Search Results

Search found 1485 results on 60 pages for 'encrypted'.

Page 54/60 | < Previous Page | 50 51 52 53 54 55 56 57 58 59 60  | Next Page >

  • C# Byte[] to Url Friendly String

    - by LorenVS
    Hello, I'm working on a quick captcha generator for a simple site I'm putting together, and I'm hoping to pass an encrypted key in the url of the page. I could probably do this as a query string parameter easy enough, but I'm hoping not too (just because nothing else runs off the query string)... My encryption code produces a byte[], which is then transformed using Convert.ToBase64String(byte[]) into a string. This string, however, is still not quite url friendly, as it can contain things like '/' and '='. Does anyone know of a better function in the .NET framework to convert a byte array to a url friendly string? I know all about System.Web.HttpUtility.UrlEncode() and its equivalents, however, they only work properly with query string parameters. If I url encode an '=' inside of the path, my web server brings back a 400 Bad Request error. Anyways, not a critical issue, but hoping someone can give me a nice solution **EDIT: Just to be absolutely sure exactly what I'm doing with the string, I figured I would supply a little more information. The byte[] that results from my encryption algorithm should be fed through some sort of algorithm to make it into a url friendly string. After this, it becomes the content of an XElement, which is then used as the source document for an XSLT transformation, and is used as a part of the href attribute for an anchor. I don't believe the xslt transformation is causing the issues, since what is coming through on the path appears to be an encoded query string parameter, but causes the HTTP 400 I've also tried HttpUtility.UrlPathEncode() on a base64 string, but that doesn't seem to do the trick either (I still end up with '/'s in my url)**

    Read the article

  • BN_hex2bn magically segfaults in openSSL

    - by xunil154
    Greetings, this is my first post on stackoverflow, and i'm sorry if its a bit long. I'm trying to build a handshake protocol for my own project and am having issues with the server converting the clients RSA's public key to a Bignum. It works in my clent code, but the server segfaults when attempting to convert the hex value of the clients public RSA to a bignum. I have already checked that there is no garbidge before or after the RSA data, and have looked online, but i'm stuck. header segment: typedef struct KEYS { RSA *serv; char* serv_pub; int pub_size; RSA *clnt; } KEYS; KEYS keys; Initializing function: // Generates and validates the servers key /* code for generating server RSA left out, it's working */ //Set client exponent keys.clnt = 0; keys.clnt = RSA_new(); BN_dec2bn(&keys.clnt->e, RSA_E_S); // RSA_E_S contains the public exponent Problem code (in Network::server_handshake): // *Recieved an encrypted message from the network and decrypt into 'buffer' (1024 byte long)* cout << "Assigning clients RSA" << endl; // I have verified that 'buffer' contains the proper key if (BN_hex2bn(&keys.clnt->n, buffer) < 0) { Error("ERROR reading server RSA"); } cout << "clients RSA has been assigned" << endl; The program segfaults at BN_hex2bn(&keys.clnt->n, buffer) with the error (valgrind output) Invalid read of size 8 at 0x50DBF9F: BN_hex2bn (in /usr/lib/libcrypto.so.0.9.8) by 0x40F23E: Network::server_handshake() (Network.cpp:177) by 0x40EF42: Network::startNet() (Network.cpp:126) by 0x403C38: main (server.cpp:51) Address 0x20 is not stack'd, malloc'd or (recently) free'd Process terminating with default action of signal 11 (SIGSEGV) Access not within mapped region at address 0x20 at 0x50DBF9F: BN_hex2bn (in /usr/lib/libcrypto.so.0.9.8) And I don't know why it is, Im using the exact same code in the client program, and it works just fine. Any input is greatly appriciated!

    Read the article

  • RSA_sign and RSACryptoProvider.VerifySignature

    - by Miky D
    I'm trying to get up to speed on how to get some code that uses OpenSSL for cryptography, to play nice with another program that I'm writing in C#, using the Microsoft cryptography providers available in .NET. More to the point, I'm trying to have the C# program verify an RSA message signature generated by the OpenSSL code. The code that generates the signature looks something like this: // Code in C, using the OpenSSL RSA implementation char msgToSign[] = "Hello World"; // the message to be signed char signature[RSA_size(rsa)]; // buffer that will hold signature int slen = 0; // will contain signature size // rsa is an OpenSSL RSA context, that's loaded with the public/private key pair memset(signature, 0, sizeof(signature)); RSA_sign(NID_sha1 , (unsigned char*)msgToSign , strlen(msgToSign) , signature , &slen , rsa); // now signature contains the message signature // and can be verified using the RSA_verify counterpart // .. I would like to verify the signature in C# In C#, I would do the following: import the other side's public key into an RSACryptoServiceProvider object receive the message and it's signature try to verify the signature I've got the first two parts working (I've verified that the public key is loading properly because I managed to send an RSA encrypted text from the C# code to the OpenSSL code in C and successfully have it decrypted) In order to verify the signature in C#, I've tried using the: VerifySignature method of the RSACryptoServiceProvider but that didn't work. And digging around the internet I was only able to find some vague information pointing out that .NET uses a different method for generating the signature than OpenSSL does. So, does anybody know how to accomplish this?

    Read the article

  • "Downloading" a computed value form JavaScript

    - by Travis Jensen
    I'm hoping you can prove me wrong here (please, please, please! ;). I have a situation where I need to download encrypted data from a Server D (for "Data"). Server K (for "Key") has the encryption key. For security sake, I would really prefer that Server D never know the key that Server K knows. What I want is my client (e.g. your browser) to connect to Server D for the data and Server K for the key and doe the decryption locally so the unencrypted stuff never leaves your computer. I can do this fine for text areas in the dom by replacing the contents of the HTML. However, sometimes, I would like to do larger files that I stream to the file system. For instance, perhaps I want to encrypt a movie and decrypt it and stream the contents to the my video player. I am not a JavaScript guru by any stretch, especially when it comes to the edge cases of things like the security sandbox. For Small D, I can handle the decryption, but I don't know how to save the decrypted file. Large D seems problematic as memory runs out. Anybody have any ideas that don't involve native plugins? Thanks!

    Read the article

  • Python IOError: Not a gzipped file (Gzip and Blowfish Encrypt/Compress)

    - by notbad.jpeg
    I'm having some problems with python's built-in library gzip. Looked through almost every other stack question about it, and none of them seem to work. MY PROBLEM IS THAT WHEN I TRY TO DECOMPRESS I GET THE IOError I'm Getting: Traceback (most recent call last): File "mymodule.py", line 61, in return gz.read() File "/usr/lib/python2.7/gzip.py", line 245, readself._read(readsize) File "/usr/lib/python2.7/gzip.py", line 287, in _readself._read_gzip_header() File "/usr/lib/python2.7/gzip.py", line 181, in _read_gzip_header raise IOError, 'Not a gzipped file'IOError: Not a gzipped file This is my code to send it over SMB, it might not make sense why i do things, but it's normally in a while loop and memory efficient, I just simplified it. buffer = cStringIO.StringIO(output) #output is from a subprocess call small_buffer = cStringIO.StringIO() small_string = buffer.read() #need a string to write to buffer gzip_obj = gzip.GzipFile(fileobj=small_buffer,compresslevel=6, mode='wb') gzip_obj.write(small_string) compressed_str = small_buffer.getvalue() blowfish = Blowfish.new('abcd', Blowfish.MODE_ECB) remainder = '|'*(8 - (len(compressed_str) % 8)) compressed_str += remainder encrypted = blowfish.encrypt(compressed_str) #i send it over smb, then retrieve it later Then this is the code that retrieves it: #buffer is a cStringIO object filled with data from smb retrieval decrypter = Blowfish.new('abcd', Blowfish.MODE_ECB) value = buffer.getvalue() decrypted = decrypter.decrypt(value) buff = cStringIO.StringIO(decrypted) buff.seek(0) gz = gzip.GzipFile(fileobj=buff) return gz.read() Here's the problem return gz.read()

    Read the article

  • wcf trying to set up tracing to debug, not writing to log file

    - by joey j
    here's my web.config, running a WCF service in an application on IIS7, but nothing is being written to the specified file. permission on the file has been granted for everyone. </listeners> I can add a service reference just fine. I then try to call the service from a windows app and, after a few minutes, get an error on the machine running the windows app "Client is unable to finish the security negotiation within the configured timeout (00:00:00). The current negotiation leg is 1 (00:00:00)." but absolutely nothing is written to the trace log file specified in config. Is there something else I need to do to enable tracing? thanks for your help EDIT: "sources" section now matches the section recommended here: http://msdn.microsoft.com/en-us/library/aa702726.aspx I've added the "diagnostics and the event viewer shows: "Message Logging has been turned on. Sensitive information may be logged in the clear, even if it was encrypted on the wire: for example, message bodies. Process Name: w3wp Process ID: 1784 " but the log file is still empty

    Read the article

  • How to achieve high availability?

    - by tanyehzheng
    My boss wants to have a system that takes into concern of continent wide catastrophic event. He wants to have two servers in US and two servers in Asia (1 login server and 1 worker server in each continent). In the event that earthquake breaks the connection between the two continents, both should work alone. When the connection is revived, they should sync each other back to normal. External cloud system not allowed as he has no confidence. The system should take into account of scalability which means addition of new servers should be easy to configure. The servers should be load balanced. The connection between the servers should be very secure(encrypted and send through SSL although SSL takes care of encryption). The system should let one and only one user log in with one account. (beware of latency between continent and two users sharing account may reach both login server at the same time) Please help. I'm already at the end of my wit. Thank you in advance.

    Read the article

  • Encrypt a file base upon a pregenerated "key" C#

    - by Anubis
    Hello everyone. I'm trying to determine the best course of action to implement a simple "licensing" system with a partner of mine. The concept is: Generate an encrypted value based upon several internal hardware components. Have the customer send this value to us which we will implement into our key generator. Once we have that, we add any other restrictions on the license (user, expires, etc.). From there we generate a file which we send to the customer they can add to their installation and voila, happy people about. I have the first part all done. My next part is trying to figure out which encryption methodology I would need to use. I already know Symmetric Encryption is pretty much the only route I can take. Most of the information I have found involves .NET already creating a key from its own internal methods. That's a bit of background, my question is: "Which encryption method could I use which would allow me to encrypt the restrictions based upon the "id" I was given from the customer's computer?" I'm writing this in C# by the way. Any ideas would be greatly appreciated! Take Care!

    Read the article

  • How to compare 2 lists and merge them in Python/MySQL?

    - by NJTechGuy
    I want to merge data. Following are my MySQL tables. I want to use Python to traverse though a list of both Lists (one with dupe = 'x' and other with null dupes). For instance : a b c d e f key dupe -------------------- 1 d c f k l 1 x 2 g h j 1 3 i h u u 2 4 u r t 2 x From the above sample table, the desired output is : a b c d e f key dupe -------------------- 2 g c h k j 1 3 i r h u u 2 What I have so far : import string, os, sys import MySQLdb from EncryptedFile import EncryptedFile enc = EncryptedFile( os.getenv("HOME") + '/.py-encrypted-file') user = enc.getValue("user") pw = enc.getValue("pw") db = MySQLdb.connect(host="127.0.0.1", user=user, passwd=pw,db=user) cursor = db.cursor() cursor2 = db.cursor() cursor.execute("select * from delThisTable where dupe is null") cursor2.execute("select * from delThisTable where dupe is not null") result = cursor.fetchall() result2 = cursor2.fetchall() for cursorFieldname in cursor.description: for cursorFieldname2 in cursor2.description: if cursorFieldname[0] == cursorFieldname2[0]: ### How do I compare the record with same key value and update the original row null field value with the non-null value from the duplicate? Please fill this void... cursor.close() cursor2.close() db.close() Thanks guys!

    Read the article

  • General String Encryption in .NET

    - by cryptospin
    I am looking for a general string encryption class in .NET. (Not to be confused with the 'SecureString' class.) I have started to come up with my own class, but thought there must be a .NET class that already allows you to encrypt/decrypt strings of any encoding with any Cryptographic Service Provider. Public Class SecureString Private key() As Byte Private iv() As Byte Private m_SecureString As String Public ReadOnly Property Encrypted() As String Get Return m_SecureString End Get End Property Public ReadOnly Property Decrypted() As String Get Return Decrypt(m_SecureString) End Get End Property Public Sub New(ByVal StringToSecure As String) If StringToSecure Is Nothing Then StringToSecure = "" m_SecureString = Encrypt(StringToSecure) End Sub Private Function Encrypt(ByVal StringToEncrypt As String) As String Dim result As String = "" Dim bytes() As Byte = Text.Encoding.UTF8.GetBytes(StringToEncrypt) Using provider As New AesCryptoServiceProvider() With provider .Mode = CipherMode.CBC .GenerateKey() .GenerateIV() key = .Key iv = .IV End With Using ms As New IO.MemoryStream Using cs As New CryptoStream(ms, provider.CreateEncryptor(), CryptoStreamMode.Write) cs.Write(bytes, 0, bytes.Length) cs.FlushFinalBlock() End Using result = Convert.ToBase64String(ms.ToArray()) End Using End Using Return result End Function Private Function Decrypt(ByVal StringToDecrypt As String) As String Dim result As String = "" Dim bytes() As Byte = Convert.FromBase64String(StringToDecrypt) Using provider As New AesCryptoServiceProvider() Using ms As New IO.MemoryStream Using cs As New CryptoStream(ms, provider.CreateDecryptor(key, iv), CryptoStreamMode.Write) cs.Write(bytes, 0, bytes.Length) cs.FlushFinalBlock() End Using result = Text.Encoding.UTF8.GetString(ms.ToArray()) End Using End Using Return result End Function End Class

    Read the article

  • how to edit a text message ( sms ) as it arrives in windows mobile 6 using managed code

    - by x86shadow
    I want to make an application to be installed on two pocket PCs and send Encrypted text messages and receive and decrypt them on the other device. I already made an application that gets special text messages ( starting with !farenc! ) and I know how to Encrypt/Decrypt the messages as well but I don't know how to edit a text message as it's arrive ( for decryption ). please help. thanks in advance and sorry for my bad English using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Drawing; using System.Text; using System.Windows.Forms; using Microsoft.WindowsMobile; using Microsoft.WindowsMobile.PocketOutlook; using Microsoft.WindowsMobile.PocketOutlook.MessageInterception; namespace SMSDECRYPT { public partial class Form1 : Form { MessageInterceptor _SMSCatcher = new MessageInterceptor(InterceptionAction.Notify, true); MessageCondition _SMSFilter = new MessageCondition(); public Form1() { InitializeComponent(); _SMSFilter.Property = MessageProperty.Body; _SMSFilter.ComparisonType = MessagePropertyComparisonType.StartsWith; _SMSFilter.CaseSensitive = true; _SMSFilter.ComparisonValue = "!farenc!"; _SMSCatcher.MessageCondition = _SMSFilter; _SMSCatcher.MessageReceived += new MessageInterceptorEventHandler(_SMSCatcher_MessageReceived); } private void Form1_Load(object sender, EventArgs e) { //... } void _SMSCatcher_MessageReceived(object sender, MessageInterceptorEventArgs e) { SmsMessage mySMS = (SmsMessage)e.Message; string sms = mySMS.Body.ToString(); sms = sms.Substring(8); //Decryption //... //Update the received message and replace it with the decrypted text //!!!HELP!!! } } }

    Read the article

  • Are there more secure alternatives to the .Net SQLConnection class?

    - by KeyboardMonkey
    Hi SO people, I'm very surprised this issue hasn't been discussed in-depth: This article tells us how to use windbg to dump a running .Net process strings in memory. I spent much time researching the SecureString class, which uses unmanaged pinned memory blocks, and keeps the data encrypted too. Great stuff. The problem comes in when you use it's value, and assign it to the SQLConnection.ConnectionString property, which is of the System.String type. What does this mean? Well... It's stored in plain text Garbage Collection moves it around, leaving copies in memory It can be read with windbg memory dumps That totally negates the SecureString functionality! On top of that, the SQLConnection class is non-inheritable, I can't even roll my own with a SecureString property instead; Yay for closed-source. Yay. A new DAL layer is in progress, but for a new major version and for so many users it will be at least 2 years before every user is upgraded, others might stay on the old version indefinitely, for whatever reason. Because of the frequency the connection is used, marshalling from a SecureString won't help, since the immutable old copies stick in memory until GC comes around. Integrated Windows security isn't an option, since some clients don't work on domains, and other roam and connect over the net. How can I secure the connection string, in memory, so it can't be viewed with windbg?

    Read the article

  • Using PHP and cURL to login to indyarocks.com

    - by Divya
    I am new to cURL and don't know much about it. I basically want to login to my account on www.indyarocks.com through libcurl for PHP. I don't know what type of authentication it uses (I don't know how to find that out.). When I go to http://www.indyarocks.com, I get a login form which asks for my username and password. I put in my username and password and click login and everything is good. I tried to automate this using cURL. This is a snippet of my code. curl_setopt($curl_connection, CURLOPT_URL, "http://www.indyarocks.com/loginchk.php"); curl_setopt($curl_connection, CURLOPT_POST, 1); curl_setopt($curl_connection, CURLOPT_HTTPAUTH, CURLAUTH_ANY); curl_setopt($curl_connection, CURLOPT_USERPWD, $username.':'.$password); I looked at the source of the login page and found out the address of the page to which the username and password are sent (the action attribute of the form) which is "http://www.indyarocks.com/loginchk.php" and set it as the target url. When I run this, I get username or password is wrong error and the login fails. My username and password is correct. I don't know what the problem is. Can the password be encrypted? Can that be responsible for this failure? Please help me get around this problem. I'll be really thankful. Thanks in advance.

    Read the article

  • Codeigniter Session Data not available in other pages after login

    - by jswat
    So, I have set up a login page that verifies the user's credentials, and then sets codeigniter session data 'email' and 'is_logged_in' and a few other items. The first page after the login, the data is accessible. After that page, I can no longer access the session data. In fact, if I try reloading that first page, the session data is gone. I have tried storing it in the database, storing it unencrypted (bad idea I know, but it was for troubleshooting), and storing it encrypted. I have autoloaded the session library in config.php. Here's an example of the code I'm using to set the session data: $data = array( 'email' => $this->input->post('username'), 'is_logged_in' => true ); $this->session->set_userdata($data); And to retrieve it, I'm using : $this->session->userdata('email'); Or $this->session->userdata('is_logged_in'); I've done lots of work with PHP and cookies, and sessions before, but this is my first project with Codeigniter and I'm perplexed. Could it have something to do with directory issues? I have the login page and process controlled by a 'login' controller, and then it redirects to a 'site' controller. Thanks for your help, and please let me know if I need to clarify anything.

    Read the article

  • How to avoid hard-coded credentials in Sharepoint webpart?

    - by Bryan
    I am building a Sharepoint web part that will be used by all users, but can only be modified by admins. The web part connects to a web service which needs credentials. I hard coded credentials in the web part's code. query.Credentials = new System.Net.NetworkCredential("username", "password", "domain"); query is an instance of the web service class This may not be a good approach. In regard with security, the source code of the web apart is available to people who are not allowed to see the credentials. In normal ASP.net applications, credentials can be written into web.config and encrypted. A web part doesn't have a .config file associated. There is a application-level .config file for the whole sharepoint site, but I don't want to modify it for a single webpart. I wonder if there is a webpart-specific way to solve the credential problem? Say we provide a WebBrowsable property of that web part so that privileged users can modify credentials. If this is desirable, how should I make the property displayed in a password ("*") rather than in plain text? Thanks.

    Read the article

  • How can I edit an incoming text message (sms) as it arrives in windows mobile 6 using managed code

    - by x86shadow
    I want to make an application for pocket PCs to send and receive Encrypted text messages. I have already made an application that gets special text messages ( starting with !farenc! ) and I know how to Encrypt/Decrypt the messages as well. The problem is that I don't know how to edit a text message after it's arrived (for decryption). See code below for more info. using System; using System.Linq; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Drawing; using System.Text; using System.Windows.Forms; using Microsoft.WindowsMobile; using Microsoft.WindowsMobile.PocketOutlook; using Microsoft.WindowsMobile.PocketOutlook.MessageInterception; namespace SMSDECRYPT { public partial class Form1 : Form { MessageInterceptor _SMSCatcher = new MessageInterceptor(InterceptionAction.Notify, true); MessageCondition _SMSFilter = new MessageCondition(); public Form1() { InitializeComponent(); _SMSFilter.Property = MessageProperty.Body; _SMSFilter.ComparisonType = MessagePropertyComparisonType.StartsWith; _SMSFilter.CaseSensitive = true; _SMSFilter.ComparisonValue = "!farenc!"; _SMSCatcher.MessageCondition = _SMSFilter; _SMSCatcher.MessageReceived += new MessageInterceptorEventHandler(_SMSCatcher_MessageReceived); } private void Form1_Load(object sender, EventArgs e) { //... } void _SMSCatcher_MessageReceived(object sender, MessageInterceptorEventArgs e) { SmsMessage mySMS = (SmsMessage)e.Message; string sms = mySMS.Body.ToString(); sms = sms.Substring(8); //Decryption //... //Update the received message and replace it with the decrypted text //!!!HELP!!! } } }

    Read the article

  • Best practices for encrypting continuous/small UDP data

    - by temp
    Hello everyone, I am having an application where I have to send several small data per second through the network using UDP. The application need to send the data in real-time (no waiting). I want to encrypt these data and insure that what I am doing is as secure as possible. Since I am using UDP, there is no way to use SSL/TLS, so I have to encrypt each packet alone since the protocol is connectionless/unreliable/unregulated. Right now, I am using a 128-bit key derived from a passphrase from the user, and AES in CBC mode (PBE using AES-CBC). I decided to use a random salt with the passphrase to derive the 128-bit key (prevent dictionary attack on the passphrase), and of course use IVs (to prevent statistical analysis for packets). However I am concerned about few things: Each packet contains small amount of data (like a couple of integer values per packet) which will make the encrypted packets vulnerable to known-plaintext attacks (which will result in making it easier to crack the key). Also, since the encryption key is derived from a passphrase, this will make the key space way less (I know the salt will help, but I have to send the salt through the network once and anyone can get it). Given these two things, anyone can sniff and store the sent data, and try to crack the key. Although this process might take some time, once the key is cracked all the stored data will be decrypted, which will be a real problem for my application. So my question is, what is the best practices for sending/encrypting continuous small data using a connectionless protocol (UDP)? Is my way the best way to do it? ...flowed? ...Overkill? ... Please note that I am not asking for a 100% secure solution, as there is no such thing. Cheers

    Read the article

  • How do I add descriptive text to form link .gif ?

    - by erynion
    I want to make the descriptive text around a form link also open the form. I want to make it so you can click on "Some Text Here" (below) and open the form on somesomite.com just as if you clicked on the image below this text (somebut.gif, below) <DIV style="position: absolute; top:10px; right:10px; width:70px; height:25px"> <font color="white"><b>Some Text Here<b></font> </div> <DIV style="position: absolute; top:50px; right:10px; width:70px; height:25px"> <form action="https://www.somesite.com/cgi-bin/something" method="post"> <input type="hidden" name="cmd" value="_s-xclick"> <input type="image" src="https://www.somesite.com/somebut.gif" border="0" name="submit"> <input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----LONG_KEY...> </form> </div> Thanks

    Read the article

  • Best practices for encrytping continuous/small UDP data

    - by temp
    Hello everyone, I am having an application where I have to send several small data per second through the network using UDP. The application need to send the data in real-time (on waiting). I want to encrypt these data and insure that what I am doing is as secure as possible. Since I am using UDP, there is no way to use SSL/TLS, so I have to encrypt each packet alone since the protocol is connectionless/unreliable/unregulated. Right now, I am using a 128-bit key derived from a passphrase from the user, and AES in CBC mode (PBE using AES-CBC). I decided to use a random salt with the passphrase to derive the 128-bit key (prevent dictionary attack on the passphrase), and of course use IVs (to prevent statistical analysis for packets). However I am concerned about few things: Each packet contains small amount of data (like a couple of integer values per packet) which will make the encrypted packets vulnerable to known-plaintext attacks (which will result in making it easier to crack the key). Also, since the encryption key is derived from a passphrase, this will make the key space way less (I know the salt will help, but I have to send the salt through the network once and anyone can get it). Given these two things, anyone can sniff and store the sent data, and try to crack the key. Although this process might take some time, once the key is cracked all the stored data will be decrypted, which will be a real problem for my application. So my question is, what is the best practices for sending/encrypting continuous small data using a connectionless protocol (UDP)? Is my way the best way to do it? ...flowed? ...Overkill? ... Please note that I am not asking for a 100% secure solution, as there is no such thing. Cheers

    Read the article

  • Is encrypting session id (or other authenticate value) in cookie useful at all?

    - by Ji
    In web development, when session state is enabled, a session id is stored in cookie(in cookieless mode, query string will be used instead). In asp.net, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including session id. I can understand why you want to encrypt private info such as DOB, but any private info should not be stored in cookie at first place. So for other cookie values such as session id, what is the purpose encryption? Does it add security at all? no matter how you secure it, it will be sent back to server for decryption. Be be more specific, For authentication purpose, turn off session, i don't want to deal with session time out any more store some sort of id value in the cookie, on the server side, check if the id value exists and matches, if it is, authenticate user. let the cookie value expire when browser session is ended, this way. vs Asp.net form authentication mechanism (it relies on session or session id, i think) does latter one offer better security?

    Read the article

  • Best Practice: Protecting Personally Identifiable Data in a ASP.NET / SQL Server 2008 Environment

    - by William
    Thanks to a SQL injection vulnerability found last week, some of my recommendations are being investigated at work. We recently re-did an application which stores personally identifiable information whose disclosure could lead to identity theft. While we read some of the data on a regular basis, the restricted data we only need a couple of times a year and then only two employees need it. I've read up on SQL Server 2008's encryption function, but I'm not convinced that's the route I want to go. My problem ultimately boils down to the fact that we're either using symmetric keys or assymetric keys encrypted by a symmetric key. Thus it seems like a SQL injection attack could lead to a data leak. I realize permissions should prevent that, permissions should also prevent the leaking in the first place. It seems to me the better method would be to asymmetrically encrypt the data in the web application. Then store the private key offline and have a fat client that they can run the few times a year they need to access the restricted data so the data could be decrypted on the client. This way, if the server get compromised, we don't leak old data although depending on what they do we may leak future data. I think the big disadvantage is this would require re-writing the web application and creating a new fat application (to pull the restricted data). Due to the recent problem, I can probably get the time allocated, so now would be the proper time to make the recommendation. Do you have a better suggestion? Which method would you recommend? More importantly why?

    Read the article

  • [C#] How to receive uncrackable data or so ? ;P

    - by Prix
    Hi, I am working on an C# application to communicate with my website and retrieve some information from it, using SSL which is working just fine. Now what i want/need is a way to receive encrypted or codified or obfuscated data that if some one cracks my application they will not be able to decrypt the data because it needs something from the server (api, website) but yet the application needs to decrypt it in order to use it... initally i was thinking of an inside RSA pair or keys, to send and receive the encrypt data but let's consider that someone has cracked the application, they could just replace those keys for keys they have made, so i was looking into some methods but havent found or been able to think of any way to harder this... I was learning about RSA, encryption and such and started developing this as a self learning and got involved with it and now i am trying to figure out a way to receive data like that... I have considered obfuscating and compiling my code with packers and etc but this is not about packing it etc... i am more interested in knowing a better way to secure what i described i know it may or is impossible but yet i am looking forward to some approch. I would appreciate advices, suggestions and C# code samples, if you need more information or anything please let me know.

    Read the article

  • Ruby on Rails login using legacy user database

    - by ricsmania
    Hello, I have a Rails application that connects to a legacy database (Oracle) and displays some information from a particular user. Right now the user is passed as a URL parameter, but this has obvious security issues because users should only be able to see their own data. To solve that, I want to implement a user login, and I did some research and came across 2 components for that, restful_authentication and authlogic. The problem is that I need to use an existing user/password database instead of creating a new one, which is the common way to use those components. The password is encrypted by a custom Oracle package, but let's assume it is stored as plain text to make things simpler. I only need very basic functionality, which is login a user and keep them logged in forever until logout. No changes to the database will be made by this application, so there's no need for sign up, e-mail activation, reset password, etc. Can someone point me in the right direction on how to do that? Is any of those 2 components a good solution? If not, what would be recommended? Thanks!

    Read the article

  • Python-based password tracker (or dictionary)

    - by Arrieta
    Hello: Where we work we need to remember about 10 long passwords which need to change every so often. I would like to create a utility which can potentially save these passwords in an encrypted file so that we can keep track of them. I can think of some sort of dictionary passwd = {'host1':'pass1', 'host2':'pass2'}, etc, but I don't know what to do about encryption (absolutely zero experience in the topic). So, my question is really two questions: Is there a Linux-based utility which lets you do that? If you were to program it in Python, how would you go about it? A perk of approach two, would be for the software to update the ssh public keys after the password has been changed (you know the pain of updating ~15 tokens once you change your password). As it can be expected, I have zero control over the actual network configuration and the management of scp keys. I can only hope to provide a simple utility to me an my very few coworkers so that, if we need to, we can retrieve a password on demand. Cheers.

    Read the article

  • Why doesn't this short php script send email?

    - by RoryG
    I can't seem to get my php script to send email. <?php echo "Does this page work?"; mail('my email address', 'test subject', 'test message'); ?> First, I have set the mail function settings in the php.ini file as follows: I checked my email account settings on outlook. It does not require authentication, its port is 25, and its type of encrypted connection is 'Auto'. Given this I configured my php.ini file accordingly: SMTP = ssl://smtp1.iis.com smtp_port = 25 Then I set: sendmail_from: my email address The echo statement prints out in the browser, so I know the php file is recognized and processed. But the browser also shows the following error: Warning: mail() [function.mail]: "sendmail_from" not set in php.ini or custom "From:" header missing in C:\xampp\htdocs\mailtest.php on line 3 I have clearly set the sendmail_from so I don't know what else to do. I have also tried removing the 'ssl://' part from the SMTP setting in the php.ini file, and configuring the php5.ini file. Which of these .ini files should I be configuring anyways?

    Read the article

< Previous Page | 50 51 52 53 54 55 56 57 58 59 60  | Next Page >