Search Results

Search found 21719 results on 869 pages for 'password security'.

Page 202/869 | < Previous Page | 198 199 200 201 202 203 204 205 206 207 208 209  | Next Page >

• Sanitizing CSS in Rails

  - by Erik

  Hello! I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page. However I am aware of this opening up for many security risks, i e background: url('javascript:alert("Got your cookies! " + document.cookies'). Hence I am looking for a solution to sanitize the CSS while still allowing as much CSS functionality as possible for my users. So my questions if anyone anyone knows of a gem or a plugin to handles this? I've googled my brains out already so any tips would be really appreciated!

  Read the article

• Accepting bank account information in a form

  - by jeffthink

  What security concerns are there when accepting a user's bank account information (account number and routing number) via a form on a page that is using SSL, and posting it back to the server where I then curl off a HTTPS request to send that information to an ACH service like First ACH or ACH Direct via their API? We wouldn't be saving the bank account information in our database. I know another option is to use Paypal's Mass Pay API, but they think it's unprofessional (at least for their business) to require customers to have a paypal account to get paid. Thoughts?

  Read the article

• Using an empty keystore password used to be possible?

  - by TomTasche

  When signing an apk after a long break from Android development I was surprised that I'm no longer able to enter an empty keystore password to unlock it. Is it just me or has this been possible before? If so, when did that change and how can I manage to unlock the keystore anyway? Some background: maybe I'm just crazy and didn't use an empty password for the keystore before, but the one and only possible password that I could have been using instead doesn't work either (I swear, there's no chance I'd have used another password!).

  Read the article

• php Form to Email sanitizing

  - by Jacob

  Hi, im using the following to send a contact us type form, iv looked into security and only found that you need to protect the From: bit of the mail function, as ive hardcoded this does that mean the script is spamproof / un-hijackable $tenantname = $_POST['tenan']; $tenancyaddress = $_POST['tenancy']; $alternativename = $_POST['alternativ //and a few more //then striptags on each variable $to = "[email protected]"; $subject = "hardcoded subject here"; $message = "$tenantname etc rest of posted data"; $from = "[email protected]"; $headers = "From: $from"; mail($to,$subject,$message,$headers);

  Read the article

• Is *not* using the asp.net membership provider a bad idea?

  - by EJB

  Is it generally a really bad idea to not use the built-in asp.net membership provider? I've always rolled my own for my asp.net apps (public facing), and really have not had any problems in doing so. It works, and seems to avoid a layer of complexity. My needs are pretty basic: once setup, the user must use email address and password to login, if they forget it, it will be emailed back to them (a new one). After setup there is little that needs to be done to each user account, but I do need to store several extra fields with each user (full name, telephone and a few other fields etc). The number of users that required login credentials are small (usually just the administrator and a few backups), and everyone else uses the site unauthenticated. What are the big advantages that I might be missing out on by skipping the asp.net membership provider functionality?

  Read the article

• How do I tell which account is trying to access an ASP.NET web service?

  - by Andrew Lewis

  I'm getting a 401 (access denied) calling a method on an internal web service. I'm calling it from an ASP.NET page on our company intranet. I've checked all the configuration and it should be using integrated security with an account that has access to that service, but I'm trying to figure out how to confirm which account it's connecting under. Unfortunately I can't debug the code on the production network. In our dev environment everything is working fine. I know there has to be a difference in the settings, but I'm at a loss with where to start. Any recommendations?

  Read the article

• SQL Server Reporting Services 2008: How to set the credentials property properly?

  - by wgpubs

  No matter how I configure the Credentials property I get a 401 exception when I try to Render the report. Here is my (latest) code: var rs = new ReportExecutionService(); rs.Url = "https://myserver/reportserver/reportexecution2005.asmx"; var myCache = new System.Net.CredentialCache(); myCache.Add(new Uri(rs.Url), "kerberos" , new System.Net.NetworkCredential("username", "password", "Domain")); rs.Credentials = myCache; The URL and credentials are all correct. But still getting a 401 when I cal rs.Render(...). The Reporting Services install is sitting on a Windows Server 2008 box and requires integrated authentication. Thanks

  Read the article

• How does Lastpass recognize actual login?

  - by Pan.student

  We are currently working on simple school project using Codeigniter where we need login page. It would be very useful if Lastpass could recognise and save logins. We have several accounts with different roles and manual insert of login is pretty slow. So I was wondering what needs to be done and where in files (view, controller?) for Lastpass to work as it does on every website. For example this is our login form: <?php echo form_open('login'); ?> <input type="text" id="username" name="username"/> <input type="text" id="password" name="password"/> <input type="submit" value="Login"/> </form> Thanks for help. (could not create new tag "Lastpass" due to low reputation) [SOLVED] changed <input type="text" id="password" name="password"/> to <input type="password" id="password" name="password"/>

  Read the article

• Is is possible to determine a password input string as plaintext or hashed?

  - by Godders

  I have a RESTful API containing a URI of /UserService/Register. /UserService/Register takes an XML request such as: <UserRegistrationRequest> <Password>password</Password> <Profile> <User> <UserName>username</UserName> </User> </Profile> </UserRegistrationRequest> I have the following questions given the above scenario: Is there a way (using C# and .Net 3.5+) of enforcing/validating that clients calling Register are passing a hashed password rather than plaintext? Is leaving the choice of hashing algorithm to be used to the client a good idea? We could provide a second URI of /UserService/ComputePasswordHash which the client would call before calling /UserService/Register. This has the benefit of ensuring that each password is hashed using the same algorithm. Is there a mechanism within REST to ensure that a client has called one URI before calling another? Hope I've explained myself ok. Many thanks in advance for any help.

  Read the article

• Reliably detect caller domain over cURL request?

  - by Utkanos

  OK so server-side security is not my forte. Basically, I'm building a service which users may use (via an SDK) only on the domain they stipulated when they signed up. The SDK calls my web service over cURL in PHP. Would I be right in thinking I cannot reliably detect the caller domain, i.e. enforce that it is the same domain they stipulated when signing up? cURL of course sends this over headers, but headers can always (?) be faked. Is there a better course of action to enforce domain for this sort of thing? (NB I'm already using an API key, too - it's just I wanted to restrict domain, too) Thanks in advance

  Read the article

• Reason to use more cookies than just a session hash for authentication?

  - by dierre

  I usually hang out in a community using vBulletin as its bulletin board. I was looking at what this software saves as cookie in my browser. As you can see it saves 6 cookies. Amongst them, what I consider to be important for authentification are: ngivbsessionhash: hash of the current session ngivbpassword: hash of the password ngivbuserid: user's id Those are my assumptions of course. I don't know for sure if ngilastactivity and ngilastvisit are used for the same reason. My question is: why use all these cookie for authentication? My guess would be that maybe generating a session hash would be to easy so using the hashedpassword and userid adds security but what about cookie spoofing? I'm basically leaving on the client all fundamental informations. What do you think?

  Read the article

• Html encoding in MVC input

  - by fearofawhackplanet

  I'm working through NerdDinner and I'm a bit confused about the following section... First they've added a form for creating a new dinner, with a bunch of textboxes delcared like: <%= Html.TextArea("Description") %> They then show two ways of binding form input to the model: [AcceptVerbs(HttpVerbs.Post)] public ActionResult Create() { Dinner dinner = new Dinner(); UpdateModel(dinner); ... } or: [AcceptVerbs(HttpVerbs.Post)] public ActionResult Create(Dinner dinner) { ... } Ok, great, that all looks really easy so far. Then a bit later on they say: It is important to always be paranoid about security when accepting any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?

  Read the article

• How are CD Keys generated?

  - by The Rook

  CD Keys are the defacto-standard as an anti-piracy measure. To be honest this strikes me as Security Though Obscurity, although I really have no idea how CD Keys are generated. What is a good (secure) example of CD Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators?

  Read the article

• OpenID PAM module

  - by Harvey Kwok

  I am looking for a PAM module that can use OpenID to do the authentication. My idea is that I want to logon my Linux box using my gmail account and password. I found there is a open source project in Google Code which seems to be doing the things I want but I don't see any code available for download. I saw there are so many examples or implementations but they are all about web apps. Is there any non-web based OpenID applications in the world? Is it technically possible to make a non-web based OpenID application? I naively think that it should be possible. I can emulate whatever packets the browser send out to the OpenID provider and get back the result. As long as my Linux box is connected to the Internet, I should be able to use my OpenID to login. Appreciate any comments, suggestions or pointers on how to make an OpenID PAM module. Thanks!

  Read the article

• Disadvantages of hard coding credentials? What's the resolution?

  - by SeeBees

  I am building a Sharepoint web part that will be used by all users. The web part connects to a web service which needs credentials with higher privileges than common users. I hard coded credentials in the web part's code. query.Credentials = new System.Net.NetworkCredential("username", "password", "domain"); query is an instance of the web service class This may not be a good approach. In regard with security, source code of the web apart is available to people who are not allowed to see the credential. This is bad enough, But is there any other drawback of this approach? How to prevent hard coding credentials into the source code? Thanks

  Read the article

• Understanding Nested If.. Else statements

  - by user1174762

  For some reason my PHP login script keeps returning "invalid email/password combination", yet i know I am entering the correct email and password. Does anyone see what I might be doing wrong? <?php $email= $_POST['email']; $password= $_POST['password']; if (!empty($email) && !empty($password)) { $connect= mysqli_connect("localhost", "root", "", "si") or die('error connecting with the database'); $query= "SELECT user_id, email, password FROM users WHERE email='$email' AND password='$password'"; $result= mysqli_query($connect, $query) or die('error with query'); if (mysqli_num_rows($result) == 1) { $row= mysqli_fetch_array($result); setcookie('user_id', $row['user_id']); echo "you are now logged in"; } else { echo "invalid username/password combination"; } } else { echo" you must fill out both username and password"; } ?>

  Read the article

• How to recover Wordpress on GoDaddy hosting after reseting database password? [migrated]

  - by Tom Brito

  I did reset my database password, so I could enter the phpMyAdmin, but now my Wordpress installation can't connect to the database. I tried to access the "wp-config.php" (should be at http://mysite.com/wp-config.php right?) but, again, I get the "can't connect to database" message. Also, now when I try to access the file manager on the GoDaddy hosting, I get "The page isn't redirecting properly". I did e-mail the GoDaddy support, and I'm researching while they do not answer. Not sure if it's a GoDaddy or Wordpress issue. Is there any way to fix Wordpress, or I'll need to re-install it?

  Read the article

• The risk of granting to IUSR* NTFS permissions on a folder on the server

  - by vtortola

  I have two web applications that must share a file in the server file system. Both apps are inside of "Inetpub\wwwroot". The file cannot be accessed freely from outside, so it is in a folder out of "Inetpub". I have granted full NTFS permissions to the user "IUSR_whatever" (is the user that runs IIS in anonymous requests) in that folder. The folder has only that file, and has no other use. It works so far :) But, what is the risk? what should I be afraid of? As I see it, as long the folder is out of the "InetPub" cannot be accessed, and as long the apps don't have any security flaw like "path traversal" or server side code injection, it should be safe enough.... But I'm always keen to be wrong :) What do you think? May the file or even the server itself get compromised because of this? Thanks.

  Read the article

• WYSIWYG-editor with "add custom html feature" and secure (validated) html output?

  - by Tom

  I've been looking into some of the WYSIWYG editors (TinyMCE, FCKEditor, etc.) and they all seem to offer a lot of options. However, one vital feature that seems to lack is a simple "add custom html" option which would allow the user to input any of these embed-snippets you find all around the web these days, for example a youtube video. This is different than a "edit html/source" feature as that requires actual knowledge of html and there is the risk of the user writing invalid code. Another issue that I couldn't find much about is the output html. How would I make sure that this output causes no security invulnerabilities? Even when the user has the ability to add his own html? So, basically, is there an open source WYSIWYG editor which covers these 2 features?

  Read the article

• Is it immoral to put a captcha on a login form?

  - by azkotoki

  In a recent project I put a captcha test on a login form, in order to stop possible brute force attacks. The immediate reaction of other coworkers was a request to remove it, saying that it was inapropiate for that purpose, and that it was quite exotic to see a captcha in that place. I've seen captcha images on signup, contact, password recovery forms, etc. So I personally don't see inapropiate to put a captcha also on a place like that. Well, it obviously burns down usability a little bit, but it's a matter of time and getting used to it. With the lack of a captcha test, one would have to put some sort of blacklist / account locking mechanism, which also has some drawbacks. Is it a good choice for you? Am I getting somewhat captcha-aholic and need some sort of group therapy? Thanks in advance.

  Read the article

• [PHP] md5(uniqid) makes sense for random unique tokens?

  - by Exception e

  I want to create a token generator that generates tokens that cannot be guessed by the user and that are still unique (to be used for password resets and confirmation codes). I often see this code; does it make sense? md5(uniqid(rand(), true)); According to a comment uniqid($prefix, $moreEntopy = true) yields first 8 hex chars = Unixtime, last 5 hex chars = microseconds. I don't know how the $prefix-parameter is handled.. So if you don't set the $moreEntopy flag to true, it gives a predictable outcome. QUESTION: But if we use uniqid with $moreEntopy, what does hashing it with md5 buy us? Is it better than: md5(mt_rand())

  Read the article

• URIs vs Hidden Forms

  - by NateDogg

  I'm working in the Codeigniter framework, and want to send requests to my controller/model that have several variables involved. Is there a difference between passing those variables via a hidden form (i.e. using "post") as opposed to passing them through URIs (e.g. 'travel/$month/$day/')? What about security concerns? e.g. URIs: http://www.example.com/travel/$month/$day/ Hidden Form: form_hidden('month',$month); form_hidden('day',$day);

  Read the article

• REST authentication S3 like hmac sha1 signature vs symetric data encryption.

  - by coulix

  Hello stackers, I was arguing about an S3 like aproach using authorization hash with a secret key as the seed and some data on the request as the message signed with hmac sha1 (Amazon S3 way) vs an other developer supporting symetric encryption of the data with a secret key known by the emiter and the server. What are the advantage of using signed data with hmac sha1 vs symetric key other than the fact that with the former, we do not need to encrypt the username or password. What would be the hardest to break ? symetric encryption or sha1 hashing at la S3 ? If all big players are using oauth and similar without symetric key it is sure that there are obvious advantages, what are those ?

  Read the article

• I'm trying to implement 2 factor authentication on the cheap. How would I do that?

  - by Biff MaGriff

  Ok so I need 2 of the 3. Something the user knows. Something the user has. Something the user is. I have a system that is exposed to the internet and we need clients to connect in a secure manner to satisfy our security standards. I'm thinking when a user registers to use our system we send them an application that they install on their home system. The application generates a key based on a timed randomness algorithm. Our application server has the same algorithm so when the user submits their credentials with the key we know that they are a legitimate user. Is this a valid method of 2 factor authentication? What is another way of doing this? Are there any pitfalls that I should be aware of? Thanks for your help!

  Read the article

• How to hash and salt passwords

  - by Henrik Skogmo

  I realize that this topic have been brought up sometimes, but I find myself not entirely sure on the topic just yet. What I am wondering about how do you salt a hash and work with the salted hash? If the password is encrypted with a random generated salt, how can the we verify it when the user tries to authenticate? Do we need to store the generated hash in our database as well? Is there any specific way the salt preferably should be generated? Which encryption method is favored to be used? From what I hear sha256 is quite alright. And lastly, would it be an idea to have the hash "re-salted" when the user authenticates? Thank you!

  Read the article

< Previous Page | 198 199 200 201 202 203 204 205 206 207 208 209  | Next Page >