security

问题 This question already has answers here : Closed 8 years ago . Possible Duplicate: PHP Session Security I am using sessions all throughout my application. I want to make them much more secure. Currently I am using code like $username = $_SESSION['username']; and the like. How do I make my sessions more secure? 回答1: The first thing you'll want to watch out for is Session Hijacking. To quote Wikipedia: In computer science, session hijacking refers to the exploitation of a valid computer session

问题 I want to check that my program is not modified (cracked). So I want program to calculate md5 from self exe and compare. if(GetMD5FromSelf() != "hash") Application.Exit(); //modified so exit But when I put hash to string then the md5 of file will get changed. Is there any way to do this? 回答1: These are some ways you could do it, Option 1 You could store the hash online, This is probably safer because if someone is going to change your program they can also change the hash. Option 2 You could

问题 Background What is the best way to apply granular right level restriction in ASP.Net core. I've have already set up authentication and my application issues tokens that that expire after a certain amount of time. My web app also makes use of roles and rights, where a certain role is can be associated with a set of rights. I've seeded the rights and restricted access to them in that even admin users cannot change, create or deleted any (i.e. read-only). The roles on the other hand are dynamic,

问题 Before asking i searched SO and found this answer which essentially says GUID are predictable and thus should never be used for anything random. But from my understanding i disagree. However this question is about squishing a GUID From my understanding a GUID is made of part MAC address, time and random number. I dont know what part of the GUID is what but this function essentially uses it as 2 64bit ints and XOR them together. I currently use the result as 1) A reset key for people who want

问题 I found with my browser inspector some private credentials located in my environment file. They're not hidden ? That's not secure... I did something wrong ? 回答1: If you included them in your environment.ts in your Angular project then they will not be hidden. You can not include any secret values directly in your front-end Angular project as everything will be transferred to the client. If you need to use a secret of some kind then usually they are only accessible by your back-end code and

问题 Is there any security risks involved in using $_SERVER['REQUEST_URI'] to include a file? Can you pass ../../.. through the request uri somehow? What I'm thinking is something like this: <?php $path = $_SERVER['REQUEST_URI']; $path = preg_replace('~\\.html?$~', '.php', $path); include $path; ?> This should substitute ".htm" or ".html" URIs for ".php" paths and render them. But I am concerned about security here. 回答1: $_SERVER['REQUEST_URI'] contains the requested URI path and query string as

问题 Is there any security risks involved in using $_SERVER['REQUEST_URI'] to include a file? Can you pass ../../.. through the request uri somehow? What I'm thinking is something like this: <?php $path = $_SERVER['REQUEST_URI']; $path = preg_replace('~\\.html?$~', '.php', $path); include $path; ?> This should substitute ".htm" or ".html" URIs for ".php" paths and render them. But I am concerned about security here. 回答1: $_SERVER['REQUEST_URI'] contains the requested URI path and query string as

问题 I just read Configuring ClickOnce Trusted Publishers and got it running at another computer on network. I deployed the application on network itself (that is, \\\abc\something ). Though I could not find certmgr.exe as part of Windows core component, as the article says (..so you will need to use the certificate management console (certmgr.exe) included in Windows..), I instead found it at "C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin". It worked fine, but did I miss something? I mean,

问题 I have a string in my code that I use as a secret when I communicate with my server. What is the best way to encypt this string to ensure that a hacker will not be able to find it out by searching my binary or looking into the memory during run time? (if possible to prevent at all?) What are some measures you would suggest to at least make this as diffcult as possible? 回答1: A far better approach would be to monitor use from your server and try to detect usage patterns that did not match your

问题 I came to a security concern while doing $http.post requests that are received by the backend of my app. I can see all the data that is being sent using for example firebug in Firefox. Are third parties able to sniff this data? It would be disastrous if someone sniffed the password when someone registers a new account. Is there a way to secure my AngularJS front-end so that someone won't be able to steal the data in the POST request? Any advice will be appreciated :) 回答1: No javascript can