The answer to this question: http://stackoverflow.com/questions/1210609
Doesn't really tell me much... doesn't tell me anything at all to be blunt.
I came across a blog about performance in .NET and it mentioned this:
Do You Use Declarative Security?
Where possible, it is recommended that you use declarative security instead of impera...
I am making a custom ftp client that logs onto a single ftp site and goes to a specific folder to avoid users' putting files in the wrong place.
I'm not super concerned about it, but the password is just a string to initiate the new ftp object.
FtpClient ftp = new FtpClient("www.markonsolutions.com", "user", "password");
What is the ...
Hello and thanks to everyone for reading my question.
I've been working on a PHP web program for a little while and was wondering what measures should I take to protect the source before putting it on a live server. The source isn't being distributed, it's being accessed through a website (users log into the website to use it).
First...
Yesterday I asked Are GUIDs generated on Windows 2003 safe to use as session IDs? and the answer, combined with this article GUIDs are globally unique, but substrings of GUIDs aren't, prompted me to think about replacing my current mechanism of using GUIDs as session IDs in cookies.
Because it's a bit of work to make that c...
In ASP.NET MVC 1.0, there is a new feature for handling the cross-site request forgery security problem:
<%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
// ... etc
}
and I found that the token generated in the HTML form keeps changing every time a new form is rendered.
I want to know how these token...
I'm developing an ASP.NET intranet website with an ActiveDirectoryMembershipProvider and a SqlProfileProvider.
One of the requirements of my website is to have a "Birthdays" page, which would require me to list all profiles and retrieving the birthday information from it.
I approached the problem as follows:
Invoke the Membership.GetA...
Hi
I'm really stuck on getting my SOAP messages to work. I've tried many approaches but they all have the same problem in common: they don't have a security header.
The security header needs to contain a username and password. In VB.Net this is done by:
userNameAssertion.UsernameTokenProvider = new
UsernameTokenProvider(username, pass...
My WindowsForms application needs to access the Internet, but when I try to open a WebRequest the application crashes. I noticed when I run the application from a simple folder (My Documents for example) it works, but if I run from "Program Files" folder it doesn't.
I know that the problem resides in the UAC permissions, but I don't unde...
So I have a form that accepts some input from a user that may at a later time be represented on the page.
The way I'm thinking of doing this from a security point of view is to take the input, apply the mysql_real_escape_string() function to all input, then insert using a prepared statement.
When retrieving the data, I'll do a htmlspec...
I have some sequential id which can be easily guessed. If someone wants to see data related to this id, he has to prove his access with a token I gave him before.
token = md5(secret_key + md5(id))
Is MD5 good enough for this job?
...
I am using SharePoint solely as a repository to store and retrieve large files (~100 MBs). How can I authenticate a web application such that it can upload and download files to a document list on SharePoint 2007 without using Windows integrated authentication?
The web application will handle the authorization - it'll figure out which...
Due to some restrictions, we have to run the service as LocalSystem. I have generated a certificate and placed it in the following stores:
Certificates (Local Computer)
Certificates - Service (SQL Server (MSSQLSERVER))
Certificates - Service (SQL Server (MSSQLSERVER))
Certificates - Current User
I am a domain admin. Every time I go ...
In ASP.NET WebForms apps, is there not any kind of maintenance UI page to edit and maintain the Profile properties of a User (I'm using VS2008 and the Web Application template), like in the WSAT Web Site Administration Tool where you already can edit the basic Membership and Role properties for a User? I'm using the basic SQL Express ...
My company has a large application we are finishing up. It utilizes WCF as the backbone with Active Directory for authentication. This works perfectly for one of the two sites, as the authentication model is Windows and you have to be part of the domain to sign into the site. The question I have relates to the other site, which is externa...
This is the scenario:
- Hosted web application.
- Application trust level is full trust, because of external components.
- Customer should be able to customize some web pages.
I thought about using an html template that they can modify. But it is not flexible enough.
For example if there is logic things get messy and difficult: if u...
Hello,
Firstly, I do not have any malicious intent behind this question. I would like to know what text to copy-paste and test in my text areas and text boxes to see if they are stripped correctly.
Currently I use something as limited as:
<script>
alert('xss');
</script>
<a href="www.test.com" onclick="javascript:alert('xss');">test</...
How to add a host to MySQL's list of hosts it can accept connections from.
...
Currently, we have an .hta file that employees use to update certain elements of their active directory profile. This alleviates system administrators from having to deal with that issue. The reasoning for a .hta file is obvious. It lifts a lot of the security blockades in place and allows a machine to do things (such as update an ac...
What is generally accepted as the best practice for an ASP.NET site to implement security authentication and authorization that is not based on Windows AD and stores account information in a database? Is it to use the built in Forms Authentication, a stock or custom rolled MembershipProvider, the Enterprise Library Security Block?
Are ...
What is the best thing to store in a cookie to keep a persistent logged-in state?
I have seen many websites (and beginner tutorials!) that simply store something like validUser=1 in a cookie. Clearly I could spoof that and the website would think I was a valid user.
If the username is stored in the cookie I could masquerade as any user...