Is there a difference in terms of security between these two models to be given to View? Ie. in the second example can a webuser/hacker access the methods in any way? public class ObjectViewModel { public PropertyA {get;set;} public PropertyB {get;set;} public PropertyC {get;set;} } public class ObjectViewModel2 { ...
I'm looking for way to verify whether a site is categorized in any url filtering databases. Does somebody know such database with free API? ...
I'm working on a project in which remote clients need to log in to a webserver. I'm not looking for examples in any particular language; just a general idea of the security concerns involved. The basic question is: How should user credentials be passed to a webserver for verification? I'm picturing your typical website login. One field...
I am building an Asp.Net web site that uses FormsAuthentication and standard Session mechanism with configuration like that: <authentication mode="Forms"> <forms cookieless="UseCookies" name=".MyAppAuth" loginUrl="~\Login.aspx" timeout="20"/> </authentication> ... <sessionState timeout="20" cookieless="UseCookies" /> It seems that...
Is there a PHP implementation of markdown suitable for using in public comments? Basically it should only allow a subset of the markdown syntax (bold, italic, links, block-quotes, code-blocks and lists), and strip out all inline HTML (or possibly escape it?) I guess one option is to use the normal markdown parser, and run the output th...
I was told that the optimal way to program in C++ is to use STL and string rather than arrays and character arrays. i.e., vector<int> myInt; rather than int myInt[20] However, I don't understand the rational behind why it would result in security problems. ...
I need my application to use client's phone-number to generate unique ID for my web-service. Of course a phone-number is unique, but it must be secured. So it can be implemented with symmetric encryption (asymmetric will be later, because leak of resources), but I do not know where to store a encryption-key. 1. I do not know why, but s...
I'm using (server side, not cookie) sessions in an application that I writing, if the users has not obtained access to the server can I trust the $_SESSION variable or should I verify it's content on every page load? Note: I'm trying to limit the number of queries to my database and currently I am verifying the data on every page load,...
We are setting up a SQL Server 2008 Standard edition on a Web Server for the first time. We normally have our SQL Server on our local Intranet and only use windows authentication. What is the best practise authentication mode for a web server? Can I use Mixed mode without any security worries? Thanks! ...
How do you implement Roles and Security in your C# Domain Driven Designs? We have some debate raging on wether it should be implemented by the calling application (ASP.NET MVC) or in the Domain Model itself (model entities and services). Some argue that it should be in the web site itself since that's where the authentication already exi...
Hello, Q1 Book says that we can choose to share profile information between web application by having profile providers use the same ApplicationName value. But would it also be ok for applications to share roles, or would that represent a security risk? Q2 If ProfileManager.AutomaticSaveEnabled is set to True, then when change is ...
Disclaimer: I'm completely clueless about .net and COM. I have a vendor's application that appears to be written in .net and I'm trying to wrap it with a web form (a cgi-bin Perl script) so I can eventually launch this vendor's app from a separate computer. I'm on a Windows Server 2003 R2 SE SP1 system and I'm using Apache 2.2 for the...
I have a system I'm building that seems to call for some complex rules and rather than have a mess of rules through out the system. I was looking to centralize the process. (Which may not be the smartest idea I've had) My most (perhaps least) brilliant idea was to use a seperate class to check any objects before being saved to the datab...
I believe that internode communication is taking place in the clear and that the cookie value is strictly used for authentication. (I do not have any proof as yet). How do I encrypt internode comms? How do I encrypt Mnesia replication messages? How do I configure my firewall and packet filters to permit these messages to pass thru? Ho...
I've seen that you can manipulate private and internal members using reflection. I've also seen it said that a 'sealed' class is more secure that one that isn't. Are the modifiers "public, protected, internal, private, abstract, sealed, readonly" anything more than a gentleman's agreement about design and API use, that can be broken as...
Question is still OPEN... For IT people here it may be not so difficult question. May be not only at first look ;) All ideas are welcome! For startup Antispam project it is needed around 10000 spam mails per day and more. And also (for shingle algorithms) we need six and more modified mails for the same spam letter. Please, if you ha...
So, hashes are useful because they change password/login name/salt value combinations to a code that cannot be reversed. The client sends this hash to the server. The server compares the hash to a list of stored hashes to see if the client's user may be granted access. But how do I prevent a malicious user from intercepting the hashed pa...
I'm connecting to a WCF service in an ASP.NET app. I'm logging in using one username and password and passing the actual username of whoevever is logged into the ASP.NET web app in a message header as below. using (OperationContextScope scope = new OperationContextScope(myService2.InnerChannel)) { Guid myToken = Guid.NewGuid(); ...
Suppose I setup a simple php web server with a page that can be accessed by https. The url has simple parameters like https://www.example.com/test?abc=123. Is it true that the parameter here in this case will be safe from people sniffing the packets? And would this be true if the server does not employ any SSL certificate? ...
Is it possible to use Windows client credentials for transport security between a windows forms-based client and self-hosted WCF service if the two machines are not in a domain together? ...