How to create .pfx file from certificate and private key?

You will need to use openssl.

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

The key file is just a text file with your private key in it. If you have a root CA and intermediate certs, then include them as well using multiple -in params:

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in …

What is the best way to implement “remember me” for a website? [closed]

Improved Persistent Login Cookie Best Practice

You could use this strategy described here as best practice (2006) or an updated strategy described here (2015): When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie. The login cookie contains a series identifier and …

What is token-based authentication?

I think it’s well explained here — quoting just the key sentences of the long article: The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource – without using their username and password. …

Why is using the JavaScript eval function a bad idea?

1. Improper use of eval opens up your code for injection attacks
2. Debugging can be more challenging (no line numbers, etc.)
3. eval’d code executes slower (no opportunity to compile/cache eval’d code)

Edit: As @Jeff Walden points out in comments, #3 is less true today than it was in 2008. However, while some caching of compiled scripts …

What is the difference between Integrated Security = True and Integrated Security = SSPI?

According to Microsoft they are the same thing. When false, User ID and Password are specified in the connection. When true, the current Windows account credentials are used for authentication. Recognized values are true, false, yes, no, and sspi (strongly recommended), which is equivalent to true.

Are PDO prepared statements sufficient to prevent SQL injection?

The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks. For certain obscure edge-cases. I’m adapting this answer to talk about PDO… The long answer isn’t so easy. It’s based off an attack demonstrated here.

The Attack

So, let’s start off by showing the attack…

$pdo->query('SET NAMES gbk');
$var …

Are HTTPS headers encrypted?

The whole lot is encrypted† – all the headers. That’s why SSL on vhosts doesn’t work too well – you need a dedicated IP address because the Host header is encrypted.

†The Server Name Identification (SNI) standard means that the hostname may not be encrypted if you’re using TLS. Also, whether you’re using SNI or …

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)