Search Results

Search found 15558 results on 623 pages for 'basic authentication'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 89/623 | < Previous Page | 85 86 87 88 89 90 91 92 93 94 95 96  | Next Page >

  • Problem with Validate Anti Forgery

    - by Mikael Egnér
    Hi! I have a problem regarding MVC Anti forgery token. When I do my authentication I have pseudo code like this: var user = userRepository.GetByEmail(email); System.Threading.Thread.CurrentPrincipal = HttpContext.Current.User = user; by doing so I'm able to get the current user in my code like this: var user = HttpContext.Current.User as EntityUser; This works fine until I add the [ValidateAntiForgeryToken] attribute to an action. When I add the attribute I get A required anti-forgery token was not supplied or was invalid. If I comment out this line: System.Threading.Thread.CurrentPrincipal = HttpContext.Current.User = user; The antiforgery validation works fine, but the I don't have my convenient way of getting my "EntityUser" from the HttpContext. Any ideas of how to work around this? Best regards Mikael

    Read the article

  • Fully customized login system in Django?

    - by user367817
    Hey, I am currently writing an application which I plan to sell as SaaS. Without giving away "secrets," I can say that it is basically a "document editing system" in which many users will be submitting documents. The basic heirarchy is this: Institution Individual Document Sub-document So each Individual should be able to BROWSE all documents that were submitted by anybody in their institution, but should only be able to EDIT documents that they created. No individual should even be aware of the existence of another Institution--that should all be completely hidden. I have written a Django/Python class that would facilitate this, but every document regarding authentication that I have read requires that I use the User object. Is this just a limitation of Django, or is there a way to do this? If there is a way, how can I get my own "Individual" class details attached to the "request" objects so I can validate the things I should be showing the users?

    Read the article

  • Invoke an action that is using ASP.NET MVC [Authorize] from outside the application

    - by Nate Bross
    Is this possible? I'd like to expose a URL (action) such as http://mysever/myapp/UpdateHeartbeat/. In my MVC application it looks like [Authorize] [AcceptsVerbs(HttpVerbs.Post)] public ActionResult UpdateHeartbeat() { // update date in DB to DateTime.Now } Now, in my MVC application the user has logged in via FORMS authentication and they can execute that action to their hearts content. What I want to do, is hit that URL progromatically (as part of an API that I wouldl like to build) -- is there a way I can do that without removing the [Authorize] attribute and adding username/password as parameters to the POST?

    Read the article

  • asp.net: Is it possible to have multiple login forms to access different subfolders?

    - by Anthony
    Hi, Is it possible to have multiple login pages for different folders within an asp.net application? Say I have this structure: /admin /customer /login-admin.aspx /login-customer.aspx I have 2 different login forms. One for the admin people and one for the customers (the forms are different as the customers need to provide extra information on their login page). In the authentication section of the webconfig file (which is at the root of the web app), I can only specify one Login page. So how can I make sure thaf if anyone tries to access a webpage in /admin they will be redirected to /login-admin.aspx and if they try to access a webpage in /customer they will be redirected to /login-customer.aspx ? Thanks, Anthony

    Read the article

  • Sending a signup confirmation email with having to confirm using Devise

    - by slythic
    Hi all, I'm using devise to handle user authentication with my rails app. I'd like to allow my users to sign up and be instantly logged in and receive a confirmation email. Devise has the Confirmable module which sends out an email but requires the user to open up their mail application, find the email and click a link which then leads them to the site again. I'd like to just email the user a confirmation that they signed up and that's it. Is there a way for devise to do this or do I need to resolve to handling ActionMailer myself (if so, is there a quick and non-complex example)? Many thanks! -Tony

    Read the article

  • losing session in rails 2.3.2 app using subdomain

    - by mike in africa
    i have a 2.2.3 app which i upgraded to 2.3.2 it's a multi-site (using subdomain) that creates one top level session for all sites. this is how i change the domain in production.rb: ActionController::Base.session_options[:domain] = "xxx.com" # in rails 2.2.2, this is what i used to do: # ActionController::Base.session_options[:session_domain] = "xxx.com" strange things started to happen after i upgraded i can no longer login using restful authentication; it does authenticate me, but as soon as i'm redirected, it would ask me to login again. as i said, i use restful_authentication and i also use passenger 2.1.2. anyone can help?

    Read the article

  • How can I make a security token automatically expire in a passive STS setup?

    - by Rising Star
    I have a passive STS set up for a new application I'm working on. I've noticed that when a user's session expires, the user is still authenticated. I would have thought that when the session expires, the user would no longer be authenticated. My boss discussed this with me as I am currently charged with setting up the authentication. He says that it would be good if we could make the user's log on expire after a certain period of inactivity similar to how the session expires. I am familiar with how to sign a user out with a few lines of code. How can I make it so that the user is automatically signed out after a specified period of inactivity? Currently, I have some code in the global.asax file that programmatically checks when the last request was and compares it to the current time; it then signs the user out if a certain period of time has expired.

    Read the article

  • Why Shouldn't I Programmatically Submit Username/Password to Facebook/Twitter/Amazon/etc?

    - by viatropos
    I wish there was a central, fully customizable, open source, universal login system that allowed you to login and manage all of your online accounts (maybe there is?)... I just found RPXNow today after starting to build a Sinatra app to login to Google, Facebook, Twitter, Amazon, OpenID, and EventBrite, and it looks like it might save some time. But I keep wondering, not being an authentication guru, why couldn't I just have a sleek login page saying "Enter username and password, and check your login service", and then in the background either scrape the login page from say EventBrite and programmatically submit the form with Mechanize, or use an API if there was one? It would be so much cleaner and such a better user experience if they didn't have to go through popups and redirects and they could use any previously existing accounts. My question is: What are the reasons why I shouldn't do something like that? I don't know much about the serious details of cookies/sessions/security, so if you could be descriptive or point me to some helpful links that would be awesome. Thanks!

    Read the article

  • .NET ORM and Security

    - by Sphynx
    We're going to use an ORM tool with a .NET desktop application. The tool allows creation of persistent classes. It generates all database tables automatically. In addition to other data, our system needs to store user credentials, and deliver access control. The question is, is there any possibility of access control by means of ORM, without creating the database authentication mechanisms manually? Is there any product on the market which allows this? We thought of limiting the access in the program itself, but users can easily access the database directly, and bypass the program limitations. Thanks.

    Read the article

  • How can one make a web-site accessible only when someone has a dongle?

    - by Brian M. Hunt
    Suppose you want to add an extra layer of credentials on top of a SSL-encrypted login/password, but you don't want to increase complexity to the user. Is there a way to add the requirement of the possession of a dongle to web-server authentication schemes with existing cross-platform browser capabilities? In other words, to get access to the web-site, you would need a username, password, and a USB dongle that has been plugged into the client computer. The dongle would presumably do some sort of challenge/response. It'd be ideal if this dongle solution worked with Firefox automatically or with the simple addition of a plugin. Thoughts and suggestions are appreciated.

    Read the article

  • In Django, why is user.is_authenticated a method and not a member variable like is_staff

    - by luc
    Hello all, I've lost some time with a bug in my app due to user authentication. I think that it's a bit confusing but maybe someone can explain the reason and it will appear to me very logical. The user.is_staff is a member variable while user.is_authenticated is a method. However is_authenticated only returns True or False depending if the class is User or AnonymousUser (see http://docs.djangoproject.com/en/dev/topics/auth/) Is there a reason for that? Why user.is_authenticated is a method? Thanks in advance

    Read the article

  • How do I protect static files with ASP.NET form auhentication on IIS 7.5?

    - by Egil Hansen
    Hi all I have a website running on a IIS 7.5 server with ASP.NET 4.0 on a shared host, but in full trust. The site is a basic "file browser" that allows the visitors to login and have a list of files available to them displayed, and, obviously, download the files. The static files (mostly pdf files) are located in a sub folder on the site called data, e.g. http://example.com/data/... The site uses ASP.NET form authentication. My question is: How do I get the ASP.NET engine to handle the requests for the static files in the data folder, so that request for files are authenticated by ASP.NET, and users are not able to deep link to a file and grab files they are not allowed to have? Best regards, Egil.

    Read the article

  • Custom User Management for Google App Engine Java

    - by Gopi
    I am using GAE Java for a multi-user application. There are multiple users with different roles. Each user can login, do some operations and logout. The business restricts me from using Google User Service and I need to implement my own for authentication and session management. Can anyone please share with me how should I go about implementing my own user management? I have read its very tricky to implement own user management. Any pointers in terms of best approaches/ design / existing frameworks if any ? I could see some similar posts but they are for python.

    Read the article

  • Manually logging in a user without password

    - by Agos
    Hi everybody; I hope you can help me figure the best way to implement a manual (server-side initiated) login without using the password. Let me explain the workflow: User registers Thank you! An email with an activation link has been sent blablabla (Account now exists but is marked not enabled) User opens email, clicks link (Account is enabled) Thank you! You can now use the site What I'm trying to do is log in the user after he has clicked the email link so he can start using the website right away. I can't use his password since it's encrypted in the DB, is the only option writing a custom authentication backend?

    Read the article

  • Strange Error - "Object moved to here."

    - by Dkong
    I get the strange error "Object moved to here." on a blank white page when I try to login on a site I created. It works fine locally but not when I deploy it to the test or production server. I am not doing anything odd, just using basic authentication code in a helper function as follows... public static bool AuthenticateUser(string Username, string Password, bool PersistLogin, string RedirectionURL) { if (Membership.ValidateUser(Username, Password)) { FormsAuthentication.SetAuthCookie(Username, PersistLogin); HttpContext.Current.Response.Redirect(RedirectionURL,true); return true; } else return false; }

    Read the article

  • Client-side session timeout redirect in ASP.Net

    - by Mercury821
    I want to build a way to automatically redirect users to Timeout.aspx when their session expires due to inactivity. My application uses forms authentication and relies heavily on update panels within the same aspx page for user interaction, so I don't want to simply redirect after a page-level timer expires. For the same reason, I can't use '<meta http-equiv="refresh"/>' What I want to do is create a simple ajax web service with a method called IsSessionTimedOut(), that simply returns a boolean. I will use a javascript timer to periodically call the method, and if it returns true, then redirect to Timeout.aspx. However, I don't want calling this method to reset the session timeout timer, or the session would never time out because of the service call. Is there a clean way to avoid this catch-22? Hopefully there is an easy solution that has so far eluded me.

    Read the article

  • Replicating Active Directory - testing scenarios

    - by Naeem Sarfraz
    Replicating a production server's Active Directory is possible through a number of approaches as mentioned here and here. I'm looking for a simpler approach if one exists. I have a mixed-mode authentication site that I need to test. Quite simply AD users (internal) will have more privilege's than someone who logs in via forms (external). We have a web service that cache's an AD structure (users & groups). I'm thinking of building a module (http handler I guess?) that will pick up my specially formed URL (http://impersonateduser@localhost/mywebapp) and use the bit before the @ as the username. That will be the username I use for any subsequent operations. How does that sound? Has anyone got other proposals for testing scenarios like this?

    Read the article

  • pyramid view redirection

    - by ascobol
    This question title may be slightly incorrect but I could not find a better one (yet). I'm trying to integrate Mozilla Persona (browserid) into a Pyramid application. The login process is: user can login on any page by clicking on the login button a popup then shows a login form when the users enters correct login/password, an ajax call is made by the popup to a pyramid view that checks users credentials, and calls pyramid remember function if the check succeeded the browserid javascript code then reloads the current page Now I want to handle the case of a new user subscribing to the web app and present a new view asking for a few more details (desired username, etc) Since the "remember" function is called by an ajax call from the popup, I cannot redirect the user the the "/newuser" page. So every view needs to redirect new users to the "/newuser" url whenever the remembered browserid has no corresponding user in the database. Is there a way to intercept user requests before calling a view to call the "new_user" view instead ? Or maybe my authentication approach is fundamentally incorrect and I should rely on another approach ?

    Read the article

  • OAuth 2.0: Can a user-agent client avoid forwarding fragments?

    - by Bosh
    In the OAuth 2.0 draft specification, user-agent clients receive authorization in the form of a bearer token via redirection (from an authentication server) to a URL such as HTTP/1.1 302 Found Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600 According to Section 3.5.2 it is then the user-agent's job to GET the URL in question, but "The user-agent SHALL NOT include the fragment component with the request." In other words, as a result of the example redirection above, the user-agent should GET /rd HTTP/1.1 Host: example.com without passing #access_token to the server. My question: what user agents behave this way? I thought redirection in Firefox, for example, would (logically) include the fragment in the GET request. Am I just wrong about this, or does the OAuth 2.0 specification rely on non-standard user-agent behavior?

    Read the article

  • Backup Google Calendar programmatically: https://www.google.com/calendar/exporticalzip

    - by Michael
    I'm struggling with writing a python script that automatically grabs the zip fail containing all my google calendars and stores it (as a backup) on my harddisk. I'm using ClientLogin to get an authentication token (and successfully can obtain the token). Unfortunately, i'm unable to retrieve the file at https://www.google.com/calendar/exporticalzip It always asks me for the login credentials again by returning a login page as html (instead of the zip). Here's the critical code: post_data = post_data = urllib.urlencode({ 'auth': token, 'continue': zip_url}) request = urllib2.Request('https://www.google.com/calendar', post_data, header) try: f = urllib2.urlopen(request) result = f.read() except: print "Error" Anyone any ideas or done that before? Or an alternative idea how to backup all my calendars (automatically!)

    Read the article

  • What is the current standard for authenticating Http requests (REST, Xml over Http)?

    - by CodeToGlory
    The standard should solve the following Authentication challenges like- Replay attacks Man in the Middle Plaintext attacks Dictionary attacks Brute force attacks Spoofing by counterfeit servers I have already looked at Amazon Web Services and that is one possibility. More importantly there seems to be two most common approaches: Use apiKey which is encoded in a similar fashion like AWS but is a post parameter to a request Use Http AuthenticationHeader and use a similar signature like AWS. Signature is typically obtained by signing a date stamp with an encrypted shared secret. This signature is therefore passed either as an apiKey or in the Http AuthenticationHeader. I would like to know weigh both the options from the community, who may have used one or more and would also like to explore other options that I am not considering. I would also use HTTPS to secure my services.

    Read the article

  • IIS Active Directory double handshake hickup

    - by AngryHacker
    I have a .net 2.0 click-once application that connects to IIS web services on Windows 2003 R2 64-bits. The IIS is setup with Integrated Windows Authentication. So whenever a web service call is made to IIS web services, there is a double handshake taking place: Client Request #1 GetEmployeeList Server Response #1 <- 401 HTTP/1.1 401 Unauthorized WWW-Authenticate: Negotiate WWW-Authenticate: NTLM Client Request #2 REQUEST Header... Server Response #2 <- 200 Data Received Lately, however, Server Response #1 will sometimes (a good 20 percent of the calls) take a massive amount of time (like 25 to 30 seconds). How do I debug this problem? Is this a Active Directory problem or a Domain Controller problem?

    Read the article

  • last_login_at not working (null) w/ Authlogic Magic Columns...

    - by bgadoci
    I am using the Authlogicgem for authentication and most of it seems to be working great. Authlogic provides several columns that you can add to your Users table (for example) that it knows to fill in if they are present. i.e. login_count, current_login_ip, last_request_at and last_login_at. All seem to be working fine with the exception of the last_login_at field which is null for each user. Is there anything specific that could be causing this perhaps having to do with the user sessions, etc? I can post code if needed but wasn't sure what would relate to this.

    Read the article

  • How to bind to current riacontext user in xaml

    - by Jakob
    Hi. I Have a datacontext that has a "getuserbyguid" method, i want to pass in the current logged in user.userid as a parameter, but I don't know how to bind to the current logged in user through xaml. I've tried {Binding Path=User.UserId} but without any luck. I'm using the built in riaservices authentication methods, so the userinfo should be exposed in the riacontext, or am I wrong about this? I have this for instance <riaControls:DomainDataSource x:Name="FollowingGridData" AutoLoad="True" QueryName="GetUsersFollowedByIDQuery" LoadSize="20"> <riaControls:DomainDataSource.DomainContext> <my:NotesDomainContext /> </riaControls:DomainDataSource.DomainContext> <riaControls:DomainDataSource.QueryParameters> <riaControls:Parameter ParameterName="userguid" Value="{Binding Path=User.UserId}" /> </riaControls:DomainDataSource.QueryParameters> </riaControls:DomainDataSource> But it gives me an error saying that it's not a guid, meaning that it must not be binding correctly

    Read the article

  • OpenID PAM module

    - by Harvey Kwok
    I am looking for a PAM module that can use OpenID to do the authentication. My idea is that I want to logon my Linux box using my gmail account and password. I found there is a open source project in Google Code which seems to be doing the things I want but I don't see any code available for download. I saw there are so many examples or implementations but they are all about web apps. Is there any non-web based OpenID applications in the world? Is it technically possible to make a non-web based OpenID application? I naively think that it should be possible. I can emulate whatever packets the browser send out to the OpenID provider and get back the result. As long as my Linux box is connected to the Internet, I should be able to use my OpenID to login. Appreciate any comments, suggestions or pointers on how to make an OpenID PAM module. Thanks!

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 85 86 87 88 89 90 91 92 93 94 95 96  | Next Page >