I intend to use SSL on the login form so that the username and password is encrypted during user login. But, after the user has been authenticated, if I return to HTTP, the Autentication Cookie will be passed from client to server on each request. How safe is this? Obviously i'll use SSL on pages where the user is entering sensitive in...
Folks, We have an intriguing technical challenge. How to write a secure audit file that tracks usage of a software so license fees can be based on usage thereby making it more affordable to those who use it less. Specifically, TickZoom sells a alpha generation trading platform for hedge funds which presently costs $2,000/month to licen...
I'm trying to lock down a registry key with some important information that must be accessible at the client machine, I do not wan't non-administrators to have access to this key. If you are an admin you'll already be able to do more damage than what I'm storing in the key. What I'm currently looking to do is this: //Allow access only...
What is a secured login? How do I develop one in PHP? Please keep in mind that I'm just a beginner in PHP. ...
I want the clients of several related web apps to hold their own authentication state. This improves scalability, because no session replication between cluster nodes is needed. And it makes integration of different server technologies like Java Servlets and PHP easier. My plan is as follows: Set a signed and encrypted cookie with th...
As you might know, browser's security model does not allow a script loaded in a page from http://www.example.com to make cross-domain requests (no AJAX calls to any other domain other than www.example.com). The Javascript file itself could have been served from a different domain altogether (www.javascript.com/myscript.js) and that is ir...
Is it possible to sign a document stored in DB on server using CAPICOM+javascript on client ? I´m developing web/intranet application. User need to attach his signature to document stored in server database - detached signature (p7s file) and upload this signature back on server. How to get document on client ? Is it possible to hash d...
We are using c# webservice hosted in IIS. Webservice uses WSE3 extensions for Kerberos authentication. Sometimes webservice crashes with unhandled exception, which is loged in event log: Ereignistyp: Fehler Ereignisquelle: ASP.NET 2.0.50727.0 Ereigniskategorie: Keine Ereigniskennung: 1334 Datum: 22.01.2010 Zeit: 08:39:49 Benutzer: Nicht...
I have a normal HTML page in a normal Apache http server (http://yyy.yyy.yyy.yyy/index.html ), with an authentication form, with that form I need to access with the credentials to an application located in other server with diferent IP , that server have a secured application with tomcat: here is the login form in the apache http server:...
Hi I cant seem to find the old mscorcfg.msc snap in to give .net permission to access a shared network drive. Ive downloaded the Windows SDK 2008 which superseded .NET 2.0 SDK (Where it used to be) but cant find it. Does anyone know if it has been deprecated? Is there a new way to give .Net permissions to a shared network drive? ...
I'm looking for a key exchange solution between a .NET app and an embedded device. The two endpoints have a shared secret key, making the Elliptic Curve Diffie-Hellman (ECDH) algorithm excellent for securely exchanging a master secret for the session. There is a good C++ library, crypto++, which implements ECDH and is suitable for the e...
Hi all, MY PLATFORM: PHP & mySQL MY SITUATION: I am building an app. where users can sign up for an account for the services that I provide. I want to restrict a user from signing up for multiple accounts and users from all over the world can create an account of their own. That being said: What can I do to prevent multiple accounts...
Is there a way how I can check programmatically which user is used when my application accesses resources? I have a production system which only our admin can access. Sometimes it is not clear what part of the system is wrong: Lets say when logging is not working. It is always possible that the web.config is wrong, but sometimes the dir...
I'm attempting to do some soon-to-be-routine testing for cookie value injection for some of my web apps (ASP.NET, if that ends up mattering). I'm trying to insert some Javascript and SQL-specific code for this, but having some problems. I have FireFox, IE 7 and 8, and Chrome. FireFox's Add N Edit Cookies extension won't allow me to chan...
I built a search provider for Windows 7. (using .osdx file and RSS web site) the element in the returned RSS contains local file path. example: <link>c:\windows\win.ini</link> The problem is that the files shown in the search result window with the following message: This item was blocked because of your Internet security settings...
Hi, I'm using the annotations provided by the Spring Security (AKA Acegi) plugin. I have controller actions annotated with @Secured(['ROLE_ADMIN', 'ROLE_USER']) To indicate that they should be available to administrators and regular users. But now I need to indicate that an action is available to administrators and unregistered user...
Is there a way to restrict what an iframe is allowed to do in the parent? What I am looking for is a security model surrounding Javascript that looks something like: ... <script type="text/javascript" src="jquery-1.3.2.min.js"></script> <script type="text/javascript"> function AllowedToAccess() { } function NotAllowedToAccess() { } </...
Hi, I am developing a PHP Application on Linux server. my application user are stored in LDAP Directory with their domain logins. Now, what i need to do is to give them SSO, attached with there domain credential so when a user logs in to the domain they will not be asked to provide their loginname and password. To do this, I have impl...
If your website is providing an OpenId only authentication method (e.g. SO), what would be a best practice for handling a user whose openId account is lost or stolen or whatever...effectively preventing them from using your site. If the user had associated two open ids to their account then they could use the other login etc but in the ...
Hello, I'm working on a project in GWT, however, I need to store the uploaded files on my personal web server. The user will upload the files using GWT, my back end will store the files information in AppEngine's database and send the file to the server. I'm thinking of creating a PHP script on the web server that will handle the file...