Search Results

Search found 2316 results on 93 pages for 'credentials'.

Page 60/93 | < Previous Page | 56 57 58 59 60 61 62 63 64 65 66 67 | Next Page >

Replay attacks for HTTPS requests

- by MatthewMartin

Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials-- on replay of the entire request (including session and auth cookies) the security tester is able to succesfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability. What would a malicious user have to do to intercept the HTTPS request and replay it? It this a task for script kiddies, well funded military hacking teams or time-traveling-alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire? No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading a image with a malicious URL isn't an issue.

Read the article
IE 8 Errors for Group Permissions for access

- by Jeff P.

Hello, The company I work for is about to begin testing for a transition from IE6 to IE8. One of our main concerns is about using permissions to control intranet access to internal sites,etc. This was a problem we encountered during testing for IE7 and scrapped it all together. However, IE6 has more than its foot in the grave, its head is peeking out. Microsoft is only supporting IE6 until 2014 when they also abandon support for Windows XP. IE7 just came up with a box asking for you to enter your credentials. It didn't matter if you had permissions, it always said access denied. We have yet to begin testing but I was hoping someone has encountered this issue as well and may be able to shed some light on the subject.

Read the article
Servlet Session - switch from URL Rewriting to Cookie

- by lajuette

Situation: I have a "dumb" Javascript frontend that can contact some kind of SSO middleware (MW). The MW can obtain sessions by issuing requests that contain authentication credentials (username, password). I.e. the session will be created for a certain user. My frontend needs to "restart" the session to gain the user's permissions to the target system. For that i need a valid session cookie. The target system is not under my control (could be a more or less public WFS, WMS, etc.), so i cannot add any SSO mechanism to it. Question: Is it possible to "steal" a Session forging a request which URL contains a valid session ID in the jsessionid parameter? Goal : Issue such a request to a Servlet and make it respond with a Set-Cookie header that contains the same id. That way the frontend joins the session and may do whatever the user, which was used to create the session, is able to do.

Read the article
can't login to phpmyadmin

- by user574383

Hi, i am new at linux but i need phpmyadmin on my centos server. I did this: cd /var/www/html/ (document root of apache) wget http://sourceforge.net/projects/phpmyadmin/path/to/latest/version tar xvfz phpMyAdmin-3.3.9-all-languages.tar.gz mv phpMyAdmin-3.3.9-all-languages phpmyadmin rm phpMyAdmin-3.3.9-all-languages.tar.gz cd phpmyadmin/ cp config.sample.inc.php config.inc.php Ok so then i just got to a webbrowser and go to www.$ip/phpmyadmin and i am presented with a login screen asking for username and password. How can i get these credentials to log in? I'd like to log in as root i guess. But i don't know how to setup a root account and create a password for root using the cli and mysql. Please help? Thanks.

Read the article
is JsonP working with Opera, Chrome & Safari ?

- by Tom

Hi, On a web site that I am building , when you log in (because the database is on an other server), I use json padding to check if the user as the right credentials. It's working flawlessly (ie7,ie8 & FF), until I tried it on chrome, safari & opera where it's a complete disaster. $.ajax({ type: "GET", dataType: "jsonp", url: "http://someurl.com", data: aRequestData, cache: false, error: function (XMLHttpRequest, textStatus, errorThrown) { // typically only one of textStatus or errorThrown // will have info alert("Error occured textStatus=" + textStatus + " errorThrown=" + errorThrown); }, success: function(data) { alert('success'); } }); Plain and simple and it works in browser window, however, to my big surprise it did not work in chrome, safari & opera, never got to the success alert. Does anyone know how to solve this issue? Thanks.

Read the article
Verifying university membership/attendance via email address

- by mettadore

My client's web app allows members to sign up (Rails using AuthLogic) and those signups are limited in that they must be under the auspices of a university. To wit: A university organizer can sign up to be the representative of a university, and students can sign up as "attendees" of that university. I've been tasked with finding if there is a programmatic way to verify university membership/attendance. The only way I can see doing this is having a database of universities and a database of associated emails, and verifying that the student's email address is part of this database. That doesn't help if using Facebooker and AuthLogic's "sign up with Facebook credentials" ability, however. I suspect the answer to this is "via human intervention," and that this is something we can't solve programmatically. Either we, or the university, will have to bite the bullet and check records. However, I'd thought I'd ask if anyone else has run into the issue of verification of university membership before.

Read the article
Requesting information from the user inside a GTK main loop

- by Victor Stanciu

Hello, I am learning Python by building a simple PyGTK application that fetches data from some SVN repositories, using pysvn. The pysvn Client has a callback you can specify that it calls when Subversion needs authentication information for a repository. When that happens, I would like to open a dialog to ask the user for the credentials. The problem is, it seems the callback is called inside the GTK main loop, so it's basically called on every tick. Is there a way to prevent this? Perhaps by opening the dialog in a new thread? But then how do I return the tuple with the user data to the callback so it can return it to the pysvn.Client?

Read the article
Restfull authentication between two GAE apps.

- by user259349

Hello everyone, i am trying to write a restful google app engine application (python) that accepts requests only from another GAE that i wrote. I dont like any of the ways that i thought of to get this done, please advice if you know of something better than: Get SSL setup, and simply add the credentials on the request that my consuming app will send. I dont like it cause SSL will slow things down. Security by obsecurity. Pass a long number by my consuming app that is in Xmod0, where X is a secret number that both applications know. I just,,,, dont like this. Check the HTTP header to see where is the request coming from. This option is the one that i hate the least, not alot of processing, and spoofing an HTTP request is not really worth it, for my application's data. Is there any other clean solution for this?

Read the article
URL Encoding of Characters in a password field

- by Alavoil

I am trying to pass login credentials to a PHP script that I have in my iPhone app. When I pull a password with special characters the password is missing certain characters especially the percent sign. I am trying to encode the text but even before I send it, the percent sign is missing. //password_field is a UITextField holding the password: !@#$%^&*() NSString *tmpPass = [password_field.text stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding]; NSLog(p_field.text); NSLog(tmpPass); This is what appears in the console: !@#$^&*() [email protected]&*() Is there any reason why it would be dropping the percent sign?

Read the article
RESTFul, statelesness and sessions

- by Per Arneng

RESTFul service has a rule that it should be stateless. By beeing that it does not allow a session to be created and maintained by sending a session key between the client and the server and then holding a session state on the server. If i look at the definition in wikipedia of stateless server http://en.wikipedia.org/wiki/Stateless_server "A stateless server is a server that treats each request as an independent transaction that is unrelated to any previous request" It states that it should be unrelated to any previous request. In practice this means that any type of authentication will be comparing the credentials of a user to a state on the server that was created by a previous operation. So a service called login is related to and dependent on the state that has been created by previous requests (ex: create_user and/or change_password). In my view you are breaking statelessnes by doing authentication. My point is that people are complaining about having sessions in RESTFul is breaking statelesness but doing authentication is also breaking the same rule. What do you think?

Read the article
Determine if count of related model > 0

- by Lowgain

I have a model called Stem. I need a 'thumbs up' feature, so I have created a second model called Thumb, which consists of stem_id and user_id. I'm also using the restful authentication plugin for user credentials. I have the 'thumbs up' button working, which adds a row to the thumbs table fine, but I'd like to be able to check if the currently logged in user has already given a thumbs up to this particular stem. I tried adding this to the Stem model: def thumbed Thumb.count_by_sql ["SELECT COUNT(*) FROM thumbs WHERE user_id = ? AND stem_id = ?", current_user.id, self.id ] end The problem here is that the stem model has no access to the current_user variable the the controllers have. Is there a way I can get access to this property, or alternatively, is there another way I could go about checking this? I was hoping to get this as a property in the model because the stems are passed over to a Flex app using RubyAMF. Thanks!

Read the article
How do I authenticate a Twitter user and access the API without leaving my iPhone app?

- by thebossman

I'd like to allow users to send out Tweets from my iPhone app. That's all the functionality I need at the moment. From what I know of the Twitter API, there's a standard authentication mechanism, which allows the developer to include the user's name and password in the request string that the application sends to Twitter. This method will no longer be supported come June 30, 2010. Given the timeframe, the better other choice is oAuth. One of the caveats of oAuth is that it requires a UIWebView to pop up within the app to allow the user to enter his or her credentials or a PIN number. None of the Twitter apps on my phone do this, however: Tweetie, TweetDeck and Twitterific. I assume they're using the first authentication method, but it seems like Twitter wouldn't deprecate an API that would hurt the user experience across the board. There must be an alternative method--what am I missing?

Read the article
Calling https process from ASP Net

- by David M

I have an ASP NET web server application that calls another process running on the same box that creates a pdf file and returns it. The second process requires a secure connection via SSL. The second process has issued my ASP NET application with a digital certificate but I still cannot authenticate, getting a 403 error. The code is a little hard to show but here's a simplified method ... X509Certificate cert = X509Certificate.CreateFromCertFile("path\to\cert.cer"); string URL = "https://urltoservice?params=value"; HttpWebRequest req = HttpWebRequest.Create(URL) as HttpWebRequest; req.ClientCertificates.Add(cert); req.Credentials = CredentialCache.DefaultCredentials; req.PreAuthenticate = true; /// error happens here WebResponse resp = req.GetResponse(); Stream input = resp.GetResponseStream(); The error text is "The remote server returned an error: (403) Forbidden." Any pointers are welcome.

Read the article
Create, Delete and Use e-mail accounts within a website! Is it possible?

- by BitDrink

Hello! I'm developing an administration panel (in php), for a website (in a shared host), to let the administrator to manage the personal infos of the employees! With this panel should be possible to create or delete an e-mail account for an employee and if the employee logs in the admin panel, he/she should be able to access to his/her e-mail account! I had thought to install Horde WebMail on the website to let the employees use their e-mail accounts ... but how can I pass the login credentials to Horde? And what you suggest to create and delete the e-mails account that can be read by Horde? Any other suggestion is greatly appreciated! Thanks in advance!!! EDIT: Or are there better alternatives to Horde to accomplish, at least, the e-mail account access from within the web site?

Read the article
Is Eclipse Remote System Explorer broken on Windows?

- by Kev

I have the following setup on Windows 7 Ultimate x64: Eclipse Indigo 2.7.2 (Build: M20120208-0800) Remote System Explorer 3.3.2 (see screenshot) (Oracle/Sun) Java 1.6 Update 31 (x86) Despite all my best efforts I am unable to connect to a remote system (a Centos 5.6 server on my local LAN) using a Remote System Explorer SSH connection - I've tried both password authentication and using my SSH private key. Here is a screenshot of both the Eclipse error dialogue and what is logged in my /var/log/secure log file: /var/log/secure: Apr 1 12:00:21 nagios sshd[6176]: Received disconnect from 172.16.3.88: 3: com.jcraft.jsch.JSchException: Auth fail When I connect for the first time I do get prompted to verify the authenticity of the remote host and the RSA key fingerprint. But that's as far as things go. Performing the same operation with the same credentials on my Fedora Core 16 box (also running the same version of Eclipse and Java) to the same server is successful. This leads me to believe that RSE SSH support on Windows is either broken or there's some piece of the SSH-on-Windows puzzle I'm missing. Is this the case?

Read the article
Dollar ($) sign in password string treated as variable

- by ncatnow

Spent some time troubleshooting a problem whereby a PHP/MySQL web application was having problems connecting to the database. The database could be accessed from the shell and phpMyAdmin with the exact same credentials and it didn't make sense. Turns out the password had a $ sign in it: $_DB["password"] = "mypas$word"; The password being sent was "mypas" which is obviously wrong. What's the best way to handle this problem? I escaped the $ with a \ $_DB["password"] = "mypas\$word"; and it worked. I generally use $string = 'test' for strings which is probably how I avoided running into this before. Is this correct behavious? What if this password was stored in a database and PHP pulled it out - would this same problem occur? What am I missing here...

Read the article
Email goes to spam

- by VICKY Shastri

i am creating an simple mail sending application in c# windows form application. My application works well but when i send email to my yahoo account it goes to spam not in inbox but if i send email to gmail it goes to inbox. please tell me what i need to do to send email in inbox below is my code: try { // setup mail message MailMessage message = new MailMessage(); message.From = new MailAddress(textBox1.Text); message.To.Add(new MailAddress(textBox2.Text)); message.Subject = textBox3.Text; message.Body = richTextBox1.Text; // setup mail client SmtpClient mailClient = new SmtpClient("smtp.mail.yahoo.com"); mailClient.Credentials = new NetworkCredential(textBox1.Text, "password"); // send message mailClient.Send(message); MessageBox.Show("Sent"); } catch(Exception) { MessageBox.Show("Error"); }

Read the article
codeigniter: how to redirect after login to current controller (php_self in regular php)

- by krike

Well it's not really a problem but I check if the user exist and log them in and redirect to site/members_area, but I don't want to send the user to a specific page but i want to reload the current controller. So if I login in index/home I would like to be redirected at index/home, how should I proceed? in regular php I would put in the action to redirect to current page <?php echo $_SERVER['PHP_SELF']; ?> This is the code in the framework function validate_credentials() { $this->load->model('membership_model'); $query = $this->membership_model->validate(); if($query) // if the user's credentials validated... { $data = array( 'username' => $this->input->post('username'), 'is_logged_in' => true ); $this->session->set_userdata($data); redirect('site/members_area'); //<-- this line here should be dynamic } else // incorrect username or password { $this->index(); } }

Read the article
How to assign permissions for Copy/Paste on windows

- by jalchr

Well, as everyone knows there is no way you can assign permissions for Copy/Paste of files on windows platform. I need to control the copy process from a central file server, in a way that helps me know: which user performed the copy Which files were copied where did he pasted them Total size of data copied Time of copy operation If user exceeds the allowed "Copy-Limit", a dialog box requests him to enter administrative credentials or deny him (as it would be configured) Store all this data in a file for later review or send by email. I need to collect this data by putting a utility program on the server itself, without any other installation on client computers. I know about monitoring the Clipboard, but which clipboard would it be? the user's clipboard or the server's clipboard ? And what about drag-drop operation, which doesn't even pass through the clipboard? Any knowledge of whether SystemFileWatcher is useful in such case ? Any ideas ?

Read the article
Get HttpResponse from a page in the same web application

- by tivo

I have the following code: HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create("http://mycomputer/myWebApp/WebPage2.aspx"); myHttpWebRequest.Credentials = CredentialCache.DefaultNetworkCredentials; HttpWebResponse myHttpWebResponse = HttpWebResponse)myHttpWebRequest.GetResponse(); The last line of code throws a (500) Internal Server Error... This code is part of myWebApp/WepPage1.aspx, yes both aspx pages are on the same webapp. What I want to accomplish is to get WebPage2.aspx html response, put it on an email and send it from WebPage1.aspx. I would really appreciate any tips.. Thanks!!!

Read the article
How to lock non-browser clients from submitting a request?

- by Thomas Kohl

I want to block non-browser clients from accessing certain pages / successfully making a request. The website content is served to authenticated users. What happens is that our user gives his credentials to our website to 3rd party - it can be another website or a mobile application - that performs requests on his behalf. Say there is a form that the user fills out and sends a message. Can I protect this form so that the server processing the submission can tell whether the user has submitted it directly from the browser or not? I don't want to use CAPTCHA for usability reasons. Can I do it with some javascript?

Read the article
GData API works in Android 2.0 SDK & up?

- by user266361

I used GData API to pull in Calender info. It works fine if I use 1.6. But the same code, if I change to Android 2.0 & up, it would throw AuthenticationException. Below is my code for ur ref: CalendarService myService = new CalendarService("My Application"); myService.setUserCredentials(args[0],args[1]); // Set up the URL and the object that will handle the connection: URL feedUrl = new URL("http://www.google.com/calendar/feeds/"+args[0]+"/private/full"); args[0] & args[1] are the credentials. AuthenticationException will be thrown when calling myService.setUserCredentials(). Anybody has any clue?

Read the article
Sign in as different user when using Integrated Windows Authentication

- by Sam

I have restricted access to a site by using Integrated Windows Authentication and turning off anonymous access. This way I can then show them their real name (from looking up on Active Directory and using the server variable LOGON_USER) and do other related Active Directory tasks. How can I then prompt again for their user credentials, through a 'sign in as other user' link , showing the browser prompt (like you would get on a browser like Chrome or Firefox, or if the site was not in the 'Intranet' zone in IE) rather than a Web Form? Since SharePoint offers this functionality, I assume there is a way to do this through code, but I don't know what code can do this (using C#). I can send a 401 header which makes the prompt appear, but how do you then confirm if they are logged in?

Read the article
VB.Net 2008 Chrome or Firefox control

- by AndyD273

I'm trying to figure out a way to have multiple sessions at the same website at the same time. I've been using the SHDocVw.InternetExplorer control in Visual Studio 2008 to open a web browser and log in, but at times we need to use a separate login. I haven't found a way to do this using just internet explorer (it just uses the credentials of the first login), so I figure if I can find a similar control for another brower that allows DOM level access then I can just use that. If anyone knows of anything I can try that would be very helpful.

Read the article
How can one make a web-site accessible only when someone has a dongle?

- by Brian M. Hunt

Suppose you want to add an extra layer of credentials on top of a SSL-encrypted login/password, but you don't want to increase complexity to the user. Is there a way to add the requirement of the possession of a dongle to web-server authentication schemes with existing cross-platform browser capabilities? In other words, to get access to the web-site, you would need a username, password, and a USB dongle that has been plugged into the client computer. The dongle would presumably do some sort of challenge/response. It'd be ideal if this dongle solution worked with Firefox automatically or with the simple addition of a plugin. Thoughts and suggestions are appreciated.

Read the article

< Previous Page | 56 57 58 59 60 61 62 63 64 65 66 67 | Next Page >