security

OpenID retrofitting and can I trust where sensitive data is involved?

I am considering adding OpenID to our customer facing admin and control panel areas... 1 - Associating OpenIDs With Existing Accounts For customers that already have accounts with us, I'm thinking they would need to login using their existing account number that we issue and then I'd have a mechanism to associate their OpenID with tha...

Is exposing a session's CSRF-protection token safe?

Django comes with CSRF protection middleware, which generates a unique per-session token for use in forms. It scans all incoming POST requests for the correct token, and rejects the request if the token is missing or invalid. I'd like to use AJAX for some POST requests, but said requests don't have the CSRF token available. The pages h...

Best way to sandbox Apache on Linux

I have Apache running on a public-facing Debian server, and am a bit worried about the security of the installation. This is a machine that hosts several free-time hobby projects, so none of us who use the machine really have the time to constantly watch for upstream patches, stay aware of security issues, etc. But I would like to keep t...

How to programmatically simulate XP's "Windows Security" start menu option on Windows 2000

I'm trying to find a way to invoke the Ctrl+Alt+Delete dialog on a Windows 2000 computer that I'm connected to via Remote Desktop. Windows XP and 2003 include a new start menu command called "Windows Security" that does this, but Windows 2000 has no such option. It appears that Ctrl+Alt+End will do this, but it only goes to the outermos...

Return "correct" error code, or protect privacy?

OK, probably best to give an example here of what I mean. Imagine a web based forum system, where the user authentication is done by some external method, which the system is aware of. Now, say for example, a user enters the URL for a thread that they do not have access to. For this should I return a 403 (Forbidden), letting the user k...

How would you test an SSL connection?

I'm experimenting with OpenSSL on my network application and I want to test if the data sent is encrypted and can't be seen by eavesdropper. What tools can you use to check? Could this be done programmatically so it could be placed in a unit test? ...

Is encrypting AJAX calls for authentication possible with jQuery?

I'm fairly new to the AJAX methodologies (I only recently discovered jQuery a short time ago). I am interested to know if there is any way to securely authenticate a user on a PHP setup. Does jQuery have any special options to allow use of HTTPS (or any other way to encrypt my ajax call)? Yes, I could very well just post data back to t...

Classic ASP SQL Injection Protection

What is a strong way to protect against SQL injection for a classic ASP app? FYI I am using it with an Access DB. (I didn't write the app) ...

How do I password protect IIS in a method analogous to Apache's AuthType / AuthUserFile mechanism?

I'm used to doing basic password protection for Apache w/ the following method in Apache config files: AuthType Basic AuthName "By Invitation Only" AuthUserFile /path/to/.htpasswd Require valid-user However, I've been asked to put some protection on a subdirectory of a site running ColdFusion on top of IIS6, and I'm unfamil...

ASP.NET Single Login - Is distributing session the answer

We have 5 balanced web servers with various websites. What I am trying to achieve is to ensure a single login, i.e. the same user account cannot login to the same website more than once at any given time. The method I'm considering for solving this is to share session amongst the servers so I can control which session is assigned to w...

What are the potential problems with this WebService security scheme?

We have a service that handles authorization based on a User Name and Password. Instead of making the username and password part of the call, we place it in the SOAP header. In a typical scenario, a Web Service calls the Authorization service at the start of execution to check that the caller is allowed to call it. The problem is tho...

Encrypt plain text inside EXE / RAM :: HxD editor

HxD (hex editor) allows searching/viewing/editing RAM. How can I protect an EXE against such an editor? Data is encrypted inside INI/registry/DB, but is decoded in RAM. What is the solution? At runtime decode, use and re-encode data inside RAM ASAP? ...

How do I set HttpOnly on a session cookie in Rails 2.1?

I notice that Rails 2.2 (currently edge) supports setting HttpOnly on the session cookie. Is there a way of setting it on a Rails 2.1 application without moving to edge/2.2? ...

Digital Right Management (DRM) forward lock in Windows Mobile

Is it possible to apply DRM forward lock to windows mobile applications? ...

Secure communication between Flash and PHP script

I have little knowledge of Flash but for a little Flash game I have to store score and successful tries of users in a database using PHP. Now the Flash runs locally on the user's computer and connects to a remote server. How can I secure against manipulation of game scores? Is there any best practice for this use case? ...

FIPS compatible password encryption for .NET

I've been working on a WinForms application in VB.NET (3.5) that requires the user to enter domain administrator credentials. To make things easier on the user, they should only have to enter the user name and password once, and then just rely on my app to save these credentials. I'd like to save these credentials with the other user settings...

Checking for and not printing javascript in generated data?

In my php web app, suppose I want to go the extra mile and in addition to going gangbusters and being anal-retentive about sanitizing my inputs, I also want to ensure that no javascript is being output in strings I am inserting into templated html. Is there a standard way to make sure I don't put javascript in the generated html conten...

How do you manage asp.net SQL membership roles/users in production?

How do you setup an asp.net sql membership role/membership provider on a production machine? I'm trying to setup BlogEngine.NET and all the documentation says to use the ASP.NET Website Administration tool from Visual Studio but that isn't available on a production machine. Am I the first BlogEngine user to use it on a non-development bo...

Hiding a password in a (python) script

I have got a python script which is creating an ODBC connection. The ODBC connection is generated with a connection string. In this connection string I have to include the username and password for this connection. Is there an easy way to obscure this password in the file (just that nobody can read the password when I'm editing the fi...

WebRequest from localhost to localhost : why is it being denied?

...