Symfony 4+, 2019+ Approach In symfony 4 (probably 3.3 also, but only real-tested in 4) you can inject the Security service via auto-wiring in the controller like this: <?php use Symfony\Component\Security\Core\Security; class SomeClass { /** * @var Security */ private $security; public function __construct(Security $security) { $this->security = $security; } public function privatePage() : Response … Read more
There are several techniques, which when used together provide a sufficient CSRF protection. Unique Token A single, session-specific token is good enough for most applications. Just make sure that your site doesn’t have any XSS vulnerabilities, otherwise any kind of token technique you employ is a waste. AJAX call to regenerate the token is a … Read more
Actually Firefox has started to do the same: How to fix a website with blocked mixed content It makes sense. If the user access a site using HTTPS is expecting to have a secured experience, and he may not be aware of parts of the application loading under not secure connections. That is the reason … Read more
Thread.CurrentPrincipal is the way .NET applications represent the identity of the user or service account running the process. It can hold one or more identities and allows the application to check if the principal is in a role through the IsInRole method. Most authentication libraries in .NET will verify the user’s credentials and set this … Read more
Kill all instances and try again. Had the same problem today and after I killed chrome it works.
You don’t need to push the user’s ID via ajax. You should, on the server side, use the fbsr_{app_id} cookie which holds the signed_request. Parse this signed_request using your ‘secret’ app_secret issued by FB to get the ‘user_id’. NOTE: a successful parse also shows that the cookie data provided by FB is not tampered with. … Read more
I don’t think you can do that with the WCF Test Client. It’s a fairly limited and simplistic tool – works great in simple scenarios, but stops fairly quickly. If you need more features and abilities, you might want to look at SoapUI which is a SOAP/web services testing tool and works quite well – … Read more
You are correct: in .NET 4, leaving the APTCA on there makes the assembly SecurityTransparent, and that may be what’s causing you grief. The MSDN article Migrating an APTCA Assembly to the .NET Framework 4 has a good discussion and explanation of the changes to the AllowPartiallyTrustedCallersAttribute in .NET 4. Specifically: The AllowPartiallyTrustedCallers attribute has … Read more
Is it possible to steal a cookie and authenticate as an administrator? Yes it is possible, if the Forms Auth cookie is not encrypted, someone could hack their cookie to give them elevated privileges or if SSL is not require, copy someone another person’s cookie. However, there are steps you can take to mitigate these … Read more