PHP runs in a shared-nothing environment, which in this context means that every web request is run in a clean environment. You cannot access another request's data except through a separate persistence layer (filesystem, database, etc.).
What about Ruby on Rails? I just read a blog post stating that separate requests might access ...
I want to know the best way of transferring a cryptographic initialization vector (IV) from the place where my data is encrypted to the place where my data is decrypted.
In other words, the IV should be randomly generated every time you encrypt a message (right?), so there needs to be some way of finding the IV when you decrypt.
I have...
I am relatively new to SSAS and am having trouble with something.
The scenario:
A cube with a company hierarchy (region, sub-region, country, company)
Dimension security is applied by filtering the company dimension by linking username to a list of allowable companies.
Enable Visual Total is switched ON so that you can only see totals...
Hi,
I'm trying to fetch a list of operations related to user.
I'm using AzMan to store the application authorization rules.
How can I get a list of operations per user using EntLib 4.1 Security Application Blocks or any other way?
[C#]
Thanks.
...
Hi,
I am struggling hard with getting WCF service running on IIS on our server. After deployment I end up with an error message:
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.
I want to use Windows authentication and thus I have Anonymous ac...
PCI/DSS has a requirement indicating that an application's log should be reviewed AT LEAST daily for security events. Most network/infrastructure professionals can review network device logs but won't be familiar with actual applications. The same can be said for most security professionals.
So, are developers really stepping up to this...
I know I have to consider mail header injection, but are there more things that I need to know before I make a form mail page?
I want mail, and I feel that I have to set up a form mail page on my site, but I heard that mail handling is dangerous if I do not consider all the security issues.
...
When getting the username and/or SID of the current user, what is the preferred method?
Is it using:
WindowsIdentity.GetCurrent().Owner
Or:
WindowsIdentity.GetCurrent().User
What is the difference between the two? This would be a great question for SuperUser.com, but alas, it's not live yet. Thanks!
...
I created a Web Service in .Net and so the address of the service file has a nifty auto generated explanation about how it works. When I run the page from the machine it's hosted on it even has a form that I can use to submit test values to the service. However on remote machines it hides the form and gives the message as seen above.
Is...
I have a number of COM services in my system and I need to change the default cloaking behavior. In particular, I want to use dynamic cloaking.
Since the product is a "closed" one, meaning that no other program/service will be installed on the machine, changing system defaults is one of the options.
I am not willing to go into that directio...
How do I remove NTFS security from a folder?
...
Just had a thought
post.php
<?php
// Only logged-in users (session id set) may reach the comment logic
if (isset($_SESSION['id'])) {
    // Handle a submitted comment
    if (isset($_POST['comment'])) {
        insert();
    }
?>
<form method="post" action="post.php">
    <textarea name="comment"></textarea>
    <input type="submit" class="btn" value="Submit">
</form>
<?php
}
?>
$_SESSION['id'] needs to be set to access post.php. Is that safe enough?
Just thinking maybe...
Consider a client-server scenario where you have two options:
1. You can include the server's public key in the client and perform the exchange.
2. You can use the Diffie-Hellman key exchange algorithm to handshake and then exchange the key.
Which one is the more secure way?
Also, if the public key comes from a store, say from the client's CA store, would it be more ...
I am playing with an idea that would allow people to add tickets to Unfuddle, post a message to Twitter/Facebook, etc., all from the one site. To do this I need their username/password for these other sites, but I don't really want to know that information. Is there another way of achieving the same thing without having to hold this ki...
Given a group name and a user account, I would like to know if the supplied user belongs to a particular group. The user can be a local user or a domain user and the group could be a local group or a domain group and the group could also be nested inside other groups. In short I am looking for a function like bool IsUserMemberOf(User, Gr...
I'm working out the reasonability of a request to keep all documents with executable code out of a document management system. This is above and beyond the existing protections restricting the file extensions to a short list and running the file through Norton antivirus before we save it.
So far .doc(x), .xls(x), and .htm are all common document...
Scenario:
A client calls WebService A on the LAN. WebService A is running under an App Pool with Identity "Network Service".
WebService A does some work, prepares to call WebService B.
WebService B requires a client cert (*.cer) and SSL.
WebService A is on a dedicated Windows 2003 server.
Everything works in the Dev environment as it s...
I have a website built with ASP.NET (3.5) and want to add some level of security to it.
I am using the login controls to help with this. I have one issue though.
I have the following within my web.config:
<authorization>
<deny users="?"/>
</authorization>
This works fine when a user has not logged in before (i.e. if they go to ...
Hi guys,
I know that people have already asked questions regarding encrypting web.config.
I'm also trying to encrypt my test config file, but I'm getting this error:
aspnet_regiis -pef "connectionStrings" "C:\encryptedWeb.config"
Encrypting configuration section...
The configuration for physical path 'C:\EncryptedWeb.config' cannot be opene...
An automated security scan was performed on my WSS 3.0 site and it came up with some warnings based on the apparent presence of FrontPage Extensions. Namely it found files like /_vti_pvt/service.cnf, /_vti_pvt/services.cnf, and /_vti_bin/_vti_aut/author.dll by appending those locations to the site's main URL over the web. These are appar...