So here is the problem. When a user logs out of my website, they can still hit the back button and continue using the site. To keep track of whether the user is logged in or not, I created a session attribute "isActive". The attribute is set to true when the user logs in, and is (redundantly) removed right before the session is invalidat...
I would like to know where people draw the boundary between assigning permissions to a user in a multi-user application and the business logic.
For example, if a user can have permission to access a number of cars, do you assign these permissions directly through the user class by adding them to a collection of car objects on the user o...
I'm a little confused about the StripTags filter as used in Zend. I think it's meant to strip tags that could result in XSS. So shouldn't that mean it should be used when outputting data in the views? I've seen it being used with form inputs
->addFilter('StripTags')
Should it be used with both input in the forms and output in the vie...
Hi,
How can I tell a self-signed certificate apart from revoked or expired ones?
I'm using NSURLConnection and implementing connection:didReceiveAuthenticationChallenge: on delegate:
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge{
if ([challenge.protectionS...
What is the best method of ensuring that $page and $getVars are clean and safe?
//fetch the passed request
$request = $_SERVER['QUERY_STRING'];
//parse the page request and other GET variables
$parsed = explode('&', $request);
//the page is the first element
$page = array_shift($parsed);
//the rest of the array are GET statements...
Hi there,
I am using PayPal's DoDirectPayment API for payment integration. I am getting an error message like below.
Security error:
Error no: 10002
Error message: Security header is not valid
Here is my code,
$environment = 'sandbox';
// Set up your API credentials, PayPal end point, and API version.
$API_UserName =...
How do I secure my "hibernate.cfg.xml" file? (NHibernate). It currently sits in the root of the web app and can be viewed via the browser.
...
I work in a company with many servers and PCs for developers. The servers run Windows 2003 and the developer PCs run Windows XP.
On a Windows 2003 server named preiis01, in the preproduction environment, other people in the company installed a client certificate using some other user (unknown to me) for logging in to server preiis01.
I use my user "domainCompany\myuser"...
I use Windows 2003 Server, and I need to get information about folder security programmatically using C#.
I want to create a tool to check permissions. I need to get the groups, users, permissions and special permissions for a folder:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Edit:
the follo...
I have developed a PHP session class and tested it using a few examples (see source code below). It appears to be okay. Now I would like to make this session somehow "secure". I found some sample code which is meant to encrypt a cookie (in Courioso's book Expert PHP and MySQL). Here is this code snippet.
Code for encrypted cookie
$cook...
I have been wondering how secure a codeigniter setup is. Because information like db passwords etc is stored in config files in the main application folder could this be retrievable by hackers? I know you can move the application folder to a location away from the web root but is it still safe if you don't? Also, even if you did move it ...
Hi guys,
I'm wondering about something. How is session-based authentication designed for webservices?
Imagine I do have a web solution where people can sign up and then log themselves in, then they can do stuff that's processed by webservices (either hosted on the same machine or on a remote server).
I know how to manage sessions after log i...
I have a webapp that requires security beyond that of a normal web application. When any user visits the domain name, they are presented with two text fields, a username field, and a password field. If they enter a valid user/pass, they get access to the web application. Standard stuff.
However, I'm looking for additional security be...
First of all this question is not intended to be a "subjective question".
The actual specific question might be if being closed source (in web development for example) is a good protection measure.
It was this article that got me thinking:
http://techcrunch.com/2007/08/11/facebook-source-code-leaked/
Let's say you are quite a newbie to...
When I invoke "sudo /sbin/iptables ..." in my Perl CGI scripts, I get the error:
Insecure dependency in system while running with -T switch at usr/lib/perl5/vendor_perl/5.8.8/IPC/Run3.pm line 403
I tried to add "/sbin:/etc/sysconf:/etc/init.d" to $ENV{'PATH'} but still no success. Does anybody have any idea?
...
I've got Flash content that needs to run within a web page off a CD. It works fine if I change the security settings in the Flash Global Security settings screen but that can only be accessed online. So...
Can the security violation be overcome with a cross-domain XML on the local drive somehow?
Can the Global Security settings screen ...
Hi,
I'm writing a module to force a user whose password has expired to renew their password. This app uses the Acegi security plugin. After the expired credentials are detected, the user is redirected to an "insert a new password" page. However, when the form is submitted, the auth action is executed instead of the desired one (renewPass...
I am right now a fresher, currently in my MCA 3rd semester. I want to ask how I can move ahead to be a penetration tester in a good company. Do freshers have enough scope in this field in India? What are the certifications required for the same?
Thanks.
...
I have created a Silverlight login page. I use PasswordBox in that page and use this solution to do MVVM in my application. BTW, after I read this answer I realized that the current solution is not secure.
I want to know how can I improve security in my solution even though it will break MVVM.
...
I'm writing some db access server controls at the moment that take properties for things like data source and column required and whatnot.
In my head I have thought about this approach and it seems to me that, in order to make these controls work you have to put them on the page and fill them full of explicit references to the database ...