Our server already has Symantec anti-virus with autoprotect enabled w/ regular scans and updates. I tested it and it does automatically scan uploaded files to document libraries.
My question is, what additional benefit is there to using a specific anti-virus plugin instead of this current setup? There are at least 3 different plugins I ...
When a user logs in, I give them a cookie named auth with a value that is a GUID, which expires in 2 weeks. I save the hashed GUID in the database with a salt of their userID and then date when it expires. When a user accesses the site, I check for the cookie and log them in if it matches and hasn't expired in the database.
At some poin...
This article states that
If your site is run on a shared Web server, be aware that any session variables can easily be viewed by any other users on the same server.
On a larger host like GoDaddy, are there really no protections in place against this? Could it really be that easy? If it is that easy, where are the session vars...
Is there a way to change the owner of a saved file using IIS on Windows Server? The easier the better. It doesn't matter whether this will have to be done during saving or changing file owner after the file is already saved to disk. An example in ASP.NET is highly appreciated.
...
I am trying to write a simple function for Windows that answers the following question.
Does user (U) have rights (R) on file (F)?
Where,
R is some combination of (GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE)
U does not have to be logged in or impersonated
The code that I wrote is shown below. The application calls the fir...
I've got a DLL which makes a call to SetDllDirectory() in its DllMain() function. The argument to SetDllDirectory() is the directory in which the DLL resides, as returned by the GetModuleFileName() function. The effect of this is that if the DLL is placed as c:/foo/bar.dll, then loading bar.dll will add c:/foo to the DLL search path of t...
I am refactoring a working ASP.NET Web Application to expose Web Services interface using ASP.NET Web Service. According to Web Services authentication - best practices, Basic Auth over https is the way to go. Let's assume it is, as opposed to doing WS-Security, X509, etc..
On .NET 3.5/VS 2008, what's the simplest way of implementing cu...
Hi, Hope someone can help me on this matter. I'm looking for a way of enabling message level security on my WCF service other than using certificates.
Problem is that the application is used on clients that connect via a VPN with multiple sites that each have their own domain controller and the domains do not trust each other.
I'm tota...
We have a web page of a J2EE application, in which the user signs-in to the application. It contains a flash widget that needs to call services in the server, using the session that the user created. The web page passes the jsessionid to the flash widget, in order for the flash to use it to pass the authentication.
However, the flash p...
Is it possible to have user based security permissions for JMX on a JMX generated webpage? If so, how?
We're currently using a HtmlAdaptorServer class to provide a web front end. The problem comes where this JMX site is becoming very big and we want to allow some mbeans on a server for everyone and restrict more risky mbeans to certain ...
I was just wondering what security issues can arise from not closing the database connection after using it. Doesn't PHP automatically close it once a new page loads?
Levi
...
I've created a web authentication app using C# & ASP.NET and want to bounce off how secure you think it is. All navigation is done by https.
User Registration
User enters 3 datapoints (SSN, Lname and DOB). If that combination is found in our system, a session variable is set and navigates to next page.
If session variable for #1 is se...
/* define page path */
define("PAGE_DIR", "pages/");
if (file_exists(PAGE_DIR."$_GET[page].php")) include(PAGE_DIR."$_GET[page].php");
How safe is this? Could you for example include a page on another webserver if the page is in a folder called pages?
Thanks
...
My friend's website got hacked somehow. The index.php page had an extra line of JavaScript inserted, which redirects the page to another website. The index.php is just a text file not managed by any CMS. He has changed all FTP/SSH user passwords. Somehow this is still happening.
Any hint on what might be the cause?
...
Does anyone know of a good, open source security framework for Java?
I've played with jSecurity a bit, and it seems really cool, but the documentation is so sparse I can't seem to make any progress.
Spring security seems web-app oriented -- but I may be wrong.
I am not opposed to writing this myself, but it seems like this should ha...
I've managed to use Sun's MSCAPI provider in my application. The problem I'm having now is that it always pops up a window, asking for a password, even though I've provided it in the code. This is a problem, because I need the cryptography functionality in a webservice.
Here's the code I have now:
String alias = "Alias to my PK";
char[...
Is there a norm for AJAX security?
When making an XMLHttpRequest, if querying an HTTPS url, will the browser handle all the certificate business and properly encrypt the request (or use an already existing authenticated tunnel)? Are there any security flaws in this model?
Then there's also user authentication issues with AJAX. Th...
I just had an interview in Redmond where they asked me a ton of security based questions surrounding ASP.NET. One of the questions they asked was about configuring a secure intranet application to use constrained delegation to access the SQL Server. In this scenario an AD user account is delegated access to the SQL Server. The whole p...
I'm modifying existing security code. The specifications are pretty clear, there is example code, but I'm no cryptographic expert. In fact, the example code has a disclaimer saying, in effect, "Don't use this code verbatim."
While auditing the code I'm to modify (which is supposedly feature complete) I ran across this little gem which...
Does the System.Security.Cryptography.Pkcs namespace have support for PKCS#11?
...