What are the options to accept a credit card payment from an iPhone application? This will be a stand alone application, not an iPhone specific web site. Can I integrate with a payment gateway like Authorize.net? What about paypal or Google checkout? I know on some web sites, it will take you to a paypal site for the payment authoriz...
I'm using JBoss Web Services for a payment service application. At some point I need to make remote SOAP calls to a payment service provider, and I need to authenticate with a Username token.
The only way I know how to do this with JBossWS is like this:
Map<String, Object> requestContext = ((BindingProvider)port).getRequestContext();
r...
Following on Steve (YSlow) Souders' evangelism, my site (LibraryThing.com) splits requests across domains to facilitate parallel loading. We do CSS, JS and images; you can also do Flash, etc. We also use Google's version of Prototype, which is cross-domain, not just cross-subdomain.
This is all great for speed, but for a small percent o...
How is SAML SSO typically implemented?
I've read this about using SAML with Google Apps, and the wikipedia entry on SAML.
The wikipedia entry talks about responding with forms containing details of the SAMLRequest and SAMLResponse. Does this mean that the user has to physically submit the form in order to proceed with the single sign o...
I need to implement SSO between a Windows domain and a J2EE web application.
I've been thinking what the impact of this would be on the web application's session timeout. We have a 2 hour time out.
If we implement a seamless SSO, then I think it might become confusing for the user.
The SSO will make it appear that the web application i...
I often come across web applications that expose internal database primary keys through forms like select boxes. And occasionally I see javascript matching against an int or guid magic value that switches the logic.
Is it a best practice to avoid leaking all internal identifiers of rows in your web application to prevent outsiders from...
No obfuscation please and simpler the better.
Similar post is http://stackoverflow.com/questions/294777/shared-secret-with-api-in-an-ajax-adobe-air-app but I was not convinced that these protect from decompiling. If they do, please explain (For example, what's stopping someone from decompiling and using the URLLoader themselves).
...
Hi All,
My environment is VS2005 C# targeting Excel 2003. I gave myself a small dose of over-confidence with the installer of this add-in when I saw that an .msi project was created just for me :) within the solution. Needless to say, this has been the trickiest part of the whole project and I am completely stuck on how to deploy and...
I'm responsible for developing a large Python/Windows/Excel application used by a financial institution which has offices all round the world. Recently the regulations in one country have changed, and as a result we have been told that we need to create a "locked-down" version of our distribution.
After some frustrating conversations wi...
After I authenticate user login info, I create this session for them:
$_SESSION['username']= $userName;
Then, I redirect them like this:
header('Location: www.domain.com/profile/' . $_SESSION['username']);
I want my website to have a pretty URL, something like: www.domain.com/profile/userName
Thus, in all my redirect links (HTML <a...
I am supposed to write a client application in C# that communicates with Thales WebSentry and I need a few hints at how to start.
The device comes with a Java SDK but I need to do my programming in .NET. Are there any libraries in .NET that I can use, or will I have to do it all low-level (directly to the socket)?
Any hints or pointers on how and...
I have the following scenario, and what I am really looking for is real help from real people. Suggestions / solutions? Please.
I have an extranet web site for ex. www.foo.com (asp.net 3.5)
I am using JQuery 1.3.2 to call ValidateLogin PageMethods in default.aspx page ( www.foo.com/default.aspx)
The code will look like this
$.ajax({
...
If you are a developer and had access to tools such as Ounce Labs, Fortify Software or Veracode, would you object to metrics on the code you write being made publicly available? If you would object, what would it take for you to feel more comfortable with more transparency in this regard?
If metrics were public, do you think this would ...
Some time ago I joined a new project. It had been under development for quite a long time.
The thing that surprised me was that all users' passwords are stored in non-encrypted form.
I explained the huge security vulnerabilities of this to our management; it looks like they agree with that and want to make the project more secure. Team members agree ...
I'm a fanatic of Murphy's Law and I have it in mind at programming time. There are a lot of "applied" versions in a variety of fields. Maybe (as Stack Overflow users) we can compile a list of them applied to Internet security. I suggest this because in times of phishing, XSS, CSRF and a lot more of the threats surrounding the programmer and t...
Ok, so the whole problem with hashes is that users don't enter passwords over 15 characters long. Most only use 4-8 characters making them easy for attackers to crack with a rainbow table.
Solution: use a user salt to make the hash input more complex and over 50 chars so that they will never be able to generate a table (way too big for string...
The .NET security model throws security errors whenever a .NET exe is run from a file share. The error does not appear when run from a local drive. Does anyone know of a way around this without requiring the code to be signed?
...
Assuming I've securely exchanged keys with another computer (using Diffie-Hellman perhaps), here's my tentative solution:
packet number + encrypted data + message authentication code (MAC)
The packet number is an incrementally-increased number starting at 0. After that is the encrypted data itself, followed by a MAC of them both. If so...
Hey guys, here's the setup (bear in mind I'm really struggling with the Windows/.NET security stack i.e. I don't get it):
A Windows Service running as LocalSystem on a Windows Server 2003 box.
A .NET 3.5 Website running on the same box, under "default" production server IIS settings (so probably as NETWORKSERVICE user?)
On my default...
All reservations about unsecuring your SecureString by creating a System.String out of it aside, how can it be done?
How can I convert an ordinary System.Security.SecureString to System.String?
I'm sure many of you who are familiar with SecureString are going to respond that one should never transform a SecureString to an ordinary .NET...