security

Session ID Rotation - does it enhance security?

(I think) I understand why session IDs should be rotated when the user logs in - this is one important step to prevent session fixation. However, is there any advantage to randomly/periodically rotating session IDs? This seems to only provide a false sense of security in my opinion. Assuming session IDs are not vulnerable to brute-for...

Determining when or when not to escape output

I have a page, where I have approximately 90 items I need to output. Most of them are object properties (I am using ORM so these objects map to my database tables). But the question is, do I have to encode each of those 90 outputs by applying functions to each (in my case, the htmlspecialchars)? Wouldn't that add a bit of an overhead (ca...

How do I secure all the admin actions in all controllers in cakePHP

Hello Everyone, I am developing an application using cakePHP v 1.3 on Windows (XAMPP). Most of the controllers are baked with the admin routing enabled. I want to secure the admin actions of every controller with a login page. How can I do this without repeating much? One solution to the problem is that "I check for login information ...

establishing strong web security

I have seen many sites who claim to have bank-grade security encryption. If their web sites have been built with PHP, what other forms of security can exist aside from using mysql_real_escape_string and 128-bit SSL encryption? ...

Why is it necessary to remove and then re-add a user to a SQL Server database after restoring it from a file?

Why is it necessary to remove and then re-add a user to a SQL Server database after restoring it from a file? If I don't do this, I get a "User login failed" when trying to access the database using this username from apps. ...

Is there any way to view PHP code (the actual code not the compiled result) from a client machine?

This may be a really stupid question... I started worrying last night that there might be some way to view PHP files on a server via a browser or some other means on a client machine. My worry is, I have an include file that contains the database username and password. If there were a way to put the address of this file into a browser or s...

What are best practices for securing the admin section of a website?

I'd like to know what people consider best practice for securing the Admin sections of websites, specifically from an authentication/access point of view. Of course there are obvious things, such as using SSL and logging all access, but I'm wondering just where above these basic steps people consider the bar to be set. For example: A...

Nasty things user supplied ruby code in server can do

I'd like to run user-supplied Ruby code on a server; what are the potentially nasty things that can happen? I mean things like deleting files etc. Can you give me more examples? Thanks in advance! ...

SAFE levels in JRuby

Are SAFE levels supported in JRuby? If not, are there other ways of safely running user-supplied code on a server? ...

Update on Acegi roles for user?

If a logged-in user gets a new role, what does he have to do to get all permissions based on this role? Logging out and logging in again does not work. Reassigning the roles with an admin account works. Do I have to delete all roles given to this user, and reassign them? The role model is hierarchical: ROLE_POWERUSER > ROLE_USER ...

How do I remove the help icon and link from the SharePoint header?

According to Microsoft, the SharePoint help pages present a security concern and should be disabled. Since we don't want users clicking on a broken help icon, it needs to be removed as well. What's the best way of removing the icon and the separator pipe that's to the left of it? ...

Set HttpContext.Current.User from Thread.CurrentPrincipal

I have a security manager in my application that works for both Windows and web. The process is simple: it just takes the user and pwd and authenticates them against a database, then sets the Thread.CurrentPrincipal with a custom principal. For Windows applications this works fine, but I have problems with web applications. After the proce...

Securing input of private / protected methods?

Hello, normally all sane developers try to secure the input of all public methods (casting to proper types, validating, sanitizing etc.). My question is: in your code, are you also validating parameters passed to protected / private methods? In my opinion it is not necessary, if you properly secure the parameters of public methods and ...

SOAP Header: Communication secured between Flex and C#

Hello, I am working with Flex, web services and C#, and I would like to secure the access to my web services through SOAP. I spent 2 days on this problem. My asmx file where I describe my webmethod: public ServiceAuthHeader CustomSoapHeader = new ServiceAuthHeader(); [SoapHeader("CustomSoapHeader")] [WebMethod(Descriptio...

C# Sending emails with authentication: standard approach not working

I am trying to send an email using the following very standard code. However, I get the error that follows... MailMessage message = new MailMessage(); message.Sender = new MailAddress("[email protected]"); message.To.Add("[email protected]"); message.Subject = "test subject"; message.Body = "test body"; SmtpClient client = new SmtpClient(); cl...

Is an SSL connection necessary between machines on the same cloud hosting provider?

Let's say I have a cluster of HTTPDs on a cloud and they all share the same database. Is setting up MySQL over SSL reasonable paranoia? Or is it security masturbation? What are the pros and cons of SSL on the cloud? What about ARP spoofing? ...

Block upload of executable images (PHP)

It has come to my attention that a user has been trying to create an exploit through avatar image uploads. This was discovered when a user reported to me that they were getting a notice from their Norton Anti-virus saying "HTTP Suspicious Executable Image Download." This warning was referencing the user's avatar image. I don't think t...

JBoss, application security, removing AuthNz from one file

An application is deployed to a context that uses security for the entire context. I need to create a new file that will serve as a ping for our load balancer. This file can have NO security associated with it. How do I set up this file in web.xml to disable any security for it? ...

Single Sign On with 3 applications

I'm building three web applications in .NET that will all share a users database and login information. Let's pretend that application 1 is the "parent" application and applications "A" and "B" are the "child" applications. All users have to be logged into application 1 to have access to applications A and B. Authorization, Authenticatio...

All PHP files getting hacked

Hey All, Like always, just want to say thank you for all of the help and input in advance. I have a particular site that I am the web developer for and am running into a unique problem. It seems that somehow something is getting into every single PHP file on my site and adding some malware code. I have deleted the code from every page ...