Search Results

Search found 89593 results on 3584 pages for 'just user'.


  • How can I reliably check client identity whilst making DCOM calls to a C# .Net 3.5 Server?

    - by pionium
    Hi, I have an old Win32 C++ DCOM Server that I am rewriting to use C# .Net 3.5. The client applications sit on remote XP machines and are also written in C++. These clients must remain unchanged, hence I must implement the interfaces on new .Net objects. This has been done, and is working successfully regarding the implementation of the interfaces, and all of the calls are correctly being made from the old clients to the new .Net objects. However, I'm having problems obtaining the identity of the calling user from the DCOM Client. In order to try to identify the user who instigated the DCOM call, I have the following code on the server...

      [DllImport("ole32.dll")] static extern int CoImpersonateClient();
      [DllImport("ole32.dll")] static extern int CoRevertToSelf();

      private string CallingUser
      {
          get
          {
              string sCallingUser = null;
              if (CoImpersonateClient() == 0)
              {
                  WindowsPrincipal wp = System.Threading.Thread.CurrentPrincipal as WindowsPrincipal;
                  if (wp != null)
                  {
                      WindowsIdentity wi = wp.Identity as WindowsIdentity;
                      if (wi != null && !string.IsNullOrEmpty(wi.Name))
                          sCallingUser = wi.Name;
                  }
                  if (CoRevertToSelf() != 0)
                      ReportWin32Error("CoRevertToSelf");
              }
              else
                  ReportWin32Error("CoImpersonateClient");
              return sCallingUser;
          }
      }

      private static void ReportWin32Error(string sFailingCall)
      {
          Win32Exception ex = new Win32Exception();
          Logger.Write("Call to " + sFailingCall + " FAILED: " + ex.Message);
      }

    When I get the CallingUser property, the value returned the first few times is correct and the correct user name is identified; however, after 3 or 4 different users have successfully made calls (and it varies, so I can't be more specific), further users seem to be identified as users who had made earlier calls.

    What I have noticed is that the first few users have their DCOM calls handled on their own thread (ie all calls from a particular client are handled by a single unique thread), and then subsequent users are being handled by the same threads as the earlier users, and after the call to CoImpersonateClient(), the CurrentPrincipal matches that of the initial user of that thread. To illustrate:

      - User Tom makes DCOM calls which are handled by thread 1 (CurrentPrincipal correctly identifies Tom)
      - User Dick makes DCOM calls which are handled by thread 2 (CurrentPrincipal correctly identifies Dick)
      - User Harry makes DCOM calls which are handled by thread 3 (CurrentPrincipal correctly identifies Harry)
      - User Bob makes DCOM calls which are handled by thread 3 (CurrentPrincipal incorrectly identifies him as Harry)

    As you can see in this illustration, calls from clients Harry and Bob are being handled on thread 3, and the server is identifying the calling client as Harry. Is there something that I am doing wrong? Are there any caveats or restrictions on using Impersonations in this way? Is there a better or different way that I can RELIABLY achieve what I am trying to do? All help would be greatly appreciated. Regards Andrew


  • ContentType Issue -- Human is an idiot - Can't figure out how to tie the original model to a Content

    - by bmelton
    Originally started here: http://stackoverflow.com/questions/2650181/django-in-query-as-a-string-result-invalid-literal-for-int-with-base-10 I have a number of apps within my site, currently working with a simple "Blog" app. I have developed a 'Favorite' app, easily enough, that leverages the ContentType framework in Django to allow me to have a 'favorite' of any type... trying to go the other way, however, I don't know what I'm doing, and can't find any examples for. I'll start off with the favorite model:

    favorite/models.py

      from django.db import models
      from django.contrib.contenttypes.models import ContentType
      from django.contrib.contenttypes import generic
      from django.contrib.auth.models import User

      class Favorite(models.Model):
          content_type = models.ForeignKey(ContentType)
          object_id = models.PositiveIntegerField()
          user = models.ForeignKey(User)
          content_object = generic.GenericForeignKey()

          class Admin:
              list_display = ('key', 'id', 'user')

          class Meta:
              unique_together = ("content_type", "object_id", "user")

    Now, that allows me to loop through the favorites (on a user's "favorites" page, for example) and get the associated blog objects via {{ favorite.content_object.title }}. What I want now, and can't figure out, is what I need to do to the blog model to allow me to have some tether to the favorite (so when it is displayed in a list it can be highlighted, for example).

    Here is the blog model:

    blog/models.py

      from django.db import models
      from django.db.models import permalink
      from django.template.defaultfilters import slugify
      from category.models import Category
      from section.models import Section
      from favorite.models import Favorite
      from django.contrib.auth.models import User
      from django.contrib.contenttypes.models import ContentType
      from django.contrib.contenttypes import generic

      class Blog(models.Model):
          title = models.CharField(max_length=200, unique=True)
          slug = models.SlugField(max_length=140, editable=False)
          author = models.ForeignKey(User)
          homepage = models.URLField()
          feed = models.URLField()
          description = models.TextField()
          page_views = models.IntegerField(null=True, blank=True, default=0)
          created_on = models.DateTimeField(auto_now_add=True)
          updated_on = models.DateTimeField(auto_now=True)

          def __unicode__(self):
              return self.title

          @models.permalink
          def get_absolute_url(self):
              return ('blog.views.show', [str(self.slug)])

          def save(self, *args, **kwargs):
              if not self.slug:
                  slug = slugify(self.title)
                  duplicate_count = Blog.objects.filter(slug__startswith=slug).count()
                  if duplicate_count:
                      slug = slug + str(duplicate_count)
                  self.slug = slug
              super(Blog, self).save(*args, **kwargs)

      class Entry(models.Model):
          blog = models.ForeignKey('Blog')
          title = models.CharField(max_length=200)
          slug = models.SlugField(max_length=140, editable=False)
          description = models.TextField()
          url = models.URLField(unique=True)
          image = models.URLField(blank=True, null=True)
          created_on = models.DateTimeField(auto_now_add=True)

          def __unicode__(self):
              return self.title

          def save(self, *args, **kwargs):
              if not self.slug:
                  slug = slugify(self.title)
                  duplicate_count = Entry.objects.filter(slug__startswith=slug).count()
                  if duplicate_count:
                      slug = slug + str(duplicate_count)
                  self.slug = slug
              super(Entry, self).save(*args, **kwargs)

          class Meta:
              verbose_name = "Entry"
              verbose_name_plural = "Entries"

    Any guidance?


  • Login From Multiple Services, Keeping Profiles in Sync

    - by viatropos
    Given the following:

      - I have an application that allows people to login through twitter, myspace, yahoo, and google
      - User creates initial account by logging in through Google
      - User logs out
      - User logs back in using Yahoo.

    ...is there a recommended way for the application to associate those two accounts together? Stack Overflow has this functionality but it seems like they need the user to manually say "this google account is associated with that yahoo one". Is there no way to do this automatically?


  • Filter chain halted as [:login_required] rendered_or_redirected

    - by Magicked
    Hopefully I can explain this well enough, but please let me know if more information is needed! I'm building a form where a user can create an "incident". This incident has the following relationships:

      - belongs_to: customer (customer has_many incidents)
      - belongs_to: user (user has_many incidents)
      - has_one: incident_status (incident_status belongs to incident)

    The form allows the user to assign the incident to a user (select form) and then select an incident status. The incident is nested in customer. However, I'm getting the following in the server logs:

      Processing IncidentsController#create (for 127.0.0.1 at 2010-04-26 10:41:33) [POST]
        Parameters: {"commit"=>"Create", "action"=>"create", "authenticity_token"=>"YhW++vd/dnLoNV/DSl1DULcaWq/RwP7jvLOVx9jQblA=", "customer_id"=>"4", "controller"=>"incidents", "incident"=>{"title"=>"Some Bad Incident", "incident_status_id"=>"1", "user_id"=>"2", "other_name"=>"SS01-042310-001"}}
        User Load (0.3ms)   SELECT * FROM "users" WHERE ("users"."id" = 2) LIMIT 1
      Redirected to http://localhost:3000/session/new
      Filter chain halted as [:login_required] rendered_or_redirected.
      Completed in 55ms (DB: 0) | 302 Found [http://localhost/customers/4/incidents]

    It looks to me like it's trying to gather information about the user, even though it already has the id (which is all it needs to create the incident), and the user may not have permission to do a select statement like that? I'm rather confused. Here is the relevant (I think) information in the Incident controller.

      before_filter :login_required, :get_customer

      def new
        @incident = @customer.incidents.build
        @users = @customer.users
        @statuses = IncidentStatus.find(:all)

        respond_to do |format|
          format.html # new.html.erb
          format.xml  { render :xml => @incident }
        end
      end

      def create
        @incident = @customer.incidents.build(params[:incident])

        respond_to do |format|
          if @incident.save
            flash[:notice] = 'Incident was successfully created.'
            format.html { redirect_to(@incident) }
            format.xml  { render :xml => @incident, :status => :created, :location => @incident }
          else
            format.html { render :action => "new" }
            format.xml  { render :xml => @incident.errors, :status => :unprocessable_entity }
          end
        end
      end

    Just as an FYI, I am using the restful_authentication plugin. So in summary, when I submit the incident creation form, it does not save the incident because it halts. I'm still very new to rails, so my skill at diagnosing problems like this is still very bad. I'm going in circles. :) Thanks in advance for any help. Please let me know if more information is needed and I'll edit it in!


  • MySQL Basic about relationship

    - by Roberto
    Hi all! My doubt is about how to handle the following thing: I have a system where a user belongs to a company, and this user has their clients. What is the right way to get a list of all company clients and the corresponding user name? In the client table, do I have a field with one of these relations:

      - A company_id and user_id field
      - Just a company_id field
      - Just a user_id field, because the user table has the company_id?
      - Something else...

    Tkz Roberto


  • Making only a part of model field available in Django

    - by Hellnar
    Hello, I have such a model:

      from django.db import models
      from django.contrib.auth.models import User

      GENDER_CHOICES = (
          ('M', 'Male'),
          ('F', 'Female'),
      )

      class Profile(models.Model):
          user = models.ForeignKey(User)
          gender = models.CharField(max_length=1, choices=GENDER_CHOICES)

      class FrontPage(models.Model):
          female = models.ForeignKey(User, related_name="female")
          male = models.ForeignKey(User, related_name="male")

    Once I attempt to add a new FrontPage object via the Admin page, I can select "Female" profiles for the male field of FrontPage; how can I restrict that? Thanks


  • Insert default value if input-text is deleted

    - by Kim Andersen
    Hi all, I have the following piece of jQuery code:

      $(".SearchForm input:text").each(function(){
          /* Sets the current value as the defaultvalue attribute */
          if(allowedDefaults.indexOf($(this).val()) > 0 || $(this).val() == "") {
              $(this).attr("defaultvalue", $(this).val());
              $(this).css("color","#9d9d9d");

              /* Onfocus, if default value clear the field */
              $(this).focus(function(){
                  if($(this).val() == $(this).attr("defaultvalue")) {
                      $(this).val("");
                      $(this).css("color","#4c4c4c");
                  }
              });

              /* Onblur, if empty, insert defaultvalue */
              $(this).blur(function(){
                  alert("ud");
                  if($(this).val() == "") {
                      $(this).val($(this).attr("defaultvalue"));
                      $(this).css("color","#9d9d9d");
                  } else {
                      $(this).removeClass("ignore");
                  }
              });
          }
      });

    I use this code to insert some default text into some of my input fields, when nothing else is typed in. This means that when a user sees my search-form, the defaultvalues will be set as an attribute on the input-field, and this will be the value that is shown. When a user clicks inside of the input field, the default value will be removed. When the user sees an input field at first it looks like this:

      <input type="text" value="" defaultvalue="From" />

    This works just fine, but I have a big challenge. If a user has posted the form, and something is entered into one of the fields, then I can't show the default value in the field if the user deletes the text from the input field. This is happening because the value of the text-field is still containing something, even when the user deletes the content. So my problem is how to show the default value when the form is submitted, and the user then removes the typed in content? When the form is submitted the input looks like this, and keeps looking like this until the form is submitted again:

      <input type="text" value="someValue" defaultvalue="From" />

    So I need to show the default value in the input-field right after the user has deleted the content in the field, and removed the focus from the field.

    Does everyone understand what my problem is? Otherwise just ask, I have struggled with this one for quite some time now, so any help will be greatly appreciated. Thanks in advance, Kim Andersen


  • How do i deserialize an object with pyYaml using safe_load?

    - by systempuntoout
    Having a snippet like this:

      import yaml

      class User(object):
          def __init__(self, name, surname):
              self.name = name
              self.surname = surname

      user = User('spam', 'eggs')
      serialized_user = yaml.dump(user)
      deserialized_user = yaml.load(serialized_user)
      print "name: %s, surname %s" % (deserialized_user.name, deserialized_user.surname)

    Yaml docs say that it is not safe to call yaml.load with any data received from an untrusted source; so, what do I need to modify in my snippet/class to use the safe_load method? Is it possible?


  • What is the best way to use a SSRS report viewer in a WPF application using MVVM

    - by Emad
    I have a WPF application using MVVM. I have some user controls that show some SSRS reports in a ReportViewer control hosted within a windows forms host control. The User Control has a simple combobox where the user selects a criteria and therefore the report satisfying this criteria will be loaded, its data fetched from the database and then the report is shown to the user. What is the best approach to implement such scenario in WPF using MVVM? Any samples are greatly appreciated


  • Ruby 'if' condition in rjs

    - by ash34
    Hi, I want to insert a user in the userlist only if the user object (@row) is not nil. How do I do the insert conditionally in an rjs template?

      page.insert_html :bottom, :userlist, render(:partial => "user", :locals => { :user => @row, :myid => @row.id })

    thanks much.


  • Using OpenID as the only authentication method

    - by iconiK
    I have read the other questions and they mostly talk about the security of doing so. That's not entirely my concern, mostly because the website in question is a browser-based game. However, the larger issue is the user - not every user is literate enough to understand OpenID. Sure RPX makes this pretty easy, which is what I'll use, but what if the user does not have an account at Google or Facebook or whatever, or does not trust the system to log in with an existing account? They'd have to get an account at another provider - I'm sure most will know how to do it, let alone be bothered to do it. There is also the problem of how to manage it in the application. A user might want to use multiple identities with a single account, so it's not as simple as username + password to deal with. How do I store the OpenID identities of a user in the database? Using OpenID gives me a benefit too: RPX can provide extensive profile information, so I can just prefill the profile form and ask the user to edit as required. I currently have this:

      UserID  Email
      ------  ---------------
      86000   [email protected]
      86001   [email protected]

      UserOpenID  OpenID
      ----------  ------
      86000       16733
      86001       16839
      86002       19361

      OpenID  Provider  Identifier
      ------  --------  ----------------
      16733   Yahoo     https:\\me.yahoo.com\bob#d36bd
      16839   Yahoo     https:\\me.yahoo.com\bigbobby#x75af
      19361   Yahoo     https:\\me.yahoo.com\alice#c19fd

    Is that the right way to store OpenID identifiers in the database? How would I match the identifier RPX gave me with one in the database to log in the user (if the identifier is known). So here are concrete questions:

      1. How would I make it accessible to users not having an OpenID or not wanting to use one? (security concerns over say, logging in with their Google account for example)
      2. How do I store the identifier in the database? (I'm not sure if the tables above are right)
      3. What measures do I need to take in order to prevent someone from logging in as another user and happily doing anything with their account? (as I understand RPX sends the identifier via HTTP, so what anyone would have to do is to just somehow grab it then enter it in the "OpenID" field)
      4. What else do I need to be aware of when using OpenID?


  • How to ignore blank elements in linq query

    - by Maestro1024
    I have a linq query

      var usersInDatabase = from user in licenseUserTable
                            where user.FirstName == first_name && user.LastName == last_name
                            select user;

    But if I get here and first_name or last_name is blank then I want to still evaluate the other data item.


  • Delete manytomanyfield in Django

    - by Mike
    I have the following models

      class Database(models.Model):
          user = models.ForeignKey(User)
          name = models.CharField(max_length=100)
          created = models.DateTimeField(auto_now_add=True)
          updated = models.DateTimeField(auto_now=True)

      class DatabaseUser(models.Model):
          user = models.ForeignKey(User)
          name = models.CharField(max_length=100)
          password = models.CharField(max_length=100)
          database = models.ManyToManyField(Database)
          created = models.DateTimeField(auto_now_add=True)
          updated = models.DateTimeField(auto_now=True)

    One DatabaseUser can have many Databases under its control. The issue I have is that if I go to delete a Database it wants to delete the DatabaseUser also.. Is there a way to stop this from happening easily?


  • How to deserialize an object with pyYaml using safe_load?

    - by systempuntoout
    Having a snippet like this:

      import yaml

      class User(object):
          def __init__(self, name, surname):
              self.name = name
              self.surname = surname

      user = User('spam', 'eggs')
      serialized_user = yaml.dump(user)
      # Network
      deserialized_user = yaml.load(serialized_user)
      print "name: %s, sname: %s" % (deserialized_user.name, deserialized_user.surname)

    Yaml docs say that it is not safe to call yaml.load with any data received from an untrusted source; so, what do I need to modify in my snippet/class to use the safe_load method? Is it possible?


  • management users with Zend_Auth and Zend_Session

    - by user1400
    I want to use Zend_Auth and Zend_Session to save user sessions and login information. What's the easiest and best way to implement the following items:

      1. Disallow multiple concurrent logins for the specific user
      2. List all users currently logged in
      3. Admin could log out a specific user or destroy a specific session

    Is there any special ZF or PHP API or library that can do the above? thanks


  • PHP Sort Array based on values in another.....

    - by Fearghal
    Need some help regarding array sorting.... I have two arrays. The main one (where the key is the user id):

      $user[31] = 'Tom';
      $user[43] = 'Jane';

    and another array with the order they should be displayed (where key is the order and value is the user id):

      $order[1] = 43;
      $order[2] = 31;

    How can I apply the ordering to the main array using the ordering one? Thanks guys!


  • Django authentication

    - by webvulture
    In my base.html file, I am using

      {% if user.is_authenticated %}
          <a href="#">{{ user.username }}</a>
      {% else %}
          <a href="/acc/login/">log in</a>
      {% endif %}

    Here, even if the user is logged in, the log in button shows up. Now when I click on the log in link, it shows the username and also the normal login view, saying user is logged in. So, what's wrong?


  • Using Hibernate to do a query involving two tables

    - by Nathan Spears
    I'm inexperienced with sql in general, so using Hibernate is like looking for an answer before I know exactly what the question is. Please feel free to correct any misunderstandings I have. I am on a project where I have to use Hibernate. Most of what I am doing is pretty basic and I could copy and modify. Now I would like to do something different and I'm not sure how configuration and syntax need to come together. Let's say I have two tables. Table A has two (relevant) columns, user GUID and manager GUID. Obviously managers can have more than one user under them, so queries on manager can return more than one row. Additionally, a manager can be managing the same user on multiple projects, so the same user can be returned multiple times for the same manager query. Table B has two columns, user GUID and user full name. One-to-one mapping there. I want to do a query on manager GUID from Table A, group them by unique User GUID (so the same User isn't in the results twice), then return those users' full names from Table B. I could do this in sql without too much trouble but I want to use Hibernate so I don't have to parse the sql results by hand. That's one of the points of using Hibernate, isn't it? Right now I have Hibernate mappings that map each column in Table A to a field (well the get/set methods I guess) in a DAO object that I wrote just to hold that Table's data. I could also use the Hibernate DAOs I have to access each table separately and do each of the things I mentioned above in separate steps, but that would be less efficient (I assume) that doing one query. I wrote a Service object to hold the data that gets returned from the query (my example is simplified - I'm going to keep some other data from Table A and get multiple columns from Table B) but I'm at a loss for how to write a DAO that can do the join, or use the DAOs I have to do the join. 
    FYI, here is a sample of my hibernate config file (simplified to match my example):

      <hibernate-mapping package="com.my.dao">
          <class name="TableA" table="table_a">
              <id name="pkIndex" column="pk_index" />
              <property name="userGuid" column="user_guid" />
              <property name="managerGuid" column="manager_guid" />
          </class>
      </hibernate-mapping>

    So then I have a DAOImplementation class that does queries and returns lists like

      public List<TableA> findByHQL(String hql, Map<String, String> params)

    etc. I'm not sure how "best practice" that is either.


  • Jersey Rest : How to send Object to a Jersey Service class

    - by Preethi Jain
    I have this functionality in my Application implemented using Jersey Rest WebServices. Once the user is logged into the application, I am creating a DTO Object and setting some User Specific Data inside it. Please let me know how I can pass this User Specific DTO Object to the Jersey Service class? Please note that I don't want to use HttpSession to store Data (because in our Application we have a facility where a User can enter with Multiple IDs in one browser, as a result the same sessionId will be created by the browser).


  • fast retrieval from MYSQL DB

    - by trojanwarrior3000
    I have a table of users - it contains around millions of rows (user-id is the primary key). I just want to retrieve user-id and their joining date. Using "select user-id,joining date from table user" requires a lot of time. Is there a fast way to query/retrieve the same data from this table?


  • Get selected Value from dropdownlist after submit?

    - by sam
    Hi guys, I populate a dropdownlist in ASP.NET webforms:

      <asp:DropDownList runat="server" ID="salesman"></asp:DropDownList>

      users = Buslayer.GetSalesRep();
      foreach (userentity user in users)
      {
          salesman.Items.Add(new ListItem(user.FirstName + " " + user.LastName, user.UserID.ToString()));
      }

    After submission, I am still getting selected index = 0. I tried all of this:

      Response.Write("" + salesman.SelectedValue);
      Response.Write("" + salesman.SelectedItem.Value);
      Response.Write("" + salesman.SelectedIndex);

    None works? thanks


  • Auto update the content in ASP.NET

    - by Zerotoinfinite
    I have to design a website where users can update their status, just like facebook and twitter and other social networking sites. Now my requirement is to refresh the feed with new user updates. Ex: when a new status comes, facebook automatically adds that on the top of the feed. On the other hand twitter shows the number of updates which are ready to be loaded. Both ways are acceptable to me.

    Now, I have to decide what is the best way to achieve this functionality. I am open to using ASP.NET. So I am confused: a regular repeater control with a timer and auto refresh, or some other way? (I am wondering that if I set the repeater to auto update and meanwhile a user is performing some action on any status, it will be lost.) Or do I need to change my framework from ASP.NET to ASP.NET MVC? (I am a little afraid of MVC as I have very little knowledge regarding it and I know it has a learning curve to master ajax/jQuery things.) Any suggestion how I can achieve it in a better and feasible way?

    EDIT1 I am not looking for code but I want advice on how to achieve this. Supporting URLs would be appreciated.

    EDIT2 I am open to jQuery which can regularly check the database and fill the section. But my concern is that if a user is updating any comment and the load/feed is automatically regenerated, their textbox text shouldn't disappear (just like facebook, twitter or LinkedIn).

    EDIT3 I have seen that on Stack Overflow when any other user has modified the question/answer, I get a notification that the question/answer was modified, and when I click on that notification only that section gets reloaded. I am curious to know how to achieve this functionality, so that when a user is commenting on a status/post and meanwhile someone has updated the content, it would show the other user's comment.

    Edit4 Could someone please recommend me an example of ASP.NET MVC 3+ which can do a similar kind of activity (i.e. one input box, and once a user inserts text it will add the item to the list, with jQuery).


  • want to fetch the friends list of facebook thorough fbconnect in iphone using objective-c ?

    - by uttam
    How to fetch the friends list of facebook in iphone through fbconnect in objective-c? I am using this code

      - (void)getUserName {
          NSString *fql = [NSString localizedStringWithFormat:
              @"SELECT uid FROM user WHERE is_app_user = 1 AND uid IN (SELECT uid2 FROM friend WHERE uid1 = %lld)",
              [FBSession session].uid];
          NSDictionary* params = [NSDictionary dictionaryWithObject:fql forKey:@"query"];
          [[FBRequest requestWithDelegate:self] call:@"facebook.friends.get" params:params];
      }

      - (void)request:(FBRequest*)request didLoad:(id)result {
          if ([request.method isEqualToString:@"facebook.fql.query"]) {
              NSArray* users = result;
              NSDictionary* user = [users objectAtIndex:0];
              NSString* name = [user objectForKey:@"name"];
              _label.text = [NSString stringWithFormat:@"Logged in as %@", name];
          } else if ([request.method isEqualToString:@"facebook.users.setStatus"]) {
              NSString* success = result;
              if ([success isEqualToString:@"1"]) {
                  _label.text = [NSString stringWithFormat:@"Status successfully set"];
              } else {
                  _label.text = [NSString stringWithFormat:@"Problem setting status"];
              }
          } else if ([request.method isEqualToString:@"facebook.friends.get"]) {
              if (myList == nil) {
                  NSArray* users = result;
                  myList = [[NSArray alloc] initWithArray:users];
                  for (NSInteger i = 0; i < [users count]; i++) {
                      NSDictionary* user = [users objectAtIndex:i];
                      NSString* uid = [user objectForKey:@"uid"];
                      NSString* fql = [NSString stringWithFormat:@"select name from user where uid == %@", uid];
                      NSDictionary* params = [NSDictionary dictionaryWithObject:fql forKey:@"query"];
                      [[FBRequest requestWithDelegate:self] call:@"facebook.fql.query" params:params];
                  }
              } else {
                  NSArray* users = result;
                  NSDictionary* user = [users objectAtIndex:0];
                  NSString* name = [user objectForKey:@"name"];
                  //txtView.text=[NSString localizedStringWithFormat:@"%@%@,\n",txtView.text,name];
                  // Pass the name as an argument, never as the format string itself.
                  NSLog(@"%@", name);
              }
          }
      }

    I want to get the friends list from facebook and then search/modify then add it to my addressbook.

    I know this code is doing this but I don't know how to use it or where do I use it.. If you could please post something or just elaborate on how do I use your code thru fbconnect framework. I have implemented up to get permissions and publish feeds to one's wall. But please can you post here about the layout details of the results, like what do I need to use on the layout point of view.


  • MVC 2 AntiForgeryToken - Why symmetric encryption + IPrinciple?

    - by Brad R
    We recently updated our solution to MVC 2, and this has updated the way that the AntiForgeryToken works. Unfortunately this does not fit with our AJAX framework any more. The problem is that MVC 2 now uses symmetric encryption to encode some properties about the user, including the user's Name property (from IPrincipal). We are able to securely register a new user using AJAX, after which subsequent AJAX calls will be invalid as the anti forgery token will change when the user has been granted a new principal. There are also other cases when this may happen, such as a user updating their name etc. My main question is why does MVC 2 even bother using symmetric encryption? Any then why does it care about the user name property on the principal? If my understanding is correct then any random shared secret will do. The basic principle is that the user will be sent a cookie with some specific data (HttpOnly!). This cookie is then required to match a form variable sent back with each request that may have side effects (POST's usually). Since this is only meant to protect from cross site attacks it is easy to craft up a response that would easily pass the test, but only if you had full access to the cookie. Since a cross site attacker is not going to have access to your user cookies you are protected. By using symmetric encryption, what is the advantage in checking the contents of the cookie? That is, if I already have sent an HttpOnly cookie the attacker cannot override it (unless a browser has a major security issue), so why do I then need to check it again? After having a think about it it appears to be one of those 'added layer of security' cases - but if your first line of defence has fallen (HttpOnly) then the attacker is going to get past the second layer anyway as they have full access to the users cookie collection, and could just impersonate them directly, instead of using an indirect XSS/CSRF attack. 
Of course I could be missing a major issue, but I haven't found it yet. If there are some obvious or subtle issues at play here then I would like to be aware of them.

