security

Create an ActiveRecord database table with no :id column?

Is it possible for me to create and use a database table that contains no :id column in ActiveRecord, Ruby on Rails? I don't merely want to ignore the id column, but I wish it to be absolutely non-existent. Table Example :key_column :value_column 0cc175b9c0f1b6a831c399e269772661 0cc175b9c0f1b6a831c399e26977...

How to compartmentalise an outward-facing Bugzilla?

We're an ISV with ~65 customers. When they call with a support issue, we log it in our internal Bugzilla instance (there is a handful of specially trained super-users at each customer site from whom we allow calls). We're considering making this Bugzilla instance available via the Internet so that customers can log their own issues and ...

How to make a page use SSL?

I have a payment page I would like to use SSL. I have the certificate installed... now what? Can I just refer to the page using https? When I do that I get the following error: SSL received a record that exceeded the maximum permissible length. ...

Microsoft SDL and memcpy deprecation

As some of you may know, Microsoft banned memcpy() from their Security Development Lifecycle, replacing it with memcpy_s(). void *memcpy(void *dest, const void *src, size_t n); /* simplified signature */ errno_t memcpy_s(void *dst, size_t dstsize, const void *src, size_t n); So if your code used to be: if (in_len > dst_len) { /*...

Cracking an N-bit RSA modulo number

This is related to my previous post, where my only option was to have an RSA algorithm which seemed relatively weak. Let us assume that I want to encode a 35-bit number (from 0 up to 34359738367) with a 36-bit modulo (between 34359738368 and 68719476735). Referring to http://en.wikipedia.org/wiki/RSA I can see that my n is between 34359...

How can I add at runtime a new RuntimePermission to Java security policy?

Hello. I want to add at runtime a new RuntimePermission to the set of already existing permissions (java.policy) file. Here is my code: ProtectionDomain domain = MyClass.class.getProtectionDomain(); final PermissionCollection domainPerms = domain.getPermissions(); Enumeration<Permission> oldPerms = domainPerms.elements()...

Password Encryption / Database Layer AES or App Layer AES

I need to encrypt / decrypt passwords for a new application. The spec requires me to use AES; can anyone suggest a good reason to either do all my encryption in the database layer using CLR functions, or do it at the .NET app layer, or use a mixture of DB and server? I am going to be validating passwords; the app is n-tiered using Telerik O...

Apache Ignores SSLRequire Directive

I have setup Apache to serve Subversion data. The configuration looks like this, <Location /svn> DAV svn SVNPath /path/to/svn AuthType Basic AuthName "My Project" AuthUserFile /etc/httpd/dav_svn.passwd Require valid-user SSLRequireSSL <LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept> </Location> T...

Screensaver does not play videos in Vista

One of our products is a screensaver that plays movies using DirectShow. In XP this screensaver works when no one is logged in. In Vista no movies are played when no one is logged in. The reason is that "CoCreateInstance" fails with error code 0x80070005 (= "Access Is Denied"). This is the code we use to initialize DirectShow: HRESULT ...

Can an Apache-served pure-HTML website be hacked?

Assume you are running a pure-HTML website on Apache. Just serving static files, nothing dynamic, nothing fancy. Also assume all passwords are safe, and no social-hacking (i.e. phishing attacks, etc...) Can a website of this nature basically be hacked? Can the server become compromised? Are there any examples for this? ...

Going Without SSL Certificates?

I'm working on a small website for a local church. The site needs to allow administrators to edit content and post new events/updates. The only "secure" information managed by the site will be the admins' login info and a church directory with phone numbers and addresses. How at risk would I be if I were to go without SSL and just hav...

Storing salt in code instead of database

There have been a couple of great discussions regarding salt best practices, and it seems the overwhelming recommendation is to generate a different salt for each password and store it alongside the password in the database. However, if I understand the purpose of salt correctly, it is to reduce the chance that you will be compromised b...

Calling Webservices via code security for logging onto service (.NET / WCF)

My web app is going to call a webservice. I'm looking for best practices / guidance for logging onto the webservice so I know that an authorized user is trying to access it, not just anyone. ...

FormsAuthentication.FormsCookiePath

Hello, Q1 I’ve read that when setting the timeout of an authentication cookie, we should keep in mind that the longer the cookie persists, the greater the chance of a cookie being stolen and misused. A) But assuming we secure our application against replay attacks by enabling SSL for the entire application, and since forms authent...

will an iframe in xul maintain ssl security?

Anyone reading my last batch of questions knows I'm working on a Firefox add-on for my office intranet. So, here's the latest; this time a concern instead of an obstacle: So, my first plan was to build a sign-in form right into the chrome, so that it blended and didn't require any dealings with iframes/browsers/etc. But after some think...

How can I temporarily impersonate a user to open a file?

I would like to temporarily impersonate a domain user account to read in a file on a network drive from an ASP.NET site. I would rather not set up impersonation for the entire site or set up a mapped drive on the server. ...

Generating 128-bit keys with keytool

Is there a way to generate a 128-bit key pair suitable for encryption using Sun's keytool program? It seems that the algorithms available in http://java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyPairGenerator are either not supported or do not allow keys shorter than 512 bits. The key pair will be used with ...

Alternative to Microsoft Security application block?

We need to implement role-based security across our solution which has asp.net, winforms and web service entry points. We will also need some front end to configure it. I really don't feel like rolling my own, as I have done it a few times before and it is tedious. I have historically not been a fan of the MS ABs because I found them to b...

Effective Password Encryption

I've taken a look at the StackOverflow question, "Password Encryption / Database Layer AES or App Layer AES," and I'd like to effectively and efficiently hash my passwords on registration (web app) and then be able to check they are correct on login. I'm using VB, but comfortable using C#. I would love to use Jeff Atwood's Encryption...

ASP.NET Logging onto web service using username and password the first time only

The first time I log onto my webservice I want to use FormsAuthentication e.g. myService.ClientCredentials.UserName.UserName = "name"; myService.ClientCredentials.UserName.Password = "password"; but once a user has logged onto my web app I don't want to have to know about his password so I would like to be able to connect to the webser...