security

AJAX toolkit and web config security

Hey everyone, I'm using ASP.NET and the AJAX toolkit and was wondering if there are any security aspects I should be concerned about. I've never used the AJAX toolkit before, and usually from standard controls, there are postbacks which I use to validate input. I assume this is the same with the AJAX controls, but are there any extra ...

Can someone explain "Authorizing Ownership" (see Railscasts)?

Can someone explain "Authorizing Ownership"? I've been going through the Railscasts' 7 Security Tips, and was wondering how "current_user.projects.find" is implemented? # projects_controller.rb def show @project = current_user.projects.find(params[:id]) end Thank you! ...

Sensitive Data In Memory

I'm working on a Java password manager and I currently have all of the user's data, after being decrypted from a file, sitting around in memory at all times and stored plainly as a String for displaying in the UI etc. Is this a security risk in any way? I'm particularly concerned with someone "dumping" or reading the computer's memory i...

Is there an API for stopbadwares to check if a URL is dangerous?

Hello. I want to use the functionality of www.stopbadwares.com and implement it in my web app using PHP, so I can pass a URL and check if it contains badware or is dangerous to use. Is there an API, or class, or something to do that? Or even if there isn't, is there a similar service, to protect my users from sharing bad links ...

How to Check Authenticity of an AJAX Request

I am designing a web site in which users solve puzzles as quickly as they can. JavaScript is used to time each puzzle, and the number of milliseconds is sent to the server via AJAX when the puzzle is completed. How can I ensure that the time received by the server was not forged by the user? I don't think a session-based authenticity to...

What is the (most?) secure way to handle database connections in a web application?

I have a web application written in Perl using PostgreSQL. When accessing the PostgreSQL database I need to supply both username and password. In order to have the password available for unattended start-ups of the system I need to have that password embedded in my application or in a configuration file or as an environment variable confi...

What is the recommended way to encrypt user passwords in a database?

In a web application written in Perl and using PostgreSQL the users have username and password. What would be the recommended way to store the passwords? Encrypting them using the crypt() function of Perl and a random salt? That would limit the useful length of passwords to 8 characters and will require fetching the stored password in ...

JEE Role Management systems - do they exist?

I'm looking at creating a decentralised role-management system which integrates with JEE roles. Does anything like this exist? Example use cases: System A is a limited-access system which uses corporate roles. John joins a team, and requires SYSTEM_A_READONLY to perform his function. He logs on to the decentralised role-management syst...

How does a CA decide if entity is trustworthy

Hello, I am currently programming a Certification Authority for a uni class, and I am struggling with the concept of creating the certificates. How does a CA usually decide whether it should give a certificate to an entity? Is it enough to prove that the entity is the owner of a public key by signing a certificate request with their ...

Java web app security: adding tokens to requests

I'm looking for a method or current API that allows you to add tokens to web app requests. Maybe within the session but not persisted. Or could you help me by outlining an efficient method for doing this? E.g. 1. GET request => Servlet generates a token and prints it in the view 2. Returns a view with a hidden token <input typ...

Who should own the private key used to sign a .NET assembly when its project is open-source?

More specifically, a class library assembly. My initial thoughts: Have some designated administrators do all the assembly signing. But then when bug fixes and new versions are written, the binaries would ultimately depend on them being around (even if it's just a small change for private reasons). The key could be publicly available. Bu...

Is it secure to upload an application on VPS Hosting Companies?

This is the first time I've had to deploy an application on a VPS host somewhere around the globe. There are plenty of companies offering VPS services (Linode, Slicehost...). VPN looks to me like the most configurable/secure way of deploying my app (as I'm not a big company with its own servers/upload bandwidth). My question is: Can we trust VPS...

How do I change the value returned by WindowsIdentity.GetCurrent in ASP.net?

I'm writing an ASP.net application and I'm working with the WindowsIdentity.GetCurrent() function. I want to know how (or if it's possible) to change what identity the ASP.net application runs as. I eventually want to run it as an account associated with the end-user. I understand I can do this with Windows Authentication in IIS, but ...

Web Services only connecting to Trusted Devices

I am on a project that uses web services to communicate with hand held devices (Symbol MC70s running windows mobile 5). We need to make sure that others on the internet can't connect to the web services and start sending info. I have made a certificate so that the hand held will only connect to my services, but I don't know how to make...

What are common username and password policies?

Edit Jan 18th 2010: Is there any symbol that should NOT be allowed in a password? ========================================= Hi, I am wondering what 'common' policies are out there for username/password when creating a new account on a website. This is currently what I have: =========== For username ================== Length between...

How do I securely sign data with a timestamp?

I would like to sign records in a database with a secure timestamp to prove they have not been altered by anyone after that date. What methods or services should I consider? RFC 3161? Does anyone provide that service /and/ have a reputable-looking website? Is it possible to roll your own? ...

AppDomain.CreateInstanceAndUnwrap fails if library's name has been changed

Greetings, I have an application that allows users to import libraries (.NET DLLs) they've created, as long as the library conforms to specific guidelines I've given them (use my namespace, decorate methods with my attribute, etc.). I copy each user lib to an internal directory and then load it into its own app domain (so user can unloa...

Safe way to Store Credit Card Info Across Pages ASP.NET MVC

Hello, I'm running ASP.NET MVC and need a safe way to store credit-card data temporarily (I have an order confirmation page, which posts to an action that actually processes the order). I tried TempData, but it doesn't survive the post. Can I safely use session since it's stored on the server? Thanks. ...

How can web security from systems' perspective be taken care of in Cloud?

Hello. While choosing between shared hosting and Cloud hosting I have always been inclined to go for the latter. However, one aspect that always worries me about Cloud is security. Here I'll try to be more specific. When I go for shared hosting, the foundation software is already there for me and it is configured to the best suitable...

How secure are Authlogic passwords?

I'm planning to make the database of a Rails project available for download publicly. This database contains an Authlogic users table, with crypted_password and password_salt fields. How securely are these passwords stored... is it safe to make them available publicly this way? Or should I look at implementing another authentication syst...