I think I am missing something in https...
Currently I am using this to redirect the desired page from http to https
If Not Request.IsSecureConnection Then
Dim serverName As String = HttpUtility.UrlEncode(Request.ServerVariables("SERVER_NAME"))
Dim filePath As String = Request.FilePath
Response.Redirect(("https://" & serverName...
How do you set up a git repository where some users can see certain parts of the source code and other users can see all of it? I've seen lots of guides for only giving certain users commit access, but these assume everyone should have read access. I've also heard of gitosis, but I'm not sure it supports this and it hasn't had any commits...
Our ASP.Net application uses SQL Server 2008. Most of the time the application connects to SQL Server using a SQL account with very limited access rights.
However once in a while we need to be able to create a new database on the fly. As such we need elevated permissions and I am a little nervous about storing this connection string in...
Hi,
One of the reasons I use StAX is because of its low memory consumption in processing large xml files.
I've been requested to encrypt the whole xml files, and decrypt them later.
The easier solution I can come up with, without making major changes to existing code, is to encrypt content only.
xsw.writeStartElement("row");
xsw.writeC...
I know the general definition but I need more details on how to implement them in general and PHP in specific, and what exactly are the features I gain from them?
...
In addition to standard form authentication, IP address has been added as the security factor. This means a change of IP address drops the user session.
Personally I think this is an overwhelmed solution and does not provide real value. Also, something tells me that there are possible situations when the IP address could be changed legally.
Need to mention, that we...
Hi,
Is there any ability to mark a site as trusted? For example, somebody has some sites - auth.site.com (as oauth provider) and s1.site.com, s2.site.com etc as consumers. Of course, the owner would like to skip the step "Do you agree to add site s1.site.com as trusted?", but for security reasons would like to not mark other sites like othersite...
For a web application database, from a security standpoint only, what are arguments counter to the point for an sp only solution where the app db account has no rights to tables and views and only exec on sps?
If someone intercepts the app db account, the surface area exposed to an attack is much less than when tables and views aren't e...
I'm trying to secure the kiosk my application runs on. As part of that process, I've decided to kill explorer.exe and task manager. If I minimize an application while explorer.exe is dead it will show up as a minimized task-bar sitting on top of the desktop. The problem is that these title-bars sit on top of any foreground windows so the...
Hello,
I've been working on a program to extract information from a dynamic web application, and the program worked fine until I set my tomcat server to use SSL using a self-signed (thus, untrusted) certificate. The stack trace of the error is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path bui...
How secure is this MySQL statement built in PHP? Would it be vulnerable to an SQL injection?
$sql = sprintf("INSERT IGNORE INTO my_table VALUES(%d, %d, 1, NOW())",
mysql_escape_string($_SESSION['client']['id']),
mysql_escape_string($_POST['id']));
...
If a site uses a persistent login feature that's set up according to the best practices defined here, are there any potential security issues with dropping the persistent login cookie right at the account creation step? (Immediately upon validating the new account data on the server.) The site does not require that users verify new accou...
I have a web application that is secured and stores user detail information in a session object. I am building a Silverlight control to view images that are stored in the database and access to those images needs to be secured. I am not trying to prevent copying or anything like that but I need to make sure that the user accessing the ...
I have a database of hashed passwords that had no salt added before they were hashed. I want to add salt to new passwords. Obviously I can't re-hash the existing ones.
How would you migrate to a new hashing system?
...
We'd like to implement a workflow that requires multiple people to digitally sign a document. If I have multiple secret keys in my own keychain, I can do something as simple as:
gpg --sign -u userid1 -u userid2 filename
But what do I do if I've got an already signed document and I want to add a signature? One solution would be to h...
I know this is probably easy but I just don't know that much about .NET security so here goes:
I have a VS2008 VB solution that contains 4 projects: Windows Service, Forms Application, a Class Library and an install.
The service installs fine and runs under the system account. However, as the service starts I call a method in the librar...
I'm writing a piece of software that runs as a system service in Mac OSX and cannot seem to find out how to get the 'active' user.
There appear to be APIs to iterate through the list of logged-in users and be able to tell from a value which one has the machine console... however I cannot find any documentation on these APIs.
Looking a...
I'd like to improve my understanding of NTFS semantics; ideally, I'd like some kind of specification document(s).
I could (in theory) figure out the basics by experimentation, but there's always the possibility that I'd be ignoring some important variable.
For example, I'm having difficulty finding definitive information on the followi...
I need to pass the content of the textbox into a variable, i.e. whatever is typed in the textbox of the HTML page needs to be passed to a variable. This is because I am calling HTML (CGI as well) inside Linux shell programming. I need to manipulate that variable as I want. Do you have any idea how to do it?
What I need to do is, I want to get the...
I've come across a serious security flaw in one of the B2B web service providers that we operate on behalf of a client. Essentially, one can upload and execute arbitrary code as administrator if they monkey with the parameters in the URL. Many other organizations also use this service as well, so this flaw affects their security as well.
Norma...