security

ASP .Net User Roles - ordering for a drop down.

We are using the standard aspnet security features; we need to set the order of the roles, purely for display purposes. We could just add a sequence number onto the end of the aspnet_roles table, but that feels kind of hacky to me. Also, if in future versions of asp the security gets changed, we will be in trouble. Is there a bette...

MembershipProvider and PasswordRecovery control

Hi, I need help using the PasswordRecovery control in .net 2.0. My situation is that the application has changed from storing the passwordformat as Hashed to Clear. The problem is the newly created users have a clear password stored and there are still users with hashed passwords. When I use the passwordRecovery control as below for users w...

sending username and password through email after user registration in web application

What is your opinion on sending the username and password to their email address when they register on our website? This way, if they forget the password in the future, they can look it up in their email. Also, we won't have to implement the forgot/reset password scenario (we are close to release). Is this approach safe enough? My second...

Should I be encrypting contents of browser / javascript memory?

This is a security best practice and I'm wondering if I should even be wasting my time with this. In the same vein of an initial crack of the Blu-ray movie format, hackers just inspected the memory of a player to snoop out a key value. It seems like it's feasible to do the same thing with browser memory, and to look at values that th...

Any logical loop holes in this idea for preventing Cross Site Request Forgery?

I've read several XSRF solutions that rely on adding more tokens to the response, which do help protect code that only runs on POST, i.e., this would be a one-step attack relying on a page that responds to HTTP GET: <img src="http://amazon.com/buybook/anarchistscookbook/mailto/me/execute.php"> But with better libraries like jquery,...
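The point raised in this question, that a token tied to POST does nothing for a state-changing GET reached through an <img> tag, is easy to see in code. The following is an added example, not code from the question or any answer to it; the route table, field name `csrf_token` and header name `X-CSRF-Token` are assumptions made for the example. A state-changing endpoint requires the session token whatever method reaches it, and the token is accepted either as a form field (plain HTML form) or as a request header (an XHR from jQuery can set it, a cross-site page cannot read it):

```python
import hmac
import secrets

# Methods HTTP treats as safe. A GET handler that changes state is still
# reachable via <img src=...>, so the endpoint list below overrides this.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed route table (assumption): endpoints that mutate state must
# carry a token whatever method reaches them.
STATE_CHANGING_ENDPOINTS = {"/buybook", "/account/email"}


def issue_csrf_token(session: dict) -> str:
    """Mint one unguessable token per session and keep it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(session: dict, method: str, path: str, form: dict, headers: dict) -> bool:
    """Return True if the request may proceed.

    The token may arrive as a form field (classic POST form) or as a request
    header (XHR from a library such as jQuery); either is compared against
    the session copy in constant time.
    """
    needs_token = method.upper() not in SAFE_METHODS or path in STATE_CHANGING_ENDPOINTS
    if not needs_token:
        return True
    expected = session.get("csrf_token")
    presented = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected, presented)
```

An attacker's page can make the victim's browser send cookies to `/buybook`, but it cannot read the victim's session token, so neither the `<img>` GET nor a cross-site XHR passes the check. The remaining hole is any endpoint that changes state without being listed; the safer discipline is to never mutate on GET at all.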

SQL Server limit access to local server only

Is there a way to limit access from SQL Server Management Studio to SQL Server to the database server? Or to a given IP address? The case is that a group of users (in a Windows group) are allowed access to the database via an application, but should be denied access using SQL Server Management Studio. I read several articles about Appl...

Can I access crossdomain files outside the originally requested domain?

Flash Player 10 specifies: "Redirects to policy files outside the originally requested domain will continue to cause policy files to be ignored by Flash Player." Is there a way to access policy files outside the domain? ...

"Remember Me On This Computer" - How Should It Work?

Looking at Gmail's cookies it's easy to see what's stored in the "remember me" cookie. The username/one-time-access-token. It could be implemented differently in cases where the username is secret, as well. But whatever... the thing is not very high security: you steal the cookie and you're ready to go. My question is on the functional ...

PDF Security

I have a question about PDF security preferences. Can I change an editable pdf to readable pdf programmatically? ...

How do I create an Authentication Cookie in a custom MembershipProvider?

I'm trying to create a custom MembershipProvider and I was wondering how I would add my user information to the Authentication Cookie that ASP.NET uses. My goal is to get my authentication to work for both the website and the WCF service with ASP.NET Compatibility mode enabled. ...

SQL Server / ODBC data encryption question

Hello - We would like to force encryption of the data going to and from our customers' SQL databases. Currently, we access the customer databases via ODBC DSNs, using both SQL Management Studio (Query Analyzer) and our custom applications. Yeah, I know this is not "best practices", but I have to deal with it for now. Anyway, I have b...

Are two security keys better than one?

I just implemented a "remember me" feature for a user login on a website. Most advice was to have the userid stored in a cookie, and then have some long, unguessable random key. If both of these match up, the user is considered authenticated. Does having two strings actually help? Wouldn't a longer key do exactly the same thing? In ot...
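Both "Remember Me" questions above (the Gmail cookie layout and whether a user id plus a random key beats one longer key) come down to the same design: the user id and a selector only locate a row, the entropy lives in the random validator, and only a hash of the validator is stored. The following is an added example, not code from either question; the in-memory `TOKEN_STORE`, the `user:selector:validator` cookie layout and the 30-day lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed stand-in for the persistent-login table (assumption). Keyed by
# the selector so the lookup never compares the secret part in SQL.
TOKEN_STORE: Dict[str, dict] = {}


def _hash(validator: str) -> str:
    return hashlib.sha256(validator.encode("ascii")).hexdigest()


def issue_remember_me(user_id: str, ttl_seconds: int = 30 * 24 * 3600) -> str:
    """Return the cookie value 'user_id:selector:validator'.

    user_id and selector only locate the row; all secrecy lives in the
    validator, and only its SHA-256 hash is stored, so a dump of the table
    does not yield usable cookies.
    """
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    TOKEN_STORE[selector] = {
        "user_id": user_id,
        "validator_hash": _hash(validator),
        "expires": time.time() + ttl_seconds,
    }
    return f"{user_id}:{selector}:{validator}"


def check_remember_me(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated user id, or None if the cookie is not valid."""
    now = time.time() if now is None else now
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user_id, selector, validator = parts
    record = TOKEN_STORE.get(selector)
    if record is None or record["expires"] < now:
        return None
    # Constant-time compare so an attacker cannot learn the hash byte by byte.
    if not hmac.compare_digest(_hash(validator), record["validator_hash"]):
        # A known selector with a wrong validator means the cookie was stolen
        # or guessed; burn the row so the genuine holder has to log in again.
        TOKEN_STORE.pop(selector, None)
        return None
    if record["user_id"] != user_id:
        return None
    return user_id


def revoke_remember_me(cookie: str) -> None:
    """Logout: drop the server-side row so the cookie is dead even if it leaks."""
    parts = cookie.split(":")
    if len(parts) == 3:
        TOKEN_STORE.pop(parts[1], None)
```

So the second string does not add security in the sense of entropy; a single 32-byte random key would be exactly as hard to guess. What the separate lookup key buys is a cheap indexed row fetch and a place to hang per-device revocation, without the stored secret ever being compared in the database. As the first question notes, whoever holds the cookie is logged in; expiry, revocation on logout and burning the row on a bad validator are what limit the damage.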

How secure is your password in LDAP?

Is your password more secure in any way if it is stored on LDAP rather than a database or an encrypted file? ...

Protecting against SQL tablename injection - how far is too far?

I'm developing a relatively small application to talk to PostgreSQL, and wanted to get some feedback on how far is too far to go with regards to protecting against SQL injection. The application is in Perl and does not use any ORM modules (just DBI). The SQL statements are constructed in the typical fashion with placeholders: my $sql ...
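Placeholders cover values but not identifiers: a driver cannot bind a table name, so a table name that comes from input has to be resolved against a closed allowlist and only then spliced into the statement. The following is an added example, not code from the question (which is Perl/DBI against PostgreSQL); it uses Python's sqlite3 so it runs stand-alone, and the `ALLOWED_TABLES` map and the schema in `demo_db` are constructed for the example. The double-quote escaping in `quote_ident` follows the SQL standard rule that PostgreSQL also uses.

```python
import sqlite3
from typing import List, Tuple

# Closed allowlist of tables the application may touch (constructed for the
# example). Keys come from untrusted input; values are the real identifiers
# and never derive from the request.
ALLOWED_TABLES = {"users": "users", "orders": "orders"}


def quote_ident(name: str) -> str:
    """Double-quote an identifier, escaping embedded quotes. The allowlist
    already guarantees the name is sane; this guards the splice itself."""
    return '"' + name.replace('"', '""') + '"'


def select_by_id(conn: sqlite3.Connection, table: str, row_id) -> List[Tuple]:
    """Table name via allowlist, row id via a bind placeholder."""
    real = ALLOWED_TABLES.get(table)
    if real is None:
        raise ValueError(f"table not permitted: {table!r}")
    sql = f"SELECT id, label FROM {quote_ident(real)} WHERE id = ?"
    return conn.execute(sql, (row_id,)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema and rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, label TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, label TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO orders VALUES (10, 'order-10');
        """
    )
    return conn
```

With this shape there is no "too far" to worry about: the bound value `"1 OR 1=1"` is compared as data and matches nothing, and any table name outside the map is refused before a statement is built, including names such as `sqlite_master` that exist but were never meant to be reachable.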

Spring Security UserDetails Best Practice

I am using my own implementation of the UserDetailsService interface to load a User object from the Database and place it as UserDetail into my SecurityContext. The User object is then a detached Hibernate object. When I want to access lazy load relations of the authenticated User I need to get it from the SecurityContext and attach it ...

Partial database synchronization between secure and unsecure site?

Hello all, I've been working with a couple different contact management solutions, but my security paranoia prevents me from wanting to put any sensitive data in the cloud. While I'm not dealing with anything like credit transactions that have detailed security requirements, I am considering handling sensitive personal data that I woul...

How can I enforce security or permissions on a bound dataset?

Using a strongly typed dataset and its related table Adapters, normally when I want the changes to pass back, just pass it the table and let it do all the work. What are some easy ways to enforce security roles on the application user as to which fields they can insert/update/delete when the database is using an application ID instead ...

how to impersonate client side of wcf call

Hi, I need some help about WCF and authorization. Currently I have a client which calls a .NET remoting object hosted in a windows service and which is calling a WCF service (with wshttpbinding). The WCF service is using windows authentication with message based security. The windows service is running with a special account. Once a c...

Non-repudiation is duplicated?

When we talk about security we have the following requirements: authentication, integrity, non-repudiation. Isn't the third requirement included in the first two? If we know A sent the message (authentication) and it has not been changed since A sent it (integrity), then how can A repudiate sending it? Please don't talk about dig-sig as...

What is the least dangerous way to allow users to enter code samples?

I'm implementing a Rails application in which users will be able to store snippets of code for later reference. I'm planning to use Markdown for text entry and will probably use the wmd markdown editor. (The very one Stackoverflow uses.) I'm a little concerned about the idea of people entering code into the edit box. From what I underst...