently using Silverlight 4.0 and my ServiceReferences.ClientConfig is

        <configuration>
          <system.serviceModel>
            <bindings>
              <basicHttpBinding>
                <binding name="MachineHistoryWSSoap" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
                  <security mode="None" />
                </binding>
              </basicHttpBinding>
            </bindings>
            <client>
              <endpoint address="http://localhost/MHVwsModified/MachineHistoryWS.asmx"
                        binding="basicHttpBinding" bindingConfiguration="MachineHistoryWSSoap"
                        contract="DummyWS.MachineHistoryWSSoap" name="MachineHistoryWSSoap" />
            </client>
          </system.serviceModel>
        </configuration>

    My Web.Config in my web service is

        <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
          <system.web>
            <compilation debug="true">
              <assemblies>
                <add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
              </assemblies>
            </compilation>
            <authentication mode="Windows" />
          </system.web>
          <system.webServer>
            <directoryBrowse enabled="true" />
          </system.webServer>
        </configuration>

    Any help will be appreciated, thank you.

  • Authenticated Referrals & Server-Side Auth Flow - What is the redirect_uri?

    - by Brian P. Hamachek
    From an authenticated referral (such as from a timeline story) to my website, I am trying to use the server-side authentication flow to obtain an access token for the referred user. I need to pass my app secret, the auth code, and the original redirect URI to the Facebook access token endpoint. Since I did not initiate the authentication request, how do I determine the original redirect_uri? The link from the Facebook timeline looks like:

        http://www.facebook.com/connect/uiserver.php?app_id=153644678059870&method=permissions.request&redirect_uri=http%3A%2F%2Fwww.wnmlive.com%2Fpost%2F141833948%3Ffb_action_ids%3D10100708033267487%26fb_action_types%3Dwnm-live%253Acomment%26fb_source%3Drecent_activity&response_type=code&display=page&auth_referral=1

    So I figure that the redirect URI I need to pass is:

        http%3A%2F%2Fwww.wnmlive.com%2Fpost%2F141833948%3Ffb_action_ids%3D10100708033267487%26fb_action_types%3Dwnm-live%253Acomment%26fb_source%3Drecent_activity

    The URI that the user is ultimately redirected to is:

        http://www.wnmlive.com/post/141833948?fb_action_ids=10100708032119787&fb_action_types=wnm-live%3Apost&fb_source=recent_activity&code=AQALK-Mwb_Nwi4z7FWnFaL6tEXvNtVJiRKrgarG9X73sp22TJyk8v2GWKtuXuevJk4hPSRNnuNpEgZXLFdOS_k-pY-mE15DYytIa8Y7VdSw3VL-XYi-CR9BCqRQGq4uBJvSSdZayCp6MWzDMaNqWd5r8OhKVnOhg_yDlvfoLl21N2SMwkJaOfD5mlPnPb5A-Q4A#_=_

    Is it safe to assume that I can just chop off everything starting with "&code=" and use that as the redirect URI?

  • where should we place HIDDEN variable in JSP

    - by micheal
    I need to use hidden variables in my JSP for session tracking. This is the code:

        <input type="hidden" name="REQ_TOKEN" value="<%=session.getAttribute("SESN_TOKEN").toString()%>" />

    I am using this to compare the request token with the session token, so only when both are equal will I evaluate that request; otherwise I will throw an error. Now the problem is, when I place this code inside <form></form> tags, it works fine. Unfortunately there are some JSPs in my application where we don't have a form tag (I know that sounds weird!). Where can I place my code so that it will work? Can't I use hidden variables without a FORM tag?

  • Twitter oauth_callback parameter being ignored!

    - by Astrofaes
    Hi guys, I'm trying to get Twitter authentication working on my ASP.NET site. When you create the app on the Twitter website, you have to specify a callback URL, which for the sake of argument I have set to http://mydomain.com. I've read the OAuth 1.0a spec, and to override this callback URL with your own custom one you have to send the oauth_callback parameter in the request_token phase (url-encoded, of course). So my request URL looks like this:

        http://twitter.com/oauth/request_token?oauth_callback_url=http%3A%2F%2Fmydomain.com%2Ftwittercallback

    Supposedly, if all goes to plan, in your response data you are supposed to receive a new parameter, oauth_callback_confirmed=true, in addition to your token and token secret parameters. However, my response comes through as:

        oauth_token=MYTOKEN&oauth_token_secret=MYTOKENSECRET

    I know I haven't given you guys the greatest amount to go on, but I'm at my wits' end as to why I am not receiving the oauth_callback_confirmed parameter. Without this, my application keeps defaulting back to the callback URL hard-coded on the Twitter website. Please, if anyone could help me out, I will be eternally grateful! Thanks, A.

  • Doesn't get into Debug Mode

    - by Grace Jones
    When I Press F5 on my VS2005 to debug the application, it launches the web app window but it is coming out of debug mode. When I tried to trace the Error in the EventViewer, this was the error: Failed in Token.vb(GetToken). The token was not in memory and the identity of the authenticated IIS caller was not permitted. The session may have unexpectedly terminated. The specific error message included: Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the \\ section in the application configuration. I don't have any httpModules section in my config file and the sessionState mode="InProc"...

  • Problem with Validate Anti Forgery

    - by Mikael Egnér
    Hi! I have a problem regarding the MVC anti-forgery token. When I do my authentication I have pseudo code like this:

        var user = userRepository.GetByEmail(email);
        System.Threading.Thread.CurrentPrincipal = HttpContext.Current.User = user;

    By doing so I'm able to get the current user in my code like this:

        var user = HttpContext.Current.User as EntityUser;

    This works fine until I add the [ValidateAntiForgeryToken] attribute to an action. When I add the attribute I get "A required anti-forgery token was not supplied or was invalid." If I comment out this line:

        System.Threading.Thread.CurrentPrincipal = HttpContext.Current.User = user;

    the anti-forgery validation works fine, but then I don't have my convenient way of getting my "EntityUser" from the HttpContext. Any ideas of how to work around this? Best regards, Mikael

  • Flickr API automated login using Python library flickrapi

    - by Dave Aaron Smith
    I have a web application that I want to sync with Flickr. I don't want the users to have to log into Flickr, so I plan to use a single login. I believe I'll need to do something like this:

        import flickrapi
        flickr = flickrapi.FlickrAPI(myKey, mySecret)
        (token, frob) = flickr.get_token_part_one(perms='write', my_auth_callback)
        flickr.get_token_part_two((token, frob,))
        flickr.what_have_you(...

    I don't know what my_auth_callback should look like, though. I suspect it will have to post my login information to Flickr. Could I do the get_token_part_one step just once manually, perhaps, and then re-use it in get_token_part_two?

  • How to query a date in HQL (Hibernate) with Joda Time?

    - by fabien7474
    I am sure that someone familiar with HQL (I am myself a newbie) can easily answer this question. In my Grails application, I have the following domain class:

        class Book {
            org.joda.time.DateTime releaseDate // I use PersistentDateTime for persisting via Hibernate (which uses a DATETIME type for the MySQL DB)
        }

    In my HQL query, I want to retrieve books whose release date is included in the range date1..date2. For instance I tried:

        DateTime date1, date2
        ...
        def queryStr = "select * from Book as b where b.releaseDate > $date1 and b.releaseDate < $date2"
        def res = Book.executeQuery(queryStr)

    But I got the exception

        ...caused by: org.springframework.orm.hibernate3.HibernateQueryException: unexpected token:

    The error token points to the date format (for instance 2009-11-27T21:57:18.010+01:00 or Fri Nov 27 22:01:20 CET 2009). I have also tried to convert date1 into a Date class without success. So what is the correct HQL code? Should I convert to a specific format (which one?) using the patternForStyle method, or is there another -cleaner- way to do it? Thanks, Fabien.

  • How to do call function after client finishes download from tornado web server?

    - by Shabbyrobe
    I would like to be able to run some cleanup functions if and only if the client successfully completes the download of a file I'm serving using Tornado. I installed the Firefox throttle tool and had it slow the connection down to dial-up speed, and installed this handler to generate a bunch of rubbish random text:

        class CrapHandler(BaseHandler):
            def get(self, token):
                crap = ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(100000))
                self.write(crap)
                print "done"

    I get the following output from Tornado immediately after making the request:

        done
        I 100524 19:45:45 web:772] 200 GET /123 (192.168.45.108) 195.10ms

    The client then plods along downloading for about 20 seconds. I expected that it would print "done" after the client was done. Also, if I do the following I get pretty much the same result:

        class CrapHandler(BaseHandler):
            @tornado.web.asynchronous
            def get(self, token):
                crap = ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(100000))
                self.write(crap)
                self.finish()
                print "done"

    Am I missing something fundamental here? Can Tornado even support what I'm trying to do? If not, is there an alternative that does?

  • "Invalid signature": oAuth provider with Django-piston

    - by Martin Eve
    Hi, I'm working with django-piston to attempt to create an API that supports OAuth. I started out using the tutorial at:

        http://blog.carduner.net/2010/01/26/django-piston-and-oauth/

    I added a consumer to piston's admin interface with key and secret both set to "abcd" for test purposes. The URLs are successfully wired up and the OAuth provider is called. However, running my get-request-token test with tripit (python get_request_token.py "http://127.0.0.1:8000/api" abcd abcd), I receive the following error:

        Invalid signature. Expected signature base string: GET&http%3A%2F%2F127.0.0.1%3A8000%2Fapi%2Foauth%2Frequest_token%2F&oauth_consumer_key%3Dabcd%26oauth_nonce%3D0c0bdded5b1afb8eddf94f7ccc672658%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1275135410%26oauth_version%3D1.0

    The problem seems to lie inside the _check_signature method of Piston's oauth.py, where

        valid_sig = signature_method.check_signature(oauth_request, consumer, token, signature)

    is returning false. I can't, however, work out how to get the signature validated. Any ideas?

    Update: If I remove the test consumer from piston's backend, the response returned is correctly set to "Invalid consumer", so this lookup appears to be working.
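    An added illustration of the OAuth 1.0a (RFC 5849 section 3.4) signing steps that the "Invalid signature" message above refers to; it is written for this page and is not code from django-piston, tripit's script, the Ruby oauth gem or Twitter. The method, URL, consumer key and secret ("abcd"), nonce and timestamp are the ones quoted in that message, so the base string the code builds can be checked against it. It also assembles the request-token parameters for the two Twitter questions earlier on the page (the PIN flow and the callback override): the name the spec gives the callback parameter is oauth_callback, with the value "oob" requesting the out-of-band PIN flow and a URL requesting a redirect; the callback URL used here is a placeholder.

```python
"""OAuth 1.0a signature base string, HMAC-SHA1 signing and server-side check.

Added example, not code from any project on this page. Values quoted from the
question: GET, the request_token URL, consumer key/secret "abcd", the nonce and
the timestamp. The callback URL in the usage is a placeholder.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

URL = "http://127.0.0.1:8000/api/oauth/request_token/"


def pct(value) -> str:
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ are left bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lower-cased, default ports dropped, query removed."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port
    default = (parts.scheme == "http" and port == 80) or (parts.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return urlunsplit((parts.scheme.lower(), host.lower(), parts.path or "/", "", ""))


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Encode every query-string and oauth_* pair, sort, join; oauth_signature is excluded."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in list(query) + list(params.items())
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 under 'consumer_secret&token_secret' (empty token secret before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> bool:
    """Provider side: recompute from the received parameters and compare in constant time."""
    presented = params.get("oauth_signature")
    if not presented:
        return False
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def request_token_params(consumer_key: str, consumer_secret: str, url: str, callback: str = "oob",
                         nonce: str = None, timestamp: int = None) -> dict:
    """Signed parameters for the request-token call. 'oob' selects the PIN flow;
    a URL asks the provider to redirect there and answer oauth_callback_confirmed=true."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
        "oauth_callback": callback,
    }
    params["oauth_signature"] = sign("POST", url, params, consumer_secret)
    return params
```

    When the base string printed by the provider differs from the client's, the mismatch is almost always in one of the inputs to signature_base_string: the HTTP method, a trailing slash or port in the URL, or a parameter that one side included and the other did not.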

  • Is using GET with a tokenID for security a good idea?

    - by acidzombie24
    I was thinking about this and it appears POST is only a little less vulnerable and somewhat harder (due to requiring the user to click something). I read about token IDs and double-submitted cookies and I am not sure what the difference is:

        http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
        http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Double_Submit_Cookies

    Right now I have the user ID (PK in my table) and a session ID, so you can't simply change your cookie ID and act like someone else. Now it seems like I put the session ID as a token in each of my forms and check them, because attackers can't guess these tokens. However, I dislike the idea of putting the session ID into the page for people to see. But really, is there a problem with that? Short of having the user copy/paste the HTML, are there any attacks that can happen due to the session ID being in plain view in the HTML?
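    An added example of the two token schemes the OWASP page linked above describes, written for the concerns in this question and in the Rails CSRF and JSP hidden-field questions earlier on the page; it is not code from any of those questions, from Rails or from OWASP. The synchronizer token is derived from the session id with an HMAC under a server key, so the value that lands in the hidden field is bound to the session without being the session id, and each render masks it with a fresh random pad so no two forms carry the same string. The double-submit variant compares a random cookie against the form field. A token arriving in the query string is refused. SERVER_KEY, the field name csrf_token, the cookie name csrf and the session ids are assumptions.

```python
"""Synchronizer-token and double-submit-cookie CSRF checks.

Added example, not code from the questions on this page, Rails or OWASP.
Assumptions: SERVER_KEY is a per-deployment secret, the hidden field is named
csrf_token, the double-submit cookie is named csrf, session ids are opaque strings.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def session_token(session_id: str, key: bytes = SERVER_KEY) -> bytes:
    """Bound to the session but derived from it: the page never carries the
    session id, and the key cannot be recovered from the token."""
    return hmac.new(key, b"csrf:" + session_id.encode(), hashlib.sha256).digest()


def render_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Mask the session token with a one-time pad so every rendered form shows a
    different string; all of them unmask to the same token."""
    token = session_token(session_id, key)
    pad = secrets.token_bytes(len(token))
    masked = bytes(p ^ t for p, t in zip(pad, token))
    return base64.urlsafe_b64encode(pad + masked).decode()


def unmask(value: str) -> Optional[bytes]:
    """Reverse render_token; None for anything that is not a well-formed value."""
    try:
        raw = base64.urlsafe_b64decode(value)
    except (ValueError, binascii.Error):
        return None
    if not raw or len(raw) % 2:
        return None
    half = len(raw) // 2
    return bytes(p ^ m for p, m in zip(raw[:half], raw[half:]))


def hidden_field(session_id: str) -> str:
    """The JSP-style hidden input. It only reaches the server as part of a form
    submission, which is why it has to sit between <form> tags."""
    return f'<input type="hidden" name="csrf_token" value="{render_token(session_id)}" />'


def check_synchronizer(method: str, session_id: str, form: dict, query: dict,
                       key: bytes = SERVER_KEY) -> bool:
    """Accept a state-changing request only with a valid token in the body."""
    if method.upper() in SAFE_METHODS:
        return True                      # safe methods must not change state
    if "csrf_token" in query:
        return False                     # token in the URL leaks via logs and Referer
    presented = unmask(form.get("csrf_token", ""))
    if presented is None:
        return False
    return hmac.compare_digest(presented, session_token(session_id, key))


def new_double_submit_cookie() -> str:
    """Random value set as a cookie at session start; it holds no secret."""
    return secrets.token_urlsafe(32)


def check_double_submit(form: dict, cookies: dict) -> bool:
    """The form field must equal the cookie; a cross-site form cannot read the
    cookie to fill the field in."""
    field, cookie = form.get("csrf_token", ""), cookies.get("csrf", "")
    if not field or not cookie:
        return False
    return hmac.compare_digest(field.encode(), cookie.encode())
```

    Both checks assume the attacker cannot read the victim's page; script running in the origin (XSS) sees the hidden field and the cookie alike, which is the situation the Rails question discusses. Masking changes only the string on each page, not the token's lifetime, which stays that of the session.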

  • Authlogic: Create records on other users' behalf

    - by Friðrik
    Hi. Using Authlogic, what is the best way to create a record in Rails on other users' behalf? Description: I have a C++ server which handles TCP connections from many C++ clients, and I want the C++ server to create a new record in the Rails database using its REST API. However, the C++ server needs to be authenticated before creating that record. What I want is to attach the original user ID (from the C++ client) to the record (but not the server's) so I know which user the record came from. One way is for the C++ client to send its persistence token over to the C++ server, which sends that token as a parameter to the create action. Does that make sense? Or are there maybe some better ways to do this? I have a Rails app which uses Authlogic for authentication. I also have another C++ client which logs in and provides I have a C++ server which uses

  • Basic Profanity Filter in Objective C for iPhone

    - by David van Dugteren
    How have you like-minded individuals tackled the basic challenge of filtering profanity? Obviously one can't possibly tackle every scenario, but it would be nice to have one at the most basic level as a first line of defense. In Obj-C I've got

        NSString *tokens = [text componentsSeparatedByString:@" "];

    and then I loop through each token to see if any of the keywords (I've got about 400 in a list) are found within each token. Realising false positives are also a problem: if the word is a perfect match, it's flagged as profanity; otherwise, if more than 3 words with profanity are found without being perfect matches, it is also flagged as profanity. Later on I will use a web service that tackles the problem more precisely, but I really just need something basic. So if you wrote the word penis it would go "yup, naughty naughty, bad word written."

  • Paypal - DoExpressCheckoutPayment null pointer

    - by user969894
        String nvpstr = "&TOKEN=" + token + "&PAYERID=" + payerID + "&PAYMENTREQUEST_0_PAYMENTACTION=" + paymentType + "&PAYMENTREQUEST_0_AMT=" + finalPaymentAmount + "&PAYMENTREQUEST_0_CURRENCYCODE=" + currencyCodeType + "&IPADDRESS=" + serverName;

    Having done an earlier call to SetExpressCheckout, I had to change a few parameter names because PayPal had changed them in the documentation but not in the code from the integration wizard. Now for DoExpressCheckoutPayment I've modified a few, but I get a null pointer at strAck:

        HashMap nvp = httpcall("DoExpressCheckoutPayment", nvpstr);
        String strAck = nvp.get("ACK").toString();
        if (strAck.equalsIgnoreCase("Success")) {
            return nvp;
        }

    Not sure what is wrong. Any suggestions for debugging this or possible solutions?

  • Rails: Generated tokens missing occasionally

    - by Vincent Chan
    We generate a unique token for each user and store it in the database. Everything is working fine in the local environment. However, after we upload the code to the production server on Engine Yard, things become weird. We tried to register an account right after the deploy. It is working fine and we can see the token in the DB. But after that, when we register new accounts, we cannot see any tokens. We only have NULL in the DB. Not sure what caused this problem because we can't reproduce this on the local machine. Thanks for your help.

  • How do I read input character-by-character in Java?

    - by Jergason
    I am used to the C-style getchar(), but it seems like there is nothing comparable for Java. I am building a lexical analyzer, and I need to read in the input character by character. I know I can use the Scanner to scan in a token or line and parse through the token char by char, but that seems unwieldy for strings spanning multiple lines. Is there a way to just get the next character from the input buffer in Java, or should I just plug away with the Scanner class? Edit: forgot to say where the input is coming from. The input is a file, not the keyboard.

  • Storing n-grams in database in < n number of tables.

    - by kurige
    If I was writing a piece of software that attempted to predict what word a user was going to type next using the two previous words the user had typed, I would create two tables. Like so:

    == 1-gram table ==

        Token | NextWord | Frequency
        ------+----------+-----------
        "I"   | "like"   | 15
        "I"   | "hate"   | 20

    == 2-gram table ==

        Token    | NextWord   | Frequency
        ---------+------------+-----------
        "I like" | "apples"   | 8
        "I like" | "tomatoes" | 12
        "I hate" | "tomatoes" | 20
        "I hate" | "apples"   | 2

    Following this example implementation, the user types "I" and the software, using the above database, predicts that the next word the user is going to type is "hate". If the user does type "hate" then the software will then predict that the next word the user is going to type is "tomatoes". However, this implementation would require a table for each additional n-gram that I choose to take into account. If I decided that I wanted to take the 5 or 6 preceding words into account when predicting the next word, then I would need 5-6 tables, and an exponential increase in space per n-gram. What would be the best way to represent this in only one or two tables, that has no upper limit on the number of n-grams I can support?
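    An added example of the single-table layout the question is asking for; it is not code from the question. Every context length shares one table whose context column holds the space-joined preceding words, and prediction backs off from the longest context that has been seen. It uses sqlite3 from the standard library with an in-memory database, and the training sentence is constructed here. The words are passed as bound parameters rather than pasted into the SQL, so user-typed text never becomes part of a statement.

```python
"""One-table n-gram store with backoff prediction.

Added example, not code from the question. Uses an in-memory SQLite database;
the training text in the usage is constructed.
"""
import sqlite3
from typing import Optional


class NgramModel:
    def __init__(self, max_n: int = 5):
        self.max_n = max_n
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE ngram ("
            " context TEXT NOT NULL,"      # 1..max_n preceding words, space-joined
            " next_word TEXT NOT NULL,"
            " freq INTEGER NOT NULL,"
            " PRIMARY KEY (context, next_word))")

    def train(self, text: str) -> None:
        """Count every (context, next word) pair for all context lengths up to max_n."""
        words = text.split()
        for i, word in enumerate(words):
            for n in range(1, self.max_n + 1):
                if i - n < 0:
                    break
                ctx = " ".join(words[i - n:i])
                # Bound parameters: the words are data, never SQL text.
                self.db.execute("INSERT OR IGNORE INTO ngram VALUES (?, ?, 0)", (ctx, word))
                self.db.execute("UPDATE ngram SET freq = freq + 1"
                                " WHERE context = ? AND next_word = ?", (ctx, word))
        self.db.commit()

    def predict(self, history: str) -> Optional[str]:
        """Most frequent continuation of the longest known suffix of history."""
        words = history.split()
        for n in range(min(self.max_n, len(words)), 0, -1):
            ctx = " ".join(words[-n:])
            row = self.db.execute(
                "SELECT next_word FROM ngram WHERE context = ?"
                " ORDER BY freq DESC, next_word LIMIT 1", (ctx,)).fetchone()
            if row:
                return row[0]
        return None

    def count(self, context: str, next_word: str) -> int:
        row = self.db.execute("SELECT freq FROM ngram WHERE context = ? AND next_word = ?",
                              (context, next_word)).fetchone()
        return row[0] if row else 0
```

    Raising max_n adds rows, not tables; the cost is the number of stored pairs, which grows with the corpus rather than with the schema.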

  • Testing with Unittest Python

    - by chrissygormley
    Hello, I am running tests with Python unittest. I am running tests but I want to do negative testing, and I would like to test that if a function throws an exception the test passes, but if no exception is thrown the test fails. The script I have is:

        try:
            result = self.client.service.GetStreamUri(self.stream, self.token)
            self.assertFalse
        except suds.WebFault, e:
            self.assertTrue
        else:
            self.assertTrue

    This always passes as True even when the function works perfectly. I have also tried various other ways, including:

        try:
            result = self.client.service.GetStreamUri(self.stream, self.token)
            self.assertFalse
        except suds.WebFault, e:
            self.assertTrue
        except Exception, e:
            self.assertTrue

    Does anyone have any suggestions? Thanks

  • Approach for authentication and storing user details.

    - by cappuccino
    Hey folks, I am using the Zend Framework but my question is broadly about sessions / databases / auth (PHP, MySQL). Currently this is my approach to authentication:

    1) User signs in, the details are checked in the database. Standard stuff really.

    2) If the details are correct, only the user's unique ID is stored in the session, plus a security token (user unique ID + IP + browser info + salt). The session is written to the filesystem. I've been reading around and many are saying that storing stuff in sessions is not a good idea, and that you should really only write a unique ID which refers back to the user's details, and a security token to prevent session hijacking. So this is the approach I've taken; I used to write the user's details into the session, but I've moved that out. Wanted to know your opinions on this. I'm keeping sessions in the filesystem since I don't run on multiple servers, and since I'm only writing a tiny, tiny bit of data to sessions, I thought that performance would be greater keeping sessions in the filesystem to reduce load on the database. Once the session is written on authentication, it really is only read-only from then on.

    3) The rest of the user's details (like subscription details, permissions, account info etc.) are cached in the filesystem (this can always be easily moved to memory if I wanted even more performance). So rather than keeping the user's details in the session, the user's details are cached in the filesystem. I'm using Zend_Cache and the unique cache ID is something like md5(/cache/auth/2892), the number being the unique ID of the user. I guess the benefit of this method is that once the user is logged in, there are essentially no database queries being run to get the user's details. Just wondering if this approach is better than keeping the whole lot in the session...

    4) As the user moves throughout the site the only things that are checked are the ID in the session and the security token.

    So, overall, the questions are: 1) is the filesystem more efficient than a database for this purpose? 2) have I taken enough security precautions? 3) is separating user details from the session into a cached file a pointless task? Thanks.
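    An added example, written for the design described above rather than taken from it or from Zend Framework, of the part of it that the three questions turn on: a random session id is the only thing the cookie carries; the server-side record holds the user id, an expiry and an HMAC over the client's IP address and browser string under a server secret (the "security token" of step 2), which is checked on every request in constant time; and user details are cached by user id, separately from the session, with explicit invalidation. The store, the clock and the loader are in-memory stand-ins, and SERVER_SECRET is an assumed per-deployment key.

```python
"""Session id plus keyed client fingerprint, with a separate per-user cache.

Added example, not code from the question or from Zend Framework. The store,
clock and loader are in-memory stand-ins; SERVER_SECRET is an assumption.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret kept out of the DB


class SessionStore:
    """In-memory stand-in for the filesystem session and the user-details cache."""

    def __init__(self, ttl: int = 3600, clock: Callable[[], float] = time.time):
        self._sessions = {}   # session id -> record; only the id goes to the client
        self._profiles = {}   # user id -> details (the cached part from step 3)
        self.ttl = ttl
        self.clock = clock

    @staticmethod
    def fingerprint(ip: str, user_agent: str) -> bytes:
        """The 'security token': a keyed hash of client properties, so it cannot
        be forged without SERVER_SECRET even if the session file were readable."""
        msg = f"{ip}\n{user_agent}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

    def login(self, user_id: int, ip: str, user_agent: str) -> str:
        """After the password check succeeded: issue a fresh random id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user_id": user_id,
            "fp": self.fingerprint(ip, user_agent),
            "expires": self.clock() + self.ttl,
        }
        return sid

    def authenticate(self, sid: str, ip: str, user_agent: str) -> Optional[int]:
        """Step 4, on every request: check the id and the token. Returns the
        user id, or None when the session is unknown, expired or presented
        from a different client (in which case it is dropped, not repaired)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] < self.clock():
            self._sessions.pop(sid, None)
            return None
        if not hmac.compare_digest(rec["fp"], self.fingerprint(ip, user_agent)):
            self._sessions.pop(sid, None)
            return None
        return rec["user_id"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def profile(self, user_id: int, loader: Callable[[int], dict]) -> dict:
        """Cached user details; loader hits the database only on a miss."""
        if user_id not in self._profiles:
            self._profiles[user_id] = loader(user_id)
        return self._profiles[user_id]

    def invalidate_profile(self, user_id: int) -> None:
        """Call when permissions or subscription change; otherwise the cache
        keeps serving rights the database has already revoked."""
        self._profiles.pop(user_id, None)
```

    Binding to the IP address also ends sessions for users whose address changes mid-session (mobile networks, proxies); binding to the browser string alone is weaker but does not have that cost. The cache is the part that needs discipline: its entries outlive the rows they copy, so every change to permissions or subscription has to call invalidate_profile or the revoked rights stay in force until the cache expires.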
