I have 2 pages: Login.aspx and Satis.aspx. I redirect from Login.aspx to Satis.aspx if authentication is correct. If I sign out from Satis I am redirected to Login.aspx. But if I write Satis.aspx's URL on web scanner I enter Satis.aspx. But I am not signed in to Satis.aspx. I shouldn't enter Satis.aspx directly.
my web config:
<authent...
What is the best practice when you need to authenticate specific OperationContracts, while using the default MembershipProvider for security (FormsAuthentication)?
I guess that doing Membership.ValidateUser and Membership.GetUser just won't cut it when using WebServices, right?
In other words: How can I verify that a user is allowed to...
I'm using json to pass data between the browser and a java server.
I'm using Json-lib to convert between java objects and json.
I'd like to strip out suspicious looking stuff (i.e. "doSomethingNasty().") from the user input while converting from json to java.
I can imagine several points at which I could do this:
I could examine the...
I am just wondering, if you are supposed to write a sort of really secure application with data being transmitted over insecure networks, what kind of encryption algorithm will you use in order to make it safe? I know several C++ libraries for encryption providing nice functions with different algorithms, but I'm not quite sure which ...
How do I use the sha512 function for PHP?
Can I replace all my md5 functions with the sha512 function?
Do I have to download something? If so, what?
Can anyone provide examples? Thanks!
...
I was wondering, if I use PHP's hash() function to generate sha512 hashes, how would my MySQL table field look in order to be capable of holding the hashed password.
Here is my current MySQL password field layout
char(40)
...
There are many security reasons why one would want to drop an HTTP connection with no response (e.g. OWASP's SSL best practices). When these can be detected at the server level then it's no big deal. However, what if you can only detect this condition at the application level?
Does Rails, or more generally Rack, have any standard way o...
I am in late testing phase of my web application. The application will be tested at a larger scale now.
During this time I want to test my website against various types of known penetration tools.
I am aware that it will be better to let a professional handle this subject, and this will be happening. But before I take that route I wan...
I want to let users create "apps" (like Facebook apps) for my website, and I'm trying to figure out the best way to make it secure.
I have a REST api
I want to run the user apps in an iframe on my own site (not a safe markup language like FBML)
I was first looking at OAuth but this seems overkill for my solution. The "apps" don't ne...
Best solution for using Access in a project for a database with security
I need to use Access with 600 megabytes in my project and my problem is low security.
For example, I can rename the Access database extension to increase security
and people don't use my database for other goals.
I will not use SQL Server for everyone to use my application ...
Hello, I am creating a Ruby on Rails website, and for one part it needs to be dynamic so that (sorta) trusted users can make parts of the website work differently. For this, I need a scripting language. In a sort of similar project in ASP.Net, I wrote my own scripting language/DSL. I cannot use that source code (written at work) though, ...
I have two web applications (A) and (B).
(A) is my primary web application.
(B) is purely for content storage, such as file uploads by users of (A).
What's the best way to securely retrieve data from (B) into (A) but in a way that does not expose the data in (B) to potential discovery by third-parties over the public internet or nosy us...
Is storing secret keys (internal use passwords and such) on iPhone source code and project resources (such as plist files) secure?
Obviously nothing is 100% secure, but can this information be extracted easily from an installed app?
How do you recommend storing these keys to use them in the source code?
Just in case, this question is...
I have a simple authentication scheme for a set of semi-public REST APIs we are building:
/-----------------------\
| Client POST's ID/Pass |
| to an Auth Service |
\-----------------------/
[Client] ------------POST----------------------> [Service/Authentica...
Hello,
I have been reviewing a number of applications for securely deleting files. I understand the concepts of overwriting the file several times with zeros and random characters; however, I don't understand the concept of renaming the file up to thirty times before actually deleting the file. Any feedback would greatly be appreciated....
I have a JSON web service to return home markers to be displayed on my Google Map.
Essentially, http://example.com calls the web service to find out the location of all map markers to display like so:
http://example.com/json/?zipcode=12345
And it returns a JSON string such as:
{"address": "321 Main St, Mountain View, CA, USA", ...}
...
I currently run several research-related web-sites with active users, and these sites use some personally identifying information about these users (their email address, IP address, and query history). Ideally I'd release the code to these sites as open source, so that other people could easily run similar sites, and more importantly scr...
I have http://example.com/index.html, which from within the HTML uses JavaScript (XmlHttpRequest) to call a web service at http://example.com/json/?a=...&b=...
The web service returns to index.html a JSON array of information to then be displayed on index.html.
Since anyone can view the source code for index.html and see how I'm c...
[Authorize] property is a nice and handy MS invention, and I hope it can solve the issues I have now.
To be more specific:
When the current client isn't authenticated, [Authorize] redirects from the secured action to the logon page and, after logon was successful, brings the user back; this is good.
But when current client already authenticated but no...
Talking about javax.crypto.Cipher
I was trying to encrypt data using Cipher.getInstance("RSA/None/NoPadding", "BC") but I got the exception:
ArrayIndexOutOfBoundsException: too much data for RSA block
Looks like it is something related to the "NoPadding", so, reading about padding, looks like CBC is the best approach to use here.
I foun...