Search Results

Search found 97980 results on 3920 pages for 'code security'.

Page 302/3920

  • Understanding CSRF - Simple Question

    - by byronh
    I know this might make me seem like an idiot, I've read everything there is to read about CSRF and I still don't understand how using a 'challenge token' would add any sort of prevention. Please help me clarify the basic concept, none of the articles and posts here on SO I read seemed to really explicitly state what value you're comparing with what. From OWASP: In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires. If I understand the process correctly, this is what happens. I log in at http://example.com and a session/cookie is created containing this random token. Then, every form includes a hidden input also containing this random value from the session which is compared with the session/cookie upon form submission. But what does that accomplish? Aren't you just taking session data, putting it in the page, and then comparing it with the exact same session data? Seems like circular reasoning. These articles keep talking about following the "same-origin policy" but that makes no sense, because all CSRF attacks ARE of the same origin as the user, just tricking the user into doing actions he/she didn't intend. Is there any alternative other than appending the token to every single URL as a query string? Seems very ugly and impractical, and makes bookmarking harder for the user.

  • java keytool question

    - by user384706
    Hi, I created a java keystore programmatically of type jks (i.e. default type). It is initially empty so I created a DSA certificate. keytool -genkey -alias myCert -v -keystore trivial.keystore How can I see the public and private keys? I.e. is there a command that prints the private key of my certificate? I could only find keytool -certreq which in my understanding prints the certificate as a whole: -----BEGIN NEW CERTIFICATE REQUEST----- MIICaTCCAicCAQAwZTELMAkGA1UEBhMCR1IxDzANBgNVBAgTBkdyZWVjZTEPMA0GA1UEBxMGQXRo BQADLwAwLAIUQZbY/3Qq0G26fsBbWiHMbuVd3VICFE+gwtUauYiRbHh0caAtRj3qRTwl -----END NEW CERTIFICATE REQUEST----- I assume this is the whole certificate. How can I see private (or public key) via keytool? Thank you

  • Securing Elmah RSS Feeds in ASP.NET website

    - by olivehour
    I followed the answer to this question http://stackoverflow.com/questions/1245364/securing-elmah-in-asp-net-website to restrict access to the elmah handler. However, it seems that adding an RSS feed to Outlook for the URL elmah.axd/rss or elmah.axd/digestrss bypasses the authentication. What's the point of securing the handler if someone can guess the RSS URL and subscribe to a feed of the error log?

  • Flash: Adjust this code to keep the duplicated movie clip

    - by Luke Evans
    OK, so here is my code:

        ham_mc.onPress = function() {
            startDrag(this);
        }
        ham_mc.onRelease = ham_mc.onReleaseOutside = function() {
            stopDrag();
            _root.ham_mc.duplicateMovieClip("ham_mc" + "x", 2);
            x++;
        }

    The user can at first drag the movie clip. When released, the duplicateMovieClip command runs, leaving a new ham movie clip in the position the first is dragged to. PROBLEM: When I click and drag the first ham movie clip again, the duplicateMovieClip runs again but REPLACES the previously generated movie clip. I added x and x++ in an attempt to give the movie clip duplication a different name every time, but this doesn't solve it. How do I change this code so that a NEW ham_mc is created every time, rather than overwriting the old one? I'm tired, sorry for the poor explanation!

  • XSLT: Disable output escaping in an entire document.

    - by Kragen
    I'm trying to generate some C# code using xslt - it's working great until I get to generics and need to output some text like this:

        MyClass<Type>

    In this case I've found that the only way to emit this is to do the following:

        MyClass<xsl:text disable-output-escaping="yes">&lt;</xsl:text>Type<xsl:text disable-output-escaping="yes">&gt;</xsl:text>

    Where:

      * Often it all needs to go on one line, otherwise you end up with line breaks in the generated code
      * In the above example I technically could have used only 1 <xsl:text />, however usually the type Type is given by some other template, e.g: <xsl:value-of select="@type" />

    I don't mind having to write &lt; a lot, but I would like to avoid writing <xsl:text disable-output-escaping="yes">&lt;</xsl:text> for just a single character! Is there any way of doing disable-output-escaping="yes" for the entire document?

  • Rhino - Set FEATURE_LOCATION_INFORMATION_IN_ERROR in code?

    - by Scott
    I'd like fileName, lineNumber and stack traces to automatically be provided by Rhino for any errors. I've been told that I need to set FEATURE_LOCATION_INFORMATION_IN_ERROR on the current context, but I'm not sure how to do this in code. Does anybody have an example of turning this feature on so that I can see stacktrace dumps on crashes? I'm using Rhino as part of Narwhal/Jack, and so that complicates things a bit, and I think the easiest way to at least get moving forward is if I can set it through code. Thanks.

  • Can per-user randomized salts be replaced with iterative hashing?

    - by Chas Emerick
    In the process of building what I'd like to hope is a properly-architected authentication mechanism, I've come across a lot of materials that specify that:

      * user passwords must be salted
      * the salt used should be sufficiently random and generated per-user
      * ...therefore, the salt must be stored with the user record in order to support verification of the user password

    I wholeheartedly agree with the first and second points, but it seems like there's an easy workaround for the latter. Instead of doing the equivalent of (pseudocode here):

        salt = random();
        hashedPassword = hash(salt . password);
        storeUserRecord(username, hashedPassword, salt);

    Why not use the hash of the username as the salt? This yields a domain of salts that is well-distributed, (roughly) random, and each individual salt is as complex as your salt function provides for. Even better, you don't have to store the salt in the database -- just regenerate it at authentication-time. More pseudocode:

        salt = hash(username);
        hashedPassword = hash(salt . password);
        storeUserRecord(username, hashedPassword);

    (Of course, hash in the examples above should be something reasonable, like SHA-512, or some other strong hash.) This seems reasonable to me given what (little) I know of crypto, but the fact that it's a simplification over widely-recommended practice makes me wonder whether there's some obvious reason I've gone astray that I'm not aware of.

  • Cleaning all inline events from HTML tags

    - by Itay Moav
    For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc). I am thinking, isn't it enough to encode the following chars? =,(,) So onclick="location.href='ggg.com'" will become onclick%3D"location.href%3D'ggg.com'" What am I missing here? Edit: I do need to accept active HTML (I can't escape it all or entities is it).

  • WCF REST based services authentication schemes

    - by FlySwat
    I have a simple authentication scheme for a set of semi-public REST APIs we are building:

                                                        /-----------------------\
                                                        | Client POST's ID/Pass |
                                                        | to an Auth Service    |
                                                        \-----------------------/
        [Client] ------------POST----------------------> [Service/Authenticate]
                                                                  |
                                                    /-------------------------------\
                                                    | Service checks credentials    |
        [Client] <---------Session Cookie-------    | and generates a session token |
           |                                        | in a cookie.                  |
           |                                        \-------------------------------/
           |
        [Client] -----------GET /w Cookie -------------> [Service/Something]
                                                                  |
                                                    /----------------------------------\
                                                    | Client must pass session cookie  |
                                                    | with each API request            |
                                                    | or will get a 401.               |
                                                    \----------------------------------/

    This works well, because the client never needs to do anything except receive a cookie, and then pass it along. For browser applications, this happens automatically by the browser; for non-browser applications, it is pretty trivial to save the cookie and send it with each request. However, I have not figured out a good approach for doing the initial handshake from browser applications. For example, if this is all happening using an AJAX technique, what prevents the user from being able to access the ID/Pass the client is using to handshake with the service? It seems like this is the only stumbling block to this approach and I'm stumped.

  • How do I sign variables?

    - by acidzombie24
    I have a few variables that must be stored on the client side. As usual, anything on the client side can be tampered with. I would like to sign a few variables and verify them when the data is sent back to the server. At the moment I think they are 5 64bit vars. On the server I would like to sign those 5 variables, then ensure the signature is valid when the client sends it back. How do I do this using C# .NET?

  • Problem exporting RSA key -'key not valid for use in specified state'

    - by asp316
    I'm encrypting the web.config in our web sites using aspnet_regiis. However, I want the ability to export the encryption key so if we need to move from Machine A to Machine B, asp.net will be able to decrypt it. When I run aspnet_regiis -px "NetFrameworkConfigurationKey" c:\keys.xml -pri, I get the following: 'Key not valid for use in specified state'. I've seen all kinds of responses online but they don't seem to apply. It's not an invalid key because when I use aspnet_regiis to encrypt sections of the web.config, they encrypt fine. Ideas?

  • How to force client (winform) application to use NTLM when calling web services

    - by peanut
    Hi, I have a winform application calling web services hosted in IIS. By default, the client app will use Kerberos for authentication to IIS, and it failed for some reason? But the same app works fine on another PC (with a different user login), and I found it is using NTLM by checking the IIS server event log. Is there any way we can change the client app (winform) authentication type? Thanks in advance

  • Abstract out repeated code

    - by CookieMonster
    The code in this event is repeated exactly in two other event handlers. How do I put the repeated code into a method and call that method from the event handlers so I only have to maintain it in one place? I'm not sure how to pass the event args to the calling method.

        protected void gvDocAssoc_RowDataBound(object sender, GridViewRowEventArgs e)
        {
            if (e.Row.RowType == DataControlRowType.DataRow)
            {
                if ((Convert.ToString(DataBinder.Eval(e.Row.DataItem, "DETAIL_TYPE_DESC")) == "Transcript") &&
                    (Convert.ToString(DataBinder.Eval(e.Row.DataItem, "INSTITUTION_CODE")) == ""))
                {
                    e.Row.BackColor = System.Drawing.Color.Red;
                }
                if ((Convert.ToString(DataBinder.Eval(e.Row.DataItem, "DETAIL_TYPE_DESC")) == "Certified Diploma") &&
                    (Convert.ToString(DataBinder.Eval(e.Row.DataItem, "INSTITUTION_CODE")) == ""))
                {
                    e.Row.BackColor = System.Drawing.Color.Red;
                }
                if ((Convert.ToString(DataBinder.Eval(e.Row.DataItem, "DOC_TYPE_DESC")) == "Post Graduate conditions") &&
                    (Convert.ToString(DataBinder.Eval(e.Row.DataItem, "INSTITUTION_CODE")) == ""))
                {
                    e.Row.BackColor = System.Drawing.Color.Red;
                }
            }
        }

  • How do I ensure that SOAP requests from a flash client to my ASP server are coming from the flash cl

    - by Gary Benade
    I have a flash based game that has a high score system implemented with a SOAP service. There are prizes involved and I want to prevent someone from using FireBug or similar to discover the webservice path and submit fake scores. I considered using some kind of encryption on the data but am aware that someone could decompile the swf and work out how I did it. I also considered using an IP whitelist but since the incoming data will come from the user's IP and not the server's, that won't work. (I'm sure I'm missing something obvious here...) I know that there is a tried and tested solution for this, but I don't seem to be asking Google the right questions to get to it. Any help and suggestions will be appreciated, thank you.

  • Is there a /users/www-data type directory in RedHat/Fedora?

    - by Yarin
    I'm trying to set up web2py on my Fedora server, and the instructions, written for Debian, are telling me to install it in the /users/www-data directory. I realize that Fedora uses a default 'apache' user for running Apache, and Debian uses a 'www-data' user, but there's no corresponding /users/apache directory on my machine... Here are the instructions: http://web2py.com/book/default/section/11/2

  • Downloading Eclipse's Source Code

    - by digiarnie
    I'm doing a study on large Java projects and would like to view the source code for Eclipse. I have gone to this url (http://wiki.eclipse.org/index.php/CVS_Howto) and figured that the most useful cvs repository for me to look at would be this one: :pserver:[email protected]:/cvsroot/eclipse (The Eclipse platform project) However, when looking at this repository, it has so many modules! Which modules should I be trying to check out? I don't necessarily want to build the IDE from source, however, I just want to get the core Eclipse code base to perform some analysis. Would I just check out any modules starting with "org.eclipse..."? Should I be checking out any of the others? Or is there an easier way to get the source? I read somewhere that you can get the source from the binary version of Eclipse but I am unsure where to find the source.

  • How to improve IntelliJ code editor speed?

    - by Hoàng Long
    I have been using IntelliJ (Community Edition) for several months, and at first I was pleased with its speed & simplicity. But now, after upgrading to version 10, it's extremely slow. Sometimes I click a file and then it takes 5 - 15 seconds to open that file (it freezes for that time). I don't know if I have done anything which caused that: I have installed 2 plugins (regex, sql), and had 2 versions of IntelliJ on my machine (now version 9 is removed, only version 10 remains). Are there any tips to improve the speed of a code editor in general, or specifically IntelliJ? I have some experience when using IntelliJ:

      1. Should open IntelliJ a while before working, because it needs time for indexing.
      2. Don't open too many code tabs.
      3. Open as few other programs as possible.

    I'm using 2 GB RAM WinXP, and it just seems fairly enough for Java, IntelliJ & Chrome at the same time.

  • Configure Windows firewall to prevent an application from listening on a specific port [closed]

    - by U-D13
    The issue: there are many applications struggling to listen on port 80 (Skype, Teamviewer et al.), and to many of them that even is not essential (in the sense that you can have a httpd running and blocking the http port, and the other application won't even squeak about being unable to open the port). What makes things worse, some of the apps are... Well, I suppose, that it's okay that the mentally impaired are being integrated in the society by giving them a job to do, but... Programming requires some intellectual effort, in my humble opinion... What I mean is that there is no way to configure the app not to use specific ports (that's what you get for using proprietary software) - you can either add it to windows firewall exceptions (and succumb to undesired port opening behavior) or not (and risk losing most - if not all - of the functionality). Technically, it is not impossible for the firewall to deny an application opening an incoming port even if the application is in the exception list. And if this functionality is built into the Windows firewall somewhere, there should be a way to activate it. So, what I want to know is: whether there exists such an option, and if it does how to activate it.
