I was thinking about how to secure the Data Layer in a C# Application, the layer could in this case be either a LINQ to SQL Model Diagram stored with the Application itself containing the connection string to the SQL Server Database.
Or it could be connectivity between the application and webservices.
Either you need to implement some sor...
I am coding a site that has video and audio files. I need people to be able to watch/listen to the files if they are logged in (PHP/MySQL login), but I don't want people who haven't registered to be able to download the files. I need to be able to block direct access to the files and only let them be accessed by users with accounts.
...
I'm building a client-side ajax login for Asp.Net MVC by doing jquery posts to the controller to log in the user.
What I'm wondering is when the user goes to log out, should the page refresh? (for security reasons)
This tutorial here says:
There will always be a page refresh on
logout. This is necessary to ensure
that any user...
I noticed that when I added the FogBugz RSS Feed to my iGoogle page I had to embed my username and password in the feed URL. So are there any security risks associated with doing this?
EDIT:
Yes, my question should have specifically stated https and whether or not the query string portion of the URL is encrypted.
...
Hi Guys,
Many of us must have done a Man-in-the-middle (MITM) attack on their internal networks - nothing serious, just for learning :)
Now there are a number of protocol vulnerabilities which make MITM possible - ARP Poison Routing, STP Claiming Root Role dual home, HSRP active router...
There are also a large number of network securi...
I've decided to encrypt my entire site with SSL, even if only parts of it are actually necessary. End result being that the site is now a bit slower. So, my questions are:
Should I have only encrypted the members section of the site (keeping in mind I do have login forms on the frontpage)?
Should I perhaps decrease the encryption to 12...
How do I make a script delete itself after it finishes its work?
edit:
It's for my installation script. I want it to delete itself for security reasons (so an attacker won't be able to overwrite the existing site).
I forgot to mention that it has its 'includes' directory that I would like to be deleted too... Could someone add how to also del...
<?php
$id = intval($_GET['id']);
$sql = mysql_query("SELECT username FROM users WHERE id = $id");
$row = mysql_fetch_assoc($sql);
$user = htmlspecialchars($row['username']);
?>
<h1>User:<?php echo $user ?></h1>
Can you see any threats in the above code? Do I have to use htmlspecialchars on everything I output? And should I use i...
OK, I start with a very simple method:
alert(someText);
"someText" is a variable, which users will pass a value into by a form.
Is there a chance that the user passes the following text, and injects some code into my JavaScript?
For example, can the user pass this in this method:
"anotherText"); alert("the nextText"
If so, how can I prev...
It seems that most major websites will use a secure domain, but there are a few major exceptions, notably Facebook and Twitter.
The benefits of using a secure domain are obvious I suppose - your login credentials are never transmitted in plain text.
So how do major sites like Facebook and Twitter get away with it? If a secure doma...
I've always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine.
However, some people recommend that the salt be stored separately from the database. Their argument is that if the database is compromised, an attacker...
Hi.
I was recently asked to provide a quote on integrating a security solution like most Online Banks use, where there is a security token whose key/numbers are randomly changing.
The portal is an ASP.NET website, 2.0...
I haven't implemented this type of security authentication before. Can anyone provide guidance, suggestions, experi...
Is there a way to create Security Editor dialog using C#, similar to CreateSecurityPage() method available in aclui.dll?
...
How to associate permissions available for a user using a security descriptor? Given a user how to decide whether the user is having particular permission with the help of security descriptor?
...
Currently, when a user logs in, I create 2 sessions.
$_SESSION['logged_in'] = 1;
$_SESSION['username'] = $username; // user's name
So that, for those pages which require login, I just do this:
if(isset($_SESSION['logged_id'])){
// Do whatever I want
}
Are there any security loopholes? I mean, is it easy to hack my session? How does...
I’m currently writing a pair of client/server applications. I was recently posed with the question of “how do I prevent someone from writing their own client application and using our server?” I really didn’t have an answer to that question because all of the secure communication stuff I have done to date is to ensure the communication...
I am interested in help selecting one of the common symmetric encryption algorithms (Twofish, AES, etc) based on performance criteria (fastest encryption/decryption). We are currently leaning toward AES, but since the communications we are sending back and forth don't really need that level of encryption, a less secure algorithm would b...
Hi.
I need to know how to go about implementing general security for a C# application. What options do I have in this regard? I would prefer to use an existing framework if it meets my needs - I don't want to re-invent the wheel.
My requirements are as follows:
the usual username/password authentication
managing of users - assign pe...
Has anybody experienced SharePoint always returning true for rlAuthorizationModule.CheckUrlAccessForPrincipal even if the virtual path is not configured to allow anonymous access? Is there an alternative method to check for anon access in SharePoint?
...
Do any current operating systems (Windows, Linux, BSD) provide drivers that enable user-mode programs to execute partly in the trusted execution mode (isolated from everything else running on the computer)? If so, where can the documentation be found?
...