Hey. I am new to the world of web programming and learning a bunch of fairly simple new pieces of tech, trying to piece them all together.
So, we have a simple client (currently iPhone, to move to J2ME soon) that's pulling down lists of data via PHP, which is talking to a MySQL db. I have a rudimentary user/login system so that data is ...
Here is the scenario:
I have some web services (JAX-WS) that need to be secured.
Currently, for authentication needs, I am providing an additional SecurityWService that gives an authorized user a userid & sessionid that need to be described in requests to the other services.
It would be much better to use some Java security. We have many of them but c...
Hi there,
I have a kind of ASP.NET forms authentication with code like this:
FormsAuthentication.SetAuthCookie(account.Id.ToString(), true);
HttpContext.Current.User = new GenericPrincipal(new GenericIdentity(account.Id.ToString()), null);
What kind of additional effort should I take to make the authentication cookie (that is user i...
I'm thinking of creating a diagnostics page for an ASP.NET app, which would be mostly intended for admin use to get more information about the application for diagnosing problems.
Examples of the info the page might have:
System.Environment.MachineName (might be useful in web farm scenarios)
System.Environment.Version
Environment.Use...
I'm having some Google failure here. Is there a plan or existing implementation of RFC 5054 in any of the major browsers yet?
If nobody has an implementation yet, then which major browsers have it on their roadmap? Where?
...
I'm having serious problems with accepting payments.
I'm passing the total amount in a hidden field
<input type="hidden"
name="checkout-flow-support.merchant-checkout-flow-support.shipping-methods.flat-rate-shipping-1.price"
value="129.00"/>
Some of the users changed this value to 2 using firebug and submitted the form. Instead o...
Hello!
Is it true that the following code adds an XSS vulnerability to some JSP page?
<!-- <%=paramName%>=<%=request.getParameter(paramName)%><BR> -->
It looks like a "leftover debug" and definitely should be removed from the code, but how dangerous is it?
...
Hi. I am working on cross-site authentication (some domains have got common authentication). So I want to send authentication data (login, password) to the main domain from the others.
How should I use protect_from_forgery, and how can I check if the data was received from a valid domain?
What I am thinking now is to turn off protect_from_forgery for se...
Hi there,
I have around 3000 SWF files; some are interactive with lots of ActionScript and some are just animated lessons for mathematics. Currently, users have access to these files through a web interface (PHP). Even though access to these files is restricted for unregistered users, the registered users can still download the f...
Hi!
There is a good tutorial
Basic Authentication with JAX-WS
But it describes the deployment descriptor for a web-based application (war). Is it possible to describe it in an EJB jar deployment descriptor?
For web.xml
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web...
In my application it is required that only certain pages need to be secured using SSL, so I configured it
<security-constraint>
<display-name>Security Settings</display-name>
<web-resource-collection>
<web-resource-name>SSL Pages</web-resource-name>
<description/>
<url-pattern>/*.jsp</url-pattern>
<http-method>GET</http-m...
Hi,
I'm developing a web app where users can respond to blog entries. This is a security problem because they can send dangerous data that will be rendered to other users (and executed by JavaScript).
They can't format the text they send. No "bold", no colors, no nothing. Just simple text.
I came up with this regex to solve my problem...
I'm developing an application where I'm concerned about locking down access to the database. I know I can develop stored procedures (with proper parameter checking) to limit a database user to an exact set of queries to execute. It's imperative that no queries other than the ones I created in the stored procedures be allowed to ...
Does anyone know if fyiReporting RDL reports require Full trust like RDLC, or can they work in Medium trust?
...
Hi -
I have in my website a PHP page which retrieves data from my database to be presented in my website. This page is called via AJAX. How can I restrict access to it to only pages within my website, so that users who want to abuse it and get this data not from the website itself (e.g. posting an HTTP request from their server) won't be a...
Dear all,
Here is my code
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
KeyPair myPair = kpg.generateKeyPair();
PrivateKey k = myPair.getPrivate();
System.out.print(k.serialVersionUID);
Cipher c = Cipher.getInstance("RSA");
c.init(Cipher.ENCRYPT_MODE, myPair.getPublic());
String myMessage...
I am developing an application in Rails 3 using a nosql database. I am trying to add a "Follow" feature similar to twitter or github.
In terms of markup, I have determined that there are three ways to do this.
1) Use a regular anchor. (Github Uses This Method)
<a href="/users/follow?target=Joe">Follow</a>
2) Use a button. (Twitte...
What's the best way to prevent a dictionary attack? I've thought up several implementations but they all seem to have some flaw in them:
Lock out a user after X failed login attempts. Problem: easy to turn into a denial of service attack, locking out many users in a short amount of time.
Incrementally increase response time per failed ...
Hello,
I am not a guru of stack tracing at all. I don't even know how to get one. Anyway, I am wondering if a password entered in an input box is safe. Can't it be retrieved by getting a stack trace?
A password entered that way will be found in many places:
Caption property of the TEdit
Result of the function which ...
I'm writing an Applet that makes some JSON-RPC calls. I'm using the Google JSON library (GSON) to cast the response JSON into a class. This seems to work fine as is, but when I use this code in my Applet, I'm hit with a java.lang.reflect.ReflectPermission. From what I read on this thread on SO, it seems that since GSON uses Reflection, I...