authentication

Is WCF Username Authentication without Transport Security a security risk?

I am trying to use username message security in WCF. I am trying to find out if using transport credential type of None/Anonymous will pose a definite security risk. My concern is with the initial exchange where binary data is tunneled through using the WS-trust specification (TLS negotiation). Will this attempt to authenticate my user...

Implementing authentication in a webpage through a WinForms app

and here comes the situation... A customer has installed my super-duper WinForms application. The username and password are authenticated on the app startup with my MSSQL server. I would like to redirect the user to my webpage and have him as "logged-in" when he clicks the "Update subscription" button within my app (without the need o...

ASP.NET MVC - cross sub domain authentication/membership

Hit a roadblock while implementing a sub domain based language switcher (en.domain.com loads English, jp.domain.com loads Japanese). How do I get a single membership system to work across multiple sub domains (ASP.NET MVC C#)? Saw something about adding domain="domain.com" to <forms > entry in web.config. Did that, but does that work w...

How can I use Facebook Connect with Google App Engine without using Django?

I'm developing on the Google App Engine and I would like to integrate Facebook Connect into my site as a means for registering and authenticating. In the past, I relied on Google's Accounts API for user registration. I'm trying to use Google's webapp framework instead of Django but it seems that all the resources regarding Facebook conne...

AccountController using MySQL in ASP.NET MVC

Creating a default ASP.NET MVC project in Visual Studio sets up a basic project where you can register a user. How would I go about changing this to use a MySQL server instead of SQL Server? ...

How secure is the ASP.NET Membership framework?

What is the ASP.NET Membership framework's reputation as far as security goes? Are there any typical default configuration settings that are problematic? What best practices are there? Are there any built-in methods to combat things like session hijacking? ...

JSF authentication and authorization

What is the best way to go about implementing authentication and authorization for a JSF web application? Preferably I'd still want to use container-based security, as I need to call EJBs that require the principal. I realize form-based authentication is a major struggle with JSF, but can I perhaps use a PhaseListener or something simi...

Most RESTful Authentication Approach - Who is using it?

Duplicate: this must be a duplicate of one of the questions that come up in the following search: http://stackoverflow.com/questions/tagged/rest+authentication. Please close it as a duplicate if you agree, and add any answers to one of the other questions. What is the most RESTful form of authentication? What websites use it? (so I ca...

If writing your own authentication, does authenticate() go in the application_controller?

I'd like to write my own authentication instead of using one of the plugins. Should my authenticate method go in the application_controller? My idea is to place it there and then in each of the controllers use a before_filter before_filter :authenticate So my authenticate method would just check if the user_id is present in the sess...

How can I create a dynamic login in PHP?

Here's how it works: User makes a payment User receives a password Their user name will be their email A folder will be created for that user, which contains the files the user paid to have access to. My main problem is that the software needs to be protected, and the password will be dynamically created. So I'm wondering if I need t...

SSL Client Cert Verification optimisation

We currently have a group of web-services exposing interfaces to a variety of different client types and roles. Background: Authentication is handled through SSL Client Certificate Verification. This is currently being done in web-service code (not by the HTTP server). We don't want to use any scheme less secure than this. This post ...

How can I make CAPTCHA work across multiple pages?

Ever visit a website such as myspace where they leverage CAPTCHA to prevent spam? The typical pattern is to present a challenge to each URL that is opened, yet the challenge doesn't actually belong to the page itself which causes additional bandwidth usage. So, if I open up six pages at the same time and want to present a challenge on e...

Integrating Jabber/XMPP with other systems (authentication, password sharing)

Is it possible to instruct the jabber/xmpp server to delegate authentication to another module? We are building an internal application using XMPP and it would be fantastic if we could let users keep their standard username/password that they use in our web-apps. The web-apps are currently hashing passwords, and so the passwords in the...

IP address as additional security factor for authentication

In addition to standard form authentication, the IP address has been added as a security factor, meaning a change of IP address drops the user session. Personally I think this is an overwhelmed solution and does not provide real value. Also, something tells me that there are possible situations where the IP address could be changed legally. I need to mention that we...

Zend Framework User Authentication

What is the best practice for user website/REST authentication in ZF MVC? How and where do I put the code in the ZF framework? Can you provide me with a code example? I have a website and a REST server written in Zend Framework but no user session implemented yet. THX! ...

Adobe air http auth

Hello! I have a question about HTTP auth in a non-browser env. If I have an Air app which takes user/pass to "login" to a web app, the login action would be done with a request from Air to http://foo.bar/session/create with the uname/pass as POST vars. Now can I keep the answer and add it to the headers for my next requests? If the...

can you securely offer persistent login right at the create account step?

If a site uses a persistent login feature that's set up according to the best practices defined here, are there any potential security issues with dropping the persistent login cookie right at the account creation step? (Immediately upon validating the new account data on the server.) The site does not require that users verify new accou...

rails specify method for redirect_to

During a post for a new model, I am checking for authentication via Authlogic. There is a before_filter on the create request. It is calling require_user. After the user session has been successfully created, the redirect_back_or_default(default) method is called. The problem is, the request needs to be posted to the stored URI. I ha...

How Sys.Services.AuthenticationService works and what could prevent it from working

Hi, my website uses Sys.Services.AuthenticationService in order to do an ajax-style login. Right now it's contained within $(document).ready(function() { }); here's the very beginning of the javascript code... (You can read the full implementation here) alert("1"); var ssa = Sys.Services.AuthenticationService; alert("2"); The fir...

How to implement AWS signed requests with amazon java library?

Hi everybody, we're currently using amazon-a2s-2007-10-29-java-library.jar to interact with the Amazon Web Services or Product Advertising API, respectively. We don't see a way to implement signed requests (mandatory from Aug 15) using this library, nor can we find an updated version supporting signed requests. There does not seem ...