How to describe PasswordValidator rules

The Microsoft.AspNet.Identity.PasswordValidator is configurable with a number of parameters which define the minimum password length and complexity rules. If the user enters a password that does not meet the criteria, PasswordValidator will throw an

ASP.NET MVC5 security best practices file download?

We are building an ASP.NET MVC5 web app which includes serving file downloads. Users are required to login using ASP.NET Identity framework. The files are stored in the database (we are interfacing with a legacy application) and each file is identifi

How to generate a PIN code in Symfony

I'm working right now on a symfony2 web app and I need to generate automatically and randomly pin-code composed by 6 alphanumeric characters example: 14gkf8 kfgh88 this code will be sent by mail to the use, that's how he will connect to the platform.

Applying Non-MVC Attributes to MVC Actions

Our application has the notion of a PermissionAttribute. This attribute is defined in a base layer of our application and our commands and queries are decorated with that attribute. Since this attribute is defined in base layer we can't (and don't wa

osgi security with signed war file

can anybody help me? I would like to use osgi security in my application. Therefore i wrote a security bundle, that grant all bundles that was signed by my keystore. One of my bundles is a war file (Bundle10). If i start the server (glassfish with fe

Security risk of PHP variables

The page I'm building interacts with the java api of another system to retrieve data via the command line. This is triggered from PHP, but needs a valid username and password sent with every call. I don't want to store the username and password in ei

How to prevent a web-based game from being hacked?

I need to build a web based (html/js) game where the user earns/scores points. At the end of the game, the user enters their details on a form and it, along with their score, are submitted to the server (via ajax post) to be stored in a database. The

understand kSecAttrAccessGroup

I was just reading through some source code for an iOS application and I'm curious about the security of the same. It seems that the access group of an application can be specified in the entitlements it was built with. However, if a user unknowingly

How to safely store credentials / application keys?

Developing the application in Ruby on Rails, hosted on Heroku. Our application has several different app IDs/keys assigned by a number of different services (Facebook, Mixpanel, etc). We are now adding a payments system and so we are planning to use

Why is it a bad idea to tell your server to parse HTML in PHP?

You know you can make a server parse HTML pages as PHP (execute PHP code in a HTML doc) using .htaccess? Well, some people say it's bad to do so. Why? Some people also say it opens a security vulnerability in your application. How? The source code is

PHP jail arbitrary code

We have a Java IRC application where users are allowed to execute arbitrary PHP and get the result. Here is one example of what this is used for: btc: <php>$btc = json_decode(file_get_contents('https://btc-e.com/api/2/1/ticker'), true); $ticker = $b

Secure ConnectionString in WinForm Applications

How Can I Secure my ConnectionString in WinForm Application?You can't. Although you can encrypt the connection string in the app.config file, the application needs to be able to decrypt it and it is therefore always possible to retrieve the unencrypt

Secure erasure of a directory

I know how to wipe a file in C# including it's sectors and such. But how do I overwrite the directories themselves? Example: @"C:\mydirectory\" must be unrecoverable gone forever (all files insides are already wiped) so that it will be impossibl

Secure Rails Download

I am building an rails app and I want to secure the user's downloads. The scenario is: There is an item with a download column of "/some_directories/some_file.zip". A user buys the file, goes to "My downloads" page and clicks "Dow

Form submission using $ _SESSION data - safer / correct method?

I currently have a form that has a hidden form field, populated based on a variable in the user's session. A function is called when this form is submitted, which processes the form, and this hidden variable is pretty important to it. Is it better to

Grails + Security Application

Im working on a legacy grails application. I have a couple of tables like this User ( id, name,enterprise_id) Enterprise (id, name) Asset (id,description, enterprise_id) I want to validate that when a certain user wants to access an asset, it has the

Why not use AES for password encryption in PHP?

Everywhere I have seen people talking about storing passwords in a database, they have almost always used MD5. What is wrong with AES, or SHA1?If you store a password encrypted, it can be decrypted. Since many people reuse passwords across many diffe

Password Security ActionMailer

Am I crazy, or is it a bad idea to keep my SMTP username and password for ActionMailer in the actual (development/production) config file? It seems like I should store it an encrypted place, or at the very minimum, exclude it from my Mercurial pushes

Exploit risk & ldquo; back & rdquo; in outbound tcp connections

I am building a server application that will maintain connections to other applications by initiating TCP connections out through a firewall that is only open for outbound traffic to the relevant IP's ports that the application will connect to. What

Windows authentication prompts you for your username / password

I am trying to deploy an application in a client network, with AD/domain controller. My application is a simple asp.net c# application, using windows authentication. I am using win2003. Basically, using VS2008, create a new website, hosted on IIS6.0.

benefits of & ldquo; HTTP authentication with PHP & rdquo;

what are the benefits of using HTTP authentication with PHP (HTTP 401 headers) instead of using a normal form submit authentication??From security perspective, both the form based and HTTP Basic Access Authentication use plain text for sending the au