We currently have a setup like this:
lan\john lan\application1 lan\appService1 lan\appService2
client ------> website ----------> WCF Service1 ------> WCF Service2
So each website/service runs as a different identity account that is set up in Active Directory. Security checks are based on the identity of the immediate ca...
What are the best practices for dealing with
Things that should be hashed. i.e. passwords
and
Things that cannot be hashed, but are extremely confidential and would cause tremendous pain if compromised. i.e. credit cards, SSN, missile launch codes.
Which encryption algorithm is strongest, most recommended? How do you handle the ...
I was looking at ways to authenticate users in a web app, but in a way where the main web app doesn't need to process the password. Something like OpenId, but the authentication server would definitely need to be hosted on an intranet, internet services can't be accessed by the application server.
My environment is pretty much Java web...
Note: this is a different problem to HTTPS - it's related to privacy security
I'm trying to figure out if there's a way to take load off our server [cache] by pushing information to the browser. Is there any technology that will provide secure caching that is bound to a session?
We have privacy-sensitive data that's often used, but wi...
(Related to Is there a secure Browser Cache? ):
Do any of the implementations of HTML5 session storage write to disk ever?
e.g. can I rely on having a "secure"/"private" cache that I know will not be able to persist beyond the browser session whether it
times out
is ended/logs out
browser closes/crashes/power button on computer
Se...
I have a WSS installation that's behind basic authentication/SSL (it's hosted at a public web host). I'm creating a sister site in ASP.NET, and am considering just running the credentials through and allowing users to log into the new system providing there is no 401 Not Authorized error returned.
Both are internet-facing applications t...
Host: GoDaddy Shared Hosting
Trust Level: Medium
The following happens after I submit a valid user/pass. The database has read/write permissions, and when I remove the login requirement on an admin page that updates the database, it works as expected.
Has anyone else had this issue or know what the problem is?
Anyone?
Server Error in '/' ...
I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?
...
Premise: The requirements for an upcoming project include the fact that no one except for authorized users have access to certain data. This is usually fine, but this circumstance is not usual. The requirements state that there be no way for even the programmer or any other IT employee be able to access this information. (They want me to...
I manage a small group of Windows Server 2003 computers. ONE of the servers is NOT performing the same as the others.
I expect that I have not set the folder and share permissions the same as the others.
I want to be able to create a text document containing the share and folder permissions from each server so I can then use a...
What is the easiest free method of encrypting my web traffic? I'd like to be able to log in to sites on my web server without sending my password in plaintext.
Edit: My web server is running on the LAMP stack, although it is a shared host so I don't have root.
...
Hi,
in Web 2.0 applications many users usually want to stay logged in ('remember me' flag) and on the other hand their cookie can give access to very private data. Is there a way to prevent that somebody who steals the cookie - directly from the computer or via sniffing - can use the cookie to get access to the user's data? Always HTTPS...
So this question will get technical – eventually – but first check out Hanselminutes with Atwood (et al.) where Scott basically invites developers to try to hack this site. It’s a hoot. I first thought (out loud of course, because with headphones on you get the best stares from people as you think out loud) “he either just got off a p...
One of my custom developed ASP.NET sites was hacked today: "Hacked By Swan (Please Stop Wars !.. )"
It is using ASP.NET and SQL Server 2005 and IIS 6.0 and Windows 2003 server.
I am not using Ajax and I think I am using stored procedures everywhere I am connecting to the database so I don't think it is SQL injection.
I have now removed t...
I want to check that two passwords are the same using Dojo.
Here is the HTML I have:
<form id="form" action="." dojoType="dijit.form.Form" />
<p>Password: <input type="password"
name="password1"
id="password1"
dojoType="dijit.form.ValidationTextBox"
required="true"
invalidMessage="Please type a p...
Is it possible to check if a, dynamically loaded, assembly has been signed with a specific strong name? Is it enough / secure to compare the values returned from AssemblyName.GetPublicKey() method?
Assembly loaded = Assembly.LoadFile(path);
byte[] evidenceKey = loaded.GetName().GetPublicKey();
if (evidenceKey != null)
{
by...
I have a server behind a firewall. It runs a web application (Java servlets under Apache Tomcat) and responds only to port 443 (HTTPS). There is no scripting code in the pages served - the forms use HTTP POST to receive the form, process the data (with appropriate input filtering) and then output an HTTP result page.
I am currently usin...
I'm wondering what people use for storing their username, passwords, urls, IPs, domains, and any other login information they need to both do their job and in general life. It might also store serial numbers or similar data.
I find that I'm registering for probably 5 sites a month, paying for some piece of software, just setting up a new ho...
I have a Java application and I would like to make it extensible. To create an extension, developers within our company will write a Java class that implements a certain interface. They may also wish to write associated helper classes. I would like to load these extensions into the application without an outage.
I would like to limit...
In an ongoing effort to improve my code I am looking for the best way to create and compare a salted password in .NET.
Is there a better, or more secure, way of doing this?
My current code is as follows:
public static string CreateSaltedPassword(string salt, string password)
{
SHA1CryptoServiceProvider SHA1 = null;
...