security

PHP getting the PHP file

Is there any way to get the source file of PHP like you would for an HTML file or JavaScript from the web browser alone? If so, how? If not, why? ...

Should a web page with a login form be secured?

Question in title, but I'll elaborate. Say I have a form on a non-secure page, but I don't want the data that the user is posting to my web server to make sense to anyone who might intercept it. Do I need to serve the form securely, or simply post the form to a secure URL? ...

What should I do if I am worried that a company is handing out my information because of a bug in their code?

I just got an automated response email from a company that had someone else's registration info in it. The person that responded to the email expressing my concerns refuses to acknowledge that there is a problem. I think I've heard you are legally required to hash certain sensitive information (credit card info for example) even if...

The best way to create a login realm in PHP

I can do a login realm in PHP, and the way that I do it is by setting a session variable and checking whether that session variable is set or not. On every restricted page, I check whether a certain session variable is set (or is equal to a certain value). If not, then I will send the user back to the login page. Is this the best way to do it?...
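The pattern the question describes, as an added example (not code from the question): a hardened session cookie, a login handler that regenerates the session ID on success, and a guard that every restricted page includes. The `users` table with `id`, `username` and `password_hash` columns is a hypothetical schema.

```php
<?php
// Added example, not from the question. Assumes a hypothetical users table
// (id, username, password_hash) where password_hash comes from password_hash().

// Call before session_start() so the cookie gets the protective flags.
function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // cookie only sent over HTTPS
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    session_start();
}

// Login form handler: returns true and populates the session on success.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown so the response
    // time does not reveal whether the username exists.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    $hash = $row ? $row['password_hash'] : $dummy;

    if (!password_verify($password, $hash) || !$row) {
        return false;
    }

    session_regenerate_id(true);              // defeats session fixation
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

// Include at the top of every restricted page.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
}

// Logout: clear the server-side state and expire the cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The session-variable check itself is sound; what makes or breaks it is what surrounds it: `session_regenerate_id()` on login, `HttpOnly`/`Secure` cookie flags, and comparing the stored hash with `password_verify()` rather than a plain string comparison.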

Existing Fine-grained access control library/framework?

Let's say I have these kinds of requirements: User A in Role AA needs to be able to update all entities of type A1. User B in Role BB needs to be able to update only the entities of type A1 with the primary identifier of "2", which I'll call A1("2"), and cannot update any other entities of type A1, but can add or delete any number of c...

Safely Storing Biometric Information for Comparison

I'm using a biometric fingerprint scanner with an SDK that allows me to compare two images of a fingerprint. My question is: if I wanted to locally store one of the images for later comparison, what is the safest way to do this? My line of thinking is that when doing the same thing with passwords, an easy, safe way would be to hash the or...

Cleaning up HTML from textarea

Hi, I have a page with two textareas, where registered users can fill them with HTML code. The first one has TinyMCE (so the HTML is cleaned up), but the other one does not, since I expect the code to be inserted as embed codes from other sites (mostly sites that provide maps, e.g. Google Maps, MapMyRace.com, etc.). But the problem is that those ot...

Hacking and different environments

For a long time, I've wanted to become a security expert. In fact, I've always wanted to know everything there is to know about computers in general. So I did some reading on viruses and the different types of environments you can get. What I found is that viruses affect Windows computers more than UNIX due to fewer people using UNIX for w...

How to configure CruiseControl.Net for Windows Authentication?

Hi, I am using CruiseControl.Net for continuous integration, which is now accessing the dashboard through the login plugin, which in turn authenticates and authorizes after verifying against a set of users saved as an XML file on the CruiseControl.Net server. Now, I need to bring Windows Authentication into the system, whereby Cruis...

PHP and AJAX security question

I am currently building a web app in which PHP files are loaded into a main file using jQuery's $.ajax function. However, the PHP files are obviously still accessible outside of the app, by just typing the file's name in the address bar. So my question is, what would be the best way to make it so that the PHP file being 'ajaxed' in knows ...

How to restrict access to a file on Apache Server?

If I allow users to upload files, after a user has uploaded a file, the file will go to www.someplace.com/public_file/... .... So everybody can access the file. But I would like to put some restrictions on that. For example, I want to reduce the download speed for non-logged-in users. How can I do that? Also, if I want to limit th...

Secure elmah with ASP.NET security but only to some users

Hi, I am developing an ASP.NET app and I want to add elmah. The problem I have is that the users log in to the site, and the only way I found to secure elmah is to authenticate users, not a specific user. I am using ASP.NET MVC 2 and .NET 4. Any ideas? ...

Web Services: Secure? Asp.net

Hey there. Something I can't wrap my head around is how secure web services are. For example, we're writing a desktop application that will interact with data on one of our websites as well as local data. This data is sensitive, though, and the last thing we want is anybody calling the web services. I've not yet found anything that sa...

Timed session variables in PHP? I am trying to lock people out for failed logins.

I am having trouble searching for what I am looking for. I figure it is best I ask here, so I can also find out what is the best practice or method for what I am attempting. I want to make a lockout script that prevents people from trying to log in too many times, to prevent password cracking. I have one that makes a fade-in pop-up, wh...
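A lockout implemented with timed session variables has a weakness the question does not mention: the counter lives in the client's session, so a password-guessing client simply drops its session cookie to start over. The added example below (not code from the question) keeps the failure counter server-side, keyed by username, in a SQLite table via PDO; the table name, the limits, and the `check_password()` call in the usage comment are hypothetical.

```php
<?php
// Added example, not from the question. Server-side failed-login counter so a
// client cannot reset it by discarding its session cookie. Table and limits are
// hypothetical; any PDO-backed database works, SQLite is used to keep it self-contained.

const MAX_FAILURES   = 5;     // failures before the account is locked
const LOCKOUT_WINDOW = 900;   // seconds since the last failure before the counter resets

function attempts_db(): PDO
{
    $db = new PDO('sqlite:' . __DIR__ . '/login_attempts.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
        username     TEXT PRIMARY KEY,
        failures     INTEGER NOT NULL,
        last_failure INTEGER NOT NULL)');
    return $db;
}

// True while the account is locked. The window is measured from the most
// recent failure, so guessing during a lockout only extends it.
function is_locked_out(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT failures, last_failure FROM login_attempts WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;
    }
    if (time() - (int) $row['last_failure'] > LOCKOUT_WINDOW) {
        // Window has passed: forget the old failures.
        $db->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
        return false;
    }
    return (int) $row['failures'] >= MAX_FAILURES;
}

function record_failure(PDO $db, string $username): void
{
    $now  = time();
    $stmt = $db->prepare('UPDATE login_attempts SET failures = failures + 1, last_failure = ?
                          WHERE username = ?');
    $stmt->execute([$now, $username]);
    if ($stmt->rowCount() === 0) {
        $db->prepare('INSERT INTO login_attempts (username, failures, last_failure) VALUES (?, 1, ?)')
           ->execute([$username, $now]);
    }
}

function record_success(PDO $db, string $username): void
{
    $db->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
}

// Usage in the login handler (check_password() is a hypothetical credential check):
//
// $db = attempts_db();
// if (is_locked_out($db, $username)) {
//     http_response_code(429);
//     exit('Too many failed attempts; try again later.');
// }
// if (check_password($username, $password)) {
//     record_success($db, $username);
// } else {
//     record_failure($db, $username);
// }
```

Two caveats a practitioner would add. Locking purely by username lets anyone lock a victim out by guessing wrong on purpose, so pair this with per-IP throttling or a CAPTCHA after a few failures rather than a hard lock. And the response for a locked account should look the same as a wrong password from the outside, so the lockout state itself does not confirm that the username exists.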

Example of a SAML LoginModule for JAAS

Has anyone had any experience creating a JAAS LoginModule that uses SAML to authenticate and authorize a user? As I understand JAAS, this would likely require a custom CallbackHandler that understands and can parse a SAML message. In my case, the authorization is defined as a set of roles in a database, but like your typical Database Lo...

Implicit "Authentication" of Client Service Requests

Although algorithmic security is normally to be avoided, I'm interested in a means for agent/client software (running on Windows under the local system account) to authenticate itself to a REST web service: without relying on PKI, without relying on the user's account (agent code is "local system"). In short, I'm attempting cheaply t...

AllowPartiallyTrustedCallersAttribute error with MVC 2 and .NET 4.0

Assembly 'Foo.BAL, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' is marked with the AllowPartiallyTrustedCallersAttribute, and uses the level 2 security transparency model. Level 2 transparency causes all methods in AllowPartiallyTrustedCallers assemblies to become security transparent by default, which may...

What permissions must be granted for applets to write temporary files?

We're developing an applet and need it to be able to read/write files in the user's temporary files directory (e.g. C:\Documents and Settings\USERNAME\Local Settings\Temp). The applet is signed, the user clicks the 'allow' option on applet startup, and the Java Control Panel has "Allow user to grant permissions to signed content" and "...

Web-Application Security with Apache Shiro Configuration Problems

Hi folks, I decided to use Shiro to secure my web application. I use a Tomcat app server, Maven, Hibernate and JSF. Now I tried to configure Shiro but got some problems. Here are my files: ---POM.xml--- <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifact...

Trying to create an X509Certificate2 certificate fails when called within a COM interop environment

I've got a class library which defines a couple of helper classes/methods which are used from a classic ASP web application. So far, everything works fine. Now I've added a new helper method which signs a PDF file using a third-party tool. Using a console application to call this wrapper method, everything works fine. Once I use an asp pa...