account security - Page 34

ASP.Net Roles: Page-Level Security Question

- by jlrolin

We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a Base Page class to check if the user has the role of the corresponding page the user is navigating to. We can limit the menu's options by the user's roles as well, but we have had problems with users navigating to pages in our system by typing them in or having old bookmarks. Obviously, we need some sort of page level access. A simple function in our Base Page class that checks the role in the Arraylist against the page's assigned role would work, but I was wondering if there was any built-in functionality to support this or a cleaner solution possibly.

Read the article

Handling user security scope with nHibernate or other ORM

- by Schotime

How should one handle the situation where you may need to filter by a group of users. Here is the scenario. I have an administrator role in my company. I should be able to see all the data belonging to me plus all the other users who I have control over. A plain old user however should only be able to access their own data. If you are writing regular sql statements then you can have a security table with every user and who they have access too but i'm not sure how to handle this situation in the OO and ORM world. Any one dealt with this scenario in a web application using an ORM? Would love to hear your thoughts!

Read the article

help in security assignment

- by scatman

i have to write a program that sniffs network packets (part1-the simple part). and i have to update the program (part2) so that it will be able to terminate connections. the specific requirements are: construct raw packets by specifying data link layer and network layer information including appropriate source and destination MAC and IP addresses. These packets are intended to terminate the connection. To do so, you should used SOCK_RAW as the socket type to be able to set the header information by yourself. can anybody give me some ideas on the second part? should i hijack the session,apply a dos attack on one of the users?? all i need is some tips of how to terminate the connection. i am using c programming language. and this is a course assignment for the security course.

Read the article

Form Security (discussion)

- by Eray Alakese

I'm asking for brain storming and sharing experience. Which method you are using for form submiting security ? For example , for block automatically sended POST or GET datas, i'm using this method : // Generating random string <?php $hidden = substr(md5(microtime()) ,"-5"); ?> <form action="post.php" .... // assing this random string to a hidden input <input type="hidden" value="<?php echo $hidden;" name="secCode> // and then put this random string to a session variable $_SESSION["secCode"] = $hidden; **post.php** if ($_POST["secCode"] != $_SESSION["secCode"]) { die("You have to send this form, on our web site"); }

Read the article

global security manager in flex

- by ron

hi, I made a swf that interacts with other site on the internet (which has a crossdomainfile for me). in the main.mxml there is a definition of webservice (mx:WebService)(which is not in my domain). Therefore when loading the swf, there is a first call to crossdomainfile.xml. I put this swf on my server so that my clients can get it. When i connect to my server to download the swf, i expect to be asked if i want to allow the swf connect to foreign webservice domain. But i am not being asked. Do i always need to define exception in Global Security Settings panel? I don't want my client do define special things.. Is there a best practice for that? Why when i surfing the net other swf can do this? I read about the FlashPlayerTrust, can i define there a website i trust my swf will connect to? anyone knows?

Read the article

Security question

- by Syom

in my cms i have index.php, where client must enter username and password. if they are correct, he'll moove to admin.php, where the cms is. but now hacker can enter to cms/admin.php, so my security now is awful. i know, that i can use $_SESSION variable. index.php - i can give some value to $_SESSION['success']: $_SESSION['success'] = TRUE, and in admin.php just verify it admin.php if($_SESSION['success'] == TRUE) { my script here... } else header("Location: index.php"); but i want to rich this effect without SESSION. could you give me an idea, how can i do it? thanks

Read the article

Security of PHP script, embedded or otherwise

- by typoknig

Hi all, I am curious about the security of PHP on an HTML webpage where PHP code is embedded (a webpage that would exist on the server as "webpage.php") or on a PHP script that may be referenced by an HTML page (that is, a PHP script that is not actually part of a webpage that exists on the server as "something.php" and is referenced by "webpage.html"). Getting to the point, let us say that if the source code of my PHP script is known by anyone it would be a very big problem. I know that when you view the source of a PHP page in a browser the PHP script is not shown, but what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script? To be more general, is there ANY possible way that a user could access the source of a PHP script from a web browser, and if so, how do I prevent it?

Read the article

WebService Security

- by LauzPT

Hello, I'm developing an project, which consists in a webservice and a client application. It's a fair simple scenario. The webservice is connected to a database server, and the client consumes from the webserver in order to get information retrieved from the database. The thing is: 1. The client application can only display data after a previous authentication; 2. All the data transferred between Web Service and clients must be confidential; 3. Data integrity shouldn’t be compromised; I'm wondering what is the best way to achieve these requirements. The first thing I thought about, was sending the server a digital signature containing a client certificate, to be stored in the server, and used as comparison for authentication. But I investigated a little about webservice security, and I'm no longer certain that this is the best option. Can anyone give me an opinion about this? TIA

Read the article

PHP Security checklist (injection, sessions etc)

- by NoviceCoding

So what kind of things should a person using PHP and MySql be focused on to maximize security. Things I have done: -mysql_real_escape_string all inputs -validate all inputs after escaping em -Placed random alpha numerics before my table names -50character salt + Ripemd passwords Heres where I think I am slacking: -I know know nothing about sessions and securing them. How unsafe/safe is it if all you are doing is: session_start(); $_SESSION['login']= $login; and checking it with: session_start(); if(isset($_SESSION['login'])){ -I heard something about other forms of injection like cross site injection and what not... -And probably many other things I dont know about. Is there a "checklist"/Quicktut on making php secure? I dont even know what I should be worried about.I kinda regret now not building off cakephp since I am not a pro.

Read the article

OpenId authentication and automatic registration with Spring Security 3.0.2

- by xlluch

I'm implementing an app using spring security 3.0.2 with OpenId login and registration. I can login succesfully, but if the user isn't registered i want to do: 1) Get some OpenId attributes like email and name. 2) Show to the user a registration form with just these two fields and the OpenId URI filled. I've been searching a lot but i didn't find an "ellegant" way of doing this. I wonder if some of u can come out with a solution to implement this strategy in my app. Thanks in advance.

Read the article

Security issues in accepting passwords vs auto generating the password

- by Vivekanand Poojari

Hi, I am developing a console application. This application generates a self signed certificate and installs it in the current machine's certificate store. The steps invlolved are :- Generate a certificate Create a pfx file Install the pfx file For these steps i would need a password for protecting the private key and the pfx file. However these passwords are used only during the execution of the exe. Should I auto generate a password using some random number generation algorithm or accept the password as input from the user? What are the security issues involved in both the scenarios ? Thanks Vivekanand

Read the article

Spring security with database and multiple roles?

- by Joe

I'm trying to make an application using spring 3.0. Now I've decided to try my hand at spring-security and hibernate. I've already seen that it's possible to back it with a databasem and I've seen a reference to defining your own queries? Now the problem I have is that the tutorials I've been finding aren't too clear and that they assume that a user can only have one role. I want to give some users multiple roles. So I was thinking about a database scheme along the lines of: User: user_id username password registrationDate User_Role: user_id role_id Role: role_id rolename Now I was wondering if anyone had some pointers to some usefull tutorials/advice/comments.

Read the article

Windows 7 locked out account

- by Lukas

I have a Win7 x64 computer. There was only one account (mine, created at installation, password protected, full administrative access with UAC enabled). To speed up the startup + login process I went to control userpasswords2 and unchecked that users need to enter password. By this operation my account has been changed to Guest type and an Administrator account has been created. This Administrator account has a small overlay icon with a downwards pointing arrow. My original password did not work; if I try leaving the password blank it says something like "Your account has been disabled. Contact your administrator." Contacting myself surprisingly did not help. As my account (which I am still able to access) is Guest, I have no rights to do anything. Is there a way to get my access back without reinstalling?

Read the article

Necesity of ModSecurity if Apache is behind Nginx

- by Saif Bechan

I have my Apache installed behind Nginx. So every request that comes in is first handeled by Nginx. If there is dynamic content needed the request is send to Apache which listens on port 8080. Pretty basic reverse proxy setup. Now with this setup the first entry point is Nginx. Is it still needed to install ModSecurity to protect Apache against unwanted request. Or should I just focus on protecting Nginx as this is the first entry point. All suggestions are welcome.

Read the article

Securing an SVN only server

- by Webnet

Everything's running off of self-secured https. Aside from setting up user authentication, what steps should I take to be sure we're secured?

Read the article

Do browsers allows pages loaded on one tab to access/intercept/inject data in other tabs?

- by jairo

I was surprised to hear from this Reuters video that it was possible for a page loaded on one tab to access and/or inject data onto another page loaded on a different tab. TL;DW (too lazy; didn't watch) The interviewee in the video suggests that when doing online banking, the user exit his browser (thus closing all windows) and start a new browser session with just your banking page/tab open. Allegedly, malicious sites can check if you have your banking site open and inject commands onto those sites. Can someone confirm and/or deny this claim? Is it only possible even if there is not parent/child relationship between windows/tabs?

Read the article

How can I have APF block script kiddies that mod_security detects?

- by Gaia

Read the article

Why is the "Standard Account" option disabled (grayed-out)

- by Clayton Hughes

I just installed Win7 64bit on a new hard drive, and I created a user account through the OOBE. I want to make my user account a standard user. However, if I go into "User Accounts" and select "Change my account type", the standard user option is greyed out--this account apparently has to be an administrator. I thought maybe it was the only admin account on the machine, so I tried to create a new user account named "Administrator", but was told I couldn't, because one already exists. What gives? What do I have to do to run as a standard user?

Read the article

Changing administrator for hosted Exchange account

- by RussSchick

We are using a hosted MS Exchange provider, and they claim that our account can only have one administrator. They also claim that they cannot change which login is granted administrator privileges. This means that the user account that was initially created five years ago is the only account that can change our billing information, among other things. The employee associated with the current admin account is no longer with the company, so we'd like to move the admin privileges to a new "sysadmin" account, and delete this employee's account. Shouldn't this be really easy to do? Is my hosted exchange provider telling the truth?

Read the article

HOw to secure whm/cpanel centos server from javascript malacious code virus

- by Master

Recently my sites index.php code was replaced some malacious javascript virus code. I really don't know how did that entered into that page. Today when i tried to download that file via ftp then antivirus gave me the warning. So it means it was not entered from my computer. Is there any way to install some antivirus on VPS server with centos 5 , cpanel/whm so that those code should not be allowed to add. also what is mod_security . will it be helpful.

Read the article

Cannot schedule task to run under domain user account other than current user

- by Filburt

On our Win 2008 machines I can't schedule tasks for domain users because the domain name does not resolve to network name but the AD dc name. The "network name" looks like ABCDEFGE-HIJKLM and the "dc" / "name" would look like ABCDEFGE-HIJKLMN. When selecting the domain user account the account qualifier will look like ABCDEFGE-HIJKLMN\task.user. This results in an "invalid account" error. When however keeping the currently logged in user it will display ABCDEFGE-HIJKLM\current.user. Does this behaviour result from the presumable "illegal" domain name? Is there a workaround for this? update I could of course log in as the desired domain account and create the task but since this account is a account used for running services I want to avoid creating a user profile on the machine.

Read the article

Options for PCI-DSS on AWS - file integrity monitoring and intrusion detection

- by Brill Pappin

I need to deploy some file integrity monitoring and intrusion detections software on AWS instances. I really wanted to use OSSEC, however it does not work well in an environment where servers can auto deploy and shut down based on load, because it requires server managed keys to be generated. Including the agent in the AMI will not allow monitoring as soon as it comes up because of that. There are many options out there, and several are listed in other posts on this site, however none that I've seen so far deal with the unique problems inherent in AWS or cloud based deployments in general. Can anyone point me at some products, preferably open source, that we might use to cover those portions of PCI DSS that require this software? Has anyone else achieved this on AWS?

Read the article

How does Antimalware Doctor infect computers?

- by Pyrolistical

I didn't do anything stupid like run random .exe or visit questionable websites, but as I was just Googling I get infected by Antimalware Doctor. At that point I just shutdown my computer and reformatted, so I didn't check if I had the latest version of Flash or Firefox. Is it possible to get infected just because I didn't have my Flash newer than 10.1 and some random flash ad infected me? There doesn't seem to be any information on how Antimalware Doctor works asides from how to remove it.

Read the article

Is it a good practice to run identd in 2010?

- by Alex R

I know in the "old days" it was good practice to shut this off. But nowadays I have heard that it improves deliverability of email. In the old days people were not worried about spam (or having their outbound email rejected), so that made sense. Of course, the question is only relevant to servers that send email. What is the current, common practice among discerning Linux admins? Run identd or leave it off? Thanks

Read the article

Grandma's Computer - Can a user that belongs only to the "Users" group in Windows XP install malware, virus or IE addons?

- by DanC

I am trying to figure out if having a user in the "Users" group will be enough to prevent her from install unwanted software. The things that I don't want the user to be able to install are: virus malware bandoo stuff Internet Explorer Addons To put you in context, I am thinking of my grandma's computer, I want her to be able to read all her email stuff and attachments, but without the hassle of needing to reinstall the whole computer every few months. The computer will run Windows XP, with some free antivirus. It will not be part of any domain. It is just a home computer. Linux, I have tried making her use it, but she was already accustomed to Windows and was not really an option to have her re-learn where was the shutdown button. So, are these considerations enough to prevent her installing unwanted software? What other options come to you mind? Thanks

Search Results

Search found 21071 results on 843 pages for 'account security'.

Page 34/843 | < Previous Page | 30 31 32 33 34 35 36 37 38 39 40 41 | Next Page >

- by jlrolin

- by Schotime

- by scatman

- by Eray Alakese

- by ron

- by Syom

- by typoknig

- by LauzPT

- by NoviceCoding

- by xlluch

- by Vivekanand Poojari

- by Joe

- by Lukas

- by Saif Bechan

- by Webnet

- by jairo

- by Gaia

- by Clayton Hughes

- by RussSchick

- by Master

- by Filburt

- by Brill Pappin

- by Pyrolistical

- by Alex R

- by DanC

< Previous Page | 30 31 32 33 34 35 36 37 38 39 40 41 | Next Page >