Search Results

Search found 27295 results on 1092 pages for 'cross site'.

Page 663/1092 | < Previous Page | 659 660 661 662 663 664 665 666 667 668 669 670  | Next Page >

  • SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

    - by MOKANA
    Subsequent to my posting there was a remark made that this was not really a question, but I thought I did indeed postulate one. So that there is no ambiguity, here is the question with a lead-in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does anyone see any other way, other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_token, that will ensure unique, untampered-with security by the user?

    Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for anyone to see. This access_token is appended to any HTTPS call to the Facebook OpenGraph API. Using Facebook as a single-click log on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination, and after reviewing the FB.Init calls I saw a lot of HTTPS calls, so I assumed the access_token was always encrypted. But last night I saw in the status bar a call that was simply an HTTP call that included the App ID, so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast, and in the attached image you can see that there are HTTP calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something? Is what I am seeing and my interpretation really correct? If anyone can sniff and get the access_token they can theoretically make calls to the Graph API via HTTPS, even though the callback would still need to be the site established in Facebook's application set-up. But what is truly a security threat is anyone using the access_token for access to their own site.

    I do not see the value of a single sign on via Facebook if the only thing that was established as secure was the access_token, because from what I can see it clearly is not secure. Access tokens that never have an expiry date do not change. Access_tokens are different for every user, so access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png

    Went back and did more research on this:

    FINDINGS: Went back and re-ran the canvas application to verify that it was not any of my code that was not broadcasting. In this call:

        HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1

    The USER ID is clearly visible in the cookie. So USER_IDs are fully visible, but they are already. Anyone can go to pretty much anyone's page and hover over the image and see the USER ID. So no big threat. APP_IDs are also easily obtainable - but . . . http://www.creatingstory.com/images/InTheOpen2.png

    The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook-initiated call. Am I wrong? TELL ME I AM WRONG because I want to be wrong about this. I have since reset my app secret so I am showing the real sniff of the Canvas Page being loaded.

    Additional data 02/20/2011:

    @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server and my Facebook server-side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front-end application and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don't know that could come back and bite me.

    Two huge access_token issues:

    The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie, contains the access_token, session, a secret, and uid and status of the connection. The session object is structured such that it supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much all that is used in the session object.

    The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser:

        https://graph.facebook.com/220439?access_token=...

    and it will return a ton of information about the user. So anyone with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a Callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info back right into the browser. Adding that callback feature would be a good idea I think; it tightens things up a bit.

    The second issue is utilization of some unique private secured data that identifies the user to the third-party database, i.e., like in my case, I would use a single sign on to populate user information into my database using this unique secured data item (i.e., access_token, which contains the APP ID, the USER ID, and a hashed-with-secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with the secret, make HTTPS calls, get HTTPS responses back.

    When a user has information entered via the USER AGENT (browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that they are validated prior to database insertion. However, if there is NO secured piece of unique data that is supplied via the single sign on process, then there is no way to guarantee unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. It is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If, however, it is subsequently transmitted in the clear and I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser.

    In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above, and I have sniffed it such that I see it stored in a Cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database; or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that.

    I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign on process, or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.

  • What's causing this background-image to display "incorrectly" in Opera and Firefox?

    - by Sukasa
    I know this is something I'm probably doing wrong, so please don't incinerate me for the thread title. I'm trying to put together a small personal website using HTML 5/CSS3. I've checked with the W3C validator and the site and CSS file fully conform according to the validator (however, the validator has a warning attached that it might not be perfect). I'm not sure how to explain it without a picture, so here's a comparison of Chrome/Opera/Firefox:

    So, you can sorta see how in Chrome the background image is in one non-repeating piece, whereas in Opera/Firefox the image has, oddly, been broken up and placed slightly differently. I'm confident this is due to an error on my part, but I've had no luck at all figuring out why the image is being mangled in Opera and Firefox. Here's the CSS that's relevant to this issue:

        /* Content Pane */
        .content {
            position: absolute;
            left: 220px;
            width: 800px;
            top: 80px;
            min-height: 550px;
            background-color: rgba(8,12,42,0.85);
        }

        /* Headers */
        .content hgroup {
            background: url("Header_Flat.png") no-repeat left top;
            min-height: 38px;
            padding-left: 28px;
            text-shadow: 0 0 8px #FFA9FF;
            color: Black;
            text-decoration: none;
        }

        .content hgroup h1 {
            display: block;
        }

        .content hgroup h3 {
            display: inline;
            position: relative;
            top: -12px;
            left: 20px;
            text-shadow: 0 0 6px #AFF9FF;
        }

        .content hgroup h4 {
            display: inline;
            position: relative;
            top: -12px;
            left: 20px;
            font-size: xx-small;
            text-shadow: 0 0 6px #AFF9FF;
        }

    And the HTML:

        <hgroup>
            <h1>New Site!</h1>
            <h3>Now with Bloom!</h3>
            <h4> - Posted Tuesday, May 11th 2010</h4>
        </hgroup>

    Can anyone see what I'm doing wrong?

  • How do I trigger Google Website Optimizer code on download?

    - by Shane N
    I have a site that I'm optimizing using Google Website Optimizer where the goal is to have someone click on a link to download some software. But the Google Optimizer code that's provided will get triggered on any page where the link is. Is there any way to have it execute only when someone actually clicks the download button? Thanks so much!

  • Safari doesn't display 'alt' text on Images?

    - by Nimbuz
    <img src="image_that_may_or_may_not_load.png" alt="Show this text if image not loaded" /> Safari doesn't seem to show 'alt' text in case the image is not loaded. I'm not sure about other browsers, but Firefox does show the alternate text. It's so important to display alt text in email templates, where the images would most likely be blocked by the client, at least until the user accepts to "display images from this user/site". Any workaround for this? Thanks

  • AJAX ASP.Net Remove URL ID

    - by Ioxp
    The site I'm working on is an Ajax-enabled ASP.NET/C# project and I have a URL like this: http://localhost:2531/(S(lfcvqc55wkabpp55o1x4pvq5))/Logon.aspx How do you get rid of the (S(lfcvqc55wkabpp55o1x4pvq5)) portion of the URL? I have a feeling it's a web.config parameter, however I'm not really sure what you call this part: GUID, Session ID?

  • Web development learning env

    - by David Oneill
    I am currently learning Ruby on Rails. I currently do all my development on my laptop. However, I know in all "real world" situations, I will be connecting to a dedicated server that will hold the site. So here is my question: what are the pros and cons of developing on the machine I use vs running the website on a separate server?

  • WordPress create profile pages for users

    - by cosmorocket
    Is there a way to create a profile page for every user that is registered on my WordPress site? I need a feature that allows each registered user to fill in his profile - name, address, email, add photos. Then this data is populated to a user's profile page using a template so when anyone goes to, e.g. mysite.com/users/johndoe, he sees the user's profile page with all information. Thanks.

  • PHP Shared Sessions across Domain

    - by bigstylee
    Hi, I have seen a few answers to this on SOO but most of these are concerned with the use of subdomains, none of which have worked for me. The common one being the use of session.cookie_domain, which from my understanding will only work with subdomains. I am interested in a solution that deals with entirely different domains (and includes the possibility of subdomains). Unfortunately, project deadlines being what they are, time is not on my side, so I turn to SOO's expertise and experience.

    The current project brief is to be able to log into one site, which currently only stores the user_id in the session, and then be able to retrieve this value while on a different domain within the same server environment. Session data is being stored/retrieved from a database where the session id is the primary key. I am hoping to find a "lightweight" and "easy" to implement solution. The system is utilising an in-house Model View Controller design pattern, so all requests (including different domains) are run through a single bootstrap script. Using the domain name as a variable, this determines what context to display to the user.

    One option that did look like it had potential is the use of a hidden image and using the alt tag to set the user id. My first impressions suggest this immediately seems "too easy" (if possible) and riddled with security flaws. Discuss?

    Another option which I considered is using the IP and User Agent for authentication, but again I feel this is not going to be a reliable option due to shared networks and changing IP addresses.

    My third option (and preferred), which I considered and as yet have not seen discussed, is using htaccess to fool the user into thinking that they are on a different domain when in fact Apache is redirecting; something like

        www.foo.com/index.php?domain=bar.com&controller=news/categories/1

    but displays to the user as

        www.bar.com/news/categories/1

    foo.com represents the "main site domain" which all requests are run through and bar.com is what the user thinks they are accessing. The controller request dictates the page and view being requested. Is this possible? Are there other options? Pros/Cons? Thanks in advance!!!

  • Preview for create/edit content doesn't work

    - by Snazzy
    Hi! I'm configuring a Drupal website (that was previously created) and I'm testing the different options. When I create new content or edit old content and change anything and then click on 'Preview', the recent changes don't appear (just the old values appear); I have to save it before. NOTE: I do the actions as ROOT (it is not a privilege problem). Does anyone know what is happening?

  • CSS: right wrapper dropping off the end of the page

    - by user310606
    I have an issue with a site I am working on where the right wrapper keeps dropping down below the site. Obviously I want it to stay on the right-hand side. I've coded up a test case which shows my issue (I think) and I'm wondering if there is a better way to do things. The website URL is http://www.musicworkshop.co.nz/

    Below is the test case which (I think) is the cause of my issue, however it may not be. The pink box drops down if it does not fit within the page width. Is there a better way to do this?

    John

        <html>
        <head>
            <title> Test page </title>
            <link rel="stylesheet" href="test.css" type="text/css" />
        </head>
        <body>
            <div id="superbox">
                <div id="box1"> </div>
                <div id="box2"> </div>
                <div id="box3"> </div>
                <div id="box4"> </div>
                <div id="box5"> </div>
                <div id="box6"> </div>
            </div>
        </body>
        </html>

        #outsidebox { width: 100%; }
        #superbox { width: 1000px; height: 100px; margin: 0 auto; }
        #box1 { height: 100px; width: 200px; background: red; float: left; }
        #box2 { height: 100px; width: 200px; background: yellow; float: left; }
        #box3 { height: 100px; width: 200px; background: blue; float: left; }
        #box4 { height: 100px; width: 200px; background: green; float: left; }
        #box5 { height: 100px; width: 200px; background: grey; float: left; }
        #box6 { height: 100px; width: 200px; background: pink; float: left; }

  • Pass windows authentication username to asp variable

    - by Darren Cook
    Hi, I have a site that processes orders taken by phone into a SQL database. Access to the portal uses Windows Authentication and I would like to pass the username of the order processor along with the order so that I can record who has taken the order. How can I pass the user name to a form element? The pages are written in classic ASP. Thanks.

  • font-face properties of font selector are not working in my website

    - by Mayur
    Hi All, I'm getting a problem while embedding a font in my website. I'm using a CSS3 rule of font selector; the code is:

        @font-face {
            font-family: 'VoltaEFTU-Regular';
            src: url(/fonts/VoltaEFTU-Regular.ttf) format("truetype");
        }

        .sample {
            font-family: 'VoltaEFTU-Regular';
            font-size: 10em;
        }

    I put my Volta font in TrueType format in the fonts folder of my website folder but it's not working. My HTML code is: typetrigger

  • How many rewrite rules should I expect to manage?

    - by Scott Ackerson
    I'm dealing with a hosting team that is fairly skittish about managing many rewrite rules. What are your experiences with the number of rules your sites are currently managing? I can see dozens (if not more) coming up as the site grows and contracts, and I need to set expectations that this isn't out of the norm. Thanks

  • Drupal OpenID - how to get details

    - by Arun
    I'm trying to use the Drupal OpenID module. When I log in using any provider ID (Yahoo, Google, ...), the next step goes to the registration page of my site. My question is: how do I populate the details of the user into my form without additional burden to the user? For example name, email ID, etc. Is there any module associated with it?

  • Need some quick C# regex help

    - by Steven
    I have this html: <a href="http://www.site.com/">This is the content.</a> I just need to get rid of the anchor tag html around the content text, so that all I end up with is "This is the content". Can I do this using Regex.Replace?

  • appending images into center inside div using jquery

    - by text
    I am using the crossSlide jQuery plugin for my slideshow. My container is bigger than the images inside it, so the tendency is for the images to be positioned to the left. Is there a way to position them centered in the container? Here's a sample site using crossSlide, since I don't have a website to upload my sample page to: http://www.hashbangcode.com/blog/crossslide-jquery-plugin-test-348.html

  • Different coloured fly out menu

    - by Rob
    Hi All, I'm creating a custom master page for a MOSS publishing site. The designers have come up with this idea for the fly-out menu, which uses graduated/different background and text colours for each menu option. Does anyone know how to accomplish this?

  • multi user dungeon help

    - by mudman
    I've created a single user dungeon which I would like to turn into a multi user dungeon so at least two players can play. How would I do that? What code do I need to add? Can anyone help? I would show the code, but if I do then everyone would see it and all my work will be copied, as I know other students use this site too, so please understand my situation. And yes, this is homework/assignment work.
