I'm trying to implement "some sort of" server-client & zero-config security for some WCF service.
The best (as well as easiest to me) solution that I found on www is the one described at http://www.dotnetjack.com/post/Automate-passing-valuable-information-in-WCF-headers.aspx (client-side) and http://www.dotnetjack.com/post/Processing-cu...
I have a signed Java applet. And it works fine. But now I have to integrate some 3rd party JAR files with it. When I test it from Eclipse, the whole thing works correctly. But when I test it as an applet, it gives me a java.security.AccessControlException: access denied (java.io.FilePermission ...)
I thought this was because those 3rd p...
I want to create a token generator that generates tokens that cannot be guessed by the user and that are still unique (to be used for password resets and confirmation codes).
I often see this code; does it make sense?
md5(uniqid(rand(), true));
According to a comment, uniqid($prefix, $moreEntropy = true) yields
first 8 hex chars = ...
Does Struts 2 have a complete solution for a simple login task?
I have a simple declaration in struts.xml:
<package namespace="/protected" name="manager" extends="struts-default" >
<interceptors>
<interceptor-stack name="secure">
<interceptor-ref name="roles">
<param name="allowedRoles">registered</pa...
What is the best way to check if a user has correct rights to run an action?
I have a couple of ways in mind, some of which I like more than others:
1) Use the PrincipalPermission attribute which is simple and very low on LOC written. Major con is that it requires a code release (and testing) to make any changes in security.
2) Use the A...
Sometimes I come across a web development framework which doesn't provide an authentication feature as in ASP.NET Authentication.
I was wondering what security measures need to be considered when implementing a "Remember Me" login feature by hand coding.
Here are the things I usually did.
1) Store the user name in a cookie. The...
Hi,
I'm developing an ASP.NET Web app and would like the user to be able to either upload an image from their local system, or pass in a URL to an image. The image can either be a JPG or PNG. What security issues should I be concerned about doing this? I've seen various ways of embedding code within JPG files. Are there any methods in ...
phpass is a widely used hashing 'framework'.
Is it good practice to salt the plain password before giving it to PasswordHash (v0.2), like so?
$dynamicSalt = $record['salt'];
$staticSalt = 'i5ininsfj5lt4hbfduk54fjbhoxc80sdf';
$plainPassword = $_POST['password'];
$password = $plainPassword . $dynamicSalt . $staticSalt;
$passwo...
phpass is a widely used hashing 'framework'. While evaluating phpass' HashPassword I came across this odd method fragment.
function HashPassword($password)
{
// <snip> trying to generate a hash…
# Returning '*' on error is safe here, but would _not_ be safe
# in a crypt(3)-like function used _both_ for gen...
All I can make out is that one of them is the BC for all 'DES' algorithms to be derived from and the latter is a wrapper for the Cryptographic Service Provider implementation of the DES algorithm.
The reason why I ask is that I am going over .Net Security and the MS official training book simply refers to the DES class but the another of...
Hello All...
I have created a Web Service using ASP.NET 3.5. Now it's working perfectly on a live Windows server, and giving me perfect XML when invoking it using a URL like:
http://www.somedomain.com/Service.asmx?op=fetchData
Now my question is, when I am accessing a URL like:
http://www.somedomain.com/Service.asmx
it's listing my c...
Hi,
I have been working on creating an RSS reader app for the iPhone which allows me to view RSS from an external feed. However, for the project I'm working on I need to be able to view an authenticated RSS feed which is behind a login. I'm struggling to write the code to do this.
I need the app to ask the user to enter:
The url they wish to ...
I am busy writing a login page in Silverlight.
I am using an Authentication Service that processes the logins and I am also creating a custom Membership and Roles providers.
Everything is working but I need some assistance. I would like some advice on how to redirect the user to the page they came from before they were pushed to the Login ...
Hi SO people, I'm very surprised this issue hasn't been discussed in-depth:
This article tells us how to use windbg to dump a running .NET process's strings from memory.
I spent much time researching the SecureString class, which uses unmanaged pinned memory blocks, and keeps the data encrypted too. Great stuff.
The problem comes in when ...
I guess there are two parts to this question, one technical and one best practice for security and doing things "right".
I'm working on a little game using C++ / directx but I would like to be able to launch it from a web page by someone clicking on a link on that page.
Ideally I would like the first time they clicked for it to launch ...
What is the best practice for a secure socket connection (without SSL)?
I will be moving sensitive data (logins/passwords/accounts) across TCP Socket connection, and wondering if there is a good/fast way of Encrypting/Decrypting and avoiding malicious injection.
...
Hello,
I'm working on a C++ project that is supposed to run on both Win32 and Linux; the software is to be deployed to small computers, usually working in remote locations, each machine likely to contain its own pool of users/service-men.
Recently, our client has requested that we introduce access control via password protection.
We are...
Hi Folks,
AFAIK, you can change/manipulate browser settings in Mozilla/Netscape browsers.
For Instance "netscape.security.PrivilegeManager.enablePrivilege('someprivilege');"
Of course the user gets informed about that and needs to verify the action.
My question is, do other browsers have similar functionality? IE, Safari/Chrome?
Kind...
I'm creating a web service with create/update/delete calls. But for now I'd like to restrict use of it on my own web app and no other clients. How can I have clear text javascript code that makes these calls but still be confident the credentials won't be used elsewhere?
My idea is to use server side generated nonces for each request. B...
If I use code like this [just below] to add Message Headers to my OperationContext, will all future out-going messages contain that data on any new ClientProxy defined from the same "run" of my application?
The objective is to pass a parameter or two to each OperationContract w/out messing with the signature of the OperationContract, s...