security
IIS Returning Old User Names to my application
I’ve had similar issues lately and as stated in Robert MacLean’s answer, AviD’s group policy changes don’t work if you’re not logging in as the users. I found changing the LSA Lookup Cache size as described in MS KB946358 worked without rebooting or recycling any app pool or services. I found this as an answer to … Read more
Facebook login – how to develop on both localhost and in production?
Update: As of 2018 the path to this setting is now Products > Facebook Login > Settings > Client OAuth Settings; the rest of this answer is still valid. There is a better way. You just need to add valid callback URLs for your localhost to Settings > Advanced > OAuth Settings. This method allows … Read more
How to store passwords in Winforms application?
The sanctified method is to use CryptoAPI and the Data Protection APIs. To encrypt, use something like this (C++): DATA_BLOB blobIn, blobOut; blobIn.pbData=(BYTE*)data; blobIn.cbData=wcslen(data)*sizeof(WCHAR); CryptProtectData(&blobIn, description, NULL, NULL, NULL, CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, &blobOut); _encrypted=blobOut.pbData; _length=blobOut.cbData; Decryption is the opposite: DATA_BLOB blobIn, blobOut; blobIn.pbData=const_cast<BYTE*>(data); blobIn.cbData=length; CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut); std::wstring _decrypted; _decrypted.assign((LPCWSTR)blobOut.pbData,(LPCWSTR)blobOut.pbData+blobOut.cbData/sizeof(WCHAR)); If … Read more
Authentication, Authorization, User and Role Management and general Security in .NET
For coarse-grained security, you might find the inbuilt principal code useful; the user object (and their roles) are controlled in .NET by the “principal”, but usefully the runtime itself can enforce this. The implementation of a principal can be implementation-defined, and you can usually inject your own; for example in WCF. To see the runtime … Read more
Encrypting credentials in a WPF application
Here’s a summary of my blog post: How to store a password on Windows? You can use the Data Protection API and its .NET implementation (ProtectedData) to encrypt the password. Here’s an example: public static string Protect(string str) { byte[] entropy = Encoding.ASCII.GetBytes(Assembly.GetExecutingAssembly().FullName); byte[] data = Encoding.ASCII.GetBytes(str); string protectedData = Convert.ToBase64String(ProtectedData.Protect(data, entropy, DataProtectionScope.CurrentUser)); return protectedData; … Read more
HTML encode user input when storing or when displaying
I’d strongly suggest encoding information on the way out. Storing raw data in the database is useful if you wish to change the way it’s viewed at a certain point. The flow should be something similar to: sanitize user input -> protect against SQL injection -> DB -> encode for display. Think about a situation … Read more
WebSockets authentication
If you’re already doing authentication for the non-websocket part of your app, just pass the session cookie along as the first message after connecting and check the cookie as you normally would. WARNING: It’s been pointed out that the following doesn’t work when flashsockets are used: If you’re using socket.io, it’s even easier—the cookies are … Read more
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
The comment by Rory that the proxy would have to use a self-signed cert is not strictly true. The proxy could be implemented to generate a new cert for each new SSL host it is asked to deal with and sign it with a common root cert. In the OP’s scenario of a corporate environment … Read more