I have a WCF client/service app that relies on secure communication between two machines and I want to use x509 certificates installed in the certificate store to identify the server and client to each other. I do this by configuring the binding as <security authenticationMode="MutualCertificate"/>. There is only one client machine.
The...
On step 3 I have a form which accepts a credit card, Step 4 re-prints the information including the last 4 digits of the credit card, and Step 5 I need to know the full CC # to process it and send it through my https connection to a 3rd party vendor - should I store it through hidden inputs or $_SESSION so I can access it in between the ...
I was wondering what would be the safer option when users have forgotten their password
Send a randomly generated new password to the email address (all email addresses in my database are confirmed to work).
Or
Send an email with a link that expires within a certain time frame where the user can reset their password.
Aside from t...
I am having some issues with accessing files using JWS (Java Web Start). The program adds a new label and image. The program runs fine on my local computer but gives me pages of errors when I run the program on my remote server using JWS. Here's a sample of the error:
Exception in thread "AWT-EventQueue-0" java.security.AccessControl...
Hi,
Is it possible to restrict the access of an ASHX or WCF service to only AJAX calls from your own domain?
In order to improve site performance, we want to use the full jQuery & MS AJAX 4.0 approach; however, exposing our retail data via an ASHX or WCF service makes it much easier for competitors to harvest our data.
Yes it is a pub...
This is our setup - our customers will have a database server with our database on and multiple clients running our frontend. We have some WCF services to allow the clients to request info from the database and each WCF session is authenticated with a username/password stored (encrypted) in the database. This all works fine and has been ...
What's the best way to open a URL feed in codeigniter? I'm assuming I can't put the URL in a file upload input, so should I use a normal text input and then validate that the URL is not malicious? If so, what validation tests should I perform on the user inputted string? Would checking the file extension be enough or can this easily be m...
Hello,
Two clients Alice and Bob use a server to login and exchange messages through the server. On login, they both send their public keys to be stored on the server. When Alice wants to speak to Bob, she encrypts a symmetric key with Bob's public key and sends it to Bob through the server.
How can I make sure that the server doesn't...
I have a product in mind that would benefit from third-party developers being able to hook into the product with their own custom code. My product would call the developer's code. The trick of course is how? Embedding the code is a terrible idea as it is completely unsafe. A malicious developer could do all sorts of Bad Things.
I could ...
I’m not speaking about Apple’s Keychain Services Programming Guide or the Certificate, Key, and Trust Services Programming Guide. The official reference is OK and points you in the right direction, but there aren’t any sophisticated examples I could find. It would be great to have more documentation about how you should handle cerfiticat...
I have an ASP.NET application running on a Windows Server 2008 box with IIS 7. The application started on Windows Server 2003 with IIS 6.
When I changed servers I learned about how Microsoft changed the default settings for IIS 7 to be more secure. One of the changes was, the user account set as the identity for the Application Pool had...
As I continue to build more and more websites and web applications I am often asked to store user's passwords in a way that they can be retrieved if/when the user has an issue (either to email a forgotten password link, walk them through over the phone, etc.) When I can I fight bitterly against this practice and I do a lot of ‘extra’ pr...
An auditor reviewing our system was suggesting that our data should be stored on a separate physical server from the web server. We're running SQL 2008 on a Windows 2003 machine with IIS as the web server running ASP.NET 3.5 applications.
I can't think of any significant reason that there would more security by having SQL on a separate ...
Hi,
What I need is to add data to an SPList and update a Membership account from an anonymous account. Simpler: I'm trying to write the activation procedure for an anonymous user's already registered account.
I was trying to do this using mechanism of elevating permissions, but it fails. Is there any way to hard code credentials of some user, log in before s...
Hi!
A user types a specific username and password, that username and password is in the program converted to something else! But... that password is in my program plain text, in the source code. Is that safe? Can people somehow get that out? What can I do to prevent that? Can people somehow decompile my program and read that password?
...
Hi, guys
I am developing a web app by using Grails and using Grails LDAP as my Authentication mechanism. However, I always get the following error:
{Error 500: Cannot pass null or empty values to constructor
Servlet: default
URI: /ldap-app/j_spring_security_check
Exception Message: Cannot pass null or empty values to constructor
Caused by:...
I am currently looking to implement DUKPT (Derived Unique Key per Transaction) and am lost on how to successfully implement it. Does anyone know a step-by-step guide/existing implementation out there, or some more information on the actual implementation of the solution in a client-server application?
An introduction to DUKPT:
In cr...
Hi,
really quick question
please look at the following example
$dbConnect = mysql_connect($host , $username , $password) or die ("BIT OF A PROBLEM PLEASE COME BACK LATER");
is this a good way to do it or should I maybe use
$dbConnect = mysql_connect($host , $username , $password);
if(!$dbConnect)
{
echo "COULD N...
Hi,
Where is the safest place to store my values which will be used in mysql_connect? Also, what is the safest way to call these variables: would it be better using a require, include or something else?
thanks :)
...
We're making a system as a group, and I'm the lead programmer. And I don't want one of my group members to be able to steal my code and brag to others that they're the one who made it. Is there any technique that I could employ so that the code will be disarranged or encrypted or anything so that I'm the only one who could read the...