We are currently having an issue with cache settings on a shared workstation at one of our client sites. Basically, they had set their IE browser on their machine to "never" for when to check for new versions of a site. This causes some of our pages to show another user's data after one user logs out and logs back in. What are my options...
I understand there isn't a way to interrogate a user's IE settings directly due to security reasons, but is there a way to derive this answer with some other mechanism? I would like to stop a user from using my site if the setting "Check for newer versions of stored pages" is set to "Never". Any suggestions?
Is there a way I could te...
I just wondered whether (with some serious paranoia and under certain circumstances) the use of the QuickSort algorithm can be seen as a security risk in an application.
Both its basic implementation and improved versions like 3-median-quicksort have the peculiarity of behaving deviantly for certain input data, which means that their runt...
I am somewhat new to PHP coding and I am aware that malicious users can hack a website if you have not sanitized your PHP code. What I am wondering is whether they need a data entry box (like for file submissions, or user-name/password entry fields)? Do commands like "include (header.php)" also need some sort of security or are they inn...
Hi!
I'm working on this project in which an admin user can create some User Groups that will work as the project roles.
So, the admin will create a User Group named "SuperAdmin" and will select in a dropdownlist the users that will be part of this group.
I've worked before in a solution using RoleProvider and using Controller's At...
I'm trying to make a "normal" username/password login form secure, without needing HTTPS. My idea is this:
Server generates a keypair for some kind of asymmetric encryption algorithm. It stores this keypair in a temporary table of sorts (or perhaps the local session data).
Server sends the form to the client and includes the public key...
Hi all,
I have a pre-existing public/private key pair for RSA encryption which I need to use in .NET.
All the examples I can find online demonstrate how to generate a new private/public pair and then encrypt/decrypt, i.e. something like this:
const int PROVIDER_RSA_FULL = 1;
const string CONTAINER_NAME = "SpiderContainer";
CspParameters...
What APIs, Cocoa or Core Foundation, can I use to make sure that when I write back to a file that already exists on the storage device, the bits get written over? The idea is to clear out the bits for security reasons.
...
I currently have a website (ASP.NET 3.5, IIS 7.0) that allows users to upload Excel files for processing. Should I be concerned with viruses and malicious code being executed when the document is opened?
We are currently using the .net office interop assemblies to fetch the information from the document, the information isn't exactly ta...
I'm thinking about creating a 'session' table that contains a random #, User ID, Date/Time that is populated when a user logs in and the random # used in each displayed page to uniquely identify the person. Each time the user displays a page the record will be updated with the most recent date/time activity, if there has been no activit...
I have a program that's creating a secure directory for user output. This is working correctly, but the files I create in it (or copy to it) are ending up with only administrator access.
DirectoryInfo outputDirectory =
baseOutputDirectory.CreateSubdirectory(outputDirectoryName,
GetDirectorySecurity(searchHits.R...
I've been asked to implement some changes/updates to an intranet-site; make it 'future proof' as they call it.
We found that the passwords are hashed using the MD5 algorithm. (The system has been around since 2001, so it was adequate at the time.)
We would now like to upgrade the hashing-algorithm to a stronger one (BCrypt-hash or SHA-256)...
This desktop app written in VB.Net within VStudio 2008 fails when one of our "power users" tries to run the program:
Select permission denied on object 'AcctLogon', database 'MDS', owner 'dbo'.
The author of the app is out for a few weeks and I am the "fixer" while she's out. Both of our logins for SQL have permissions for db_owner i...
I'm new at PHP and I'm trying to figure out if this is a bad idea or a security risk.
I have a table of data that I provide to a user. It has a default stylesheet that it loads, but if the user wants to include their own, I've made it so they can just point to their stylesheet instead:
http://www.mysite.com/info.php?css=http://www.some...
I came across aSSL, which appears to be a couple of years old, and was wondering if anyone has other examples of "secure" AJAX connection code? Obviously, this wouldn't be as secure as using an SSL certificate, but with the null character SSL attack out there (recently demonstrated against PayPal), would it be worthwhile to revisit someth...
I know SO isn't traditionally used this way (or maybe it is), but I've been learning about webapp security and was thinking it would be nice and encouraging to hear from SO experts what they think of this article (I'm reading it now, it's on session security).
http://carsonified.com/blog/dev/how-to-create-bulletproof-sessions/
Maybe w...
I am using .NET Remoting to handle intra-process communication between a master service and numerous (sometimes 50+) instances of a small client library. From a security standpoint, it is imperative that the service only accepts connections from the local machine, and no one else -- yet I cannot find any information on how one does this, ...
We're trying to "lock down" a computer such that we have a generic login account for Windows XP that has very few permissions. Our software is then launched via a launcher that runs it as a more privileged user, allowing it to access the file system.
Then, an operator will login to our software and we were hoping to authenticate their cr...
Is there a best practice way to store username and password on the iPhone? I am looking for something that is obviously secure but will also keep the info between app updates.
...
I work for company A. Company A has a sister company B. Both companies A and B use the same ERP database. I have created an SSRS 2005 report that can be used by both companies. It has a CompanyID parameter that determines whether to display data for company A or company B.
For most reports this will be OK, but for company-sensitive info...