
PHP User Authentication with Sessions

拥有回忆 submitted on 2019-12-23 03:57:23
Question: So my question is very basic. When checking if a user is still logged in on any page, I'll use if (isset($_SESSION['user']) && $_SESSION['user'] == true) { CODE } But, shouldn't I use a hashed value instead of a boolean value for the $_SESSION['user']? All the guides I find are using boolean values, but from my point of view that is a security leak, isn't it? People are talking about Session-Hijacking and Session-Fixation all the time, and that would be very easy if I just used boolean values

How do I use another identity to execute my code in ASP.NET provided I have a username and password

Deadly submitted on 2019-12-23 03:45:16
Question: I'm building a small web based management app. Within it I need to connect to different servers using different accounts via WMI. What I want is to tell my app: you are now run by user1, do this and this. And then I want to tell it: now you are user2, do this and this. I guess I'm not all that clear with my question; I'll refactor it. Answer 1: You would have to write a separate piece of .NET code (some unmanaged calls too) to perform impersonation of your user, then call your code whilst

Why can I view my PHP source code online?

爷,独闯天下 submitted on 2019-12-23 03:44:08
Question: I purchased a very well-known 3rd-party PHP-based forum software. Uploaded it to my server, ran it for a few weeks. This morning, when I visited my site, it displayed all the PHP code, including all the comments etc., like what you will see if you open it with Notepad. It was very scary; my database config, which is in a PHP file, was also visible. What happened? I have no choice but to take my website down now. What should I do? How can one view PHP code? I thought PHP code was very safe? Has somebody hacked my

Java .policy file - how to prevent java.util.Date() from being accessible

白昼怎懂夜的黑 submitted on 2019-12-23 03:43:10
Question: I am playing around with the Java .policy file and was wondering how I could go about doing something like preventing calls to java.util.Date(), as an example. I just want to get a better sense of how the .policy file works and how it can be used to sandbox code. Answer 1: You'll be out of luck there, I'm afraid. As Paŭlo Ebermann says, package.access can block out package hierarchies. You can be more precise about this with a custom SecurityManager, which is usually a damn good indication you are

Domain security involving domain logic

隐身守侯 submitted on 2019-12-23 03:42:17
Question: Together with my application's domain logic I am trying to outline the security model. I am stuck with a requirement that prevents me from considering security just a cross-cutting concern over my domain logic. Here follows my situation. A user in my system can potentially be allowed to create a certain kind of objects, say, 'filters'. I introduce a permission called 'CREATE_FILTER', and a user is either allowed to create filters or not, depending on whether the admin assigned such a

BouncyCastle on the server side with Android phones as clients

本小妞迷上赌 submitted on 2019-12-23 03:37:09
Question: I'm currently having some difficulties with getting BouncyCastle to work. I've been searching on this for a couple of days now, so I'm hoping you can provide any helpful insights. Here's the set-up. Using the REST protocol, the Android client sends POST messages to the server. I made a separate project with classes representing these messages, so that I can include this as a library on both the client and the server. The message objects are first parsed to a JSON string and afterwards interpreted on

Struts 2 security vulnerability issue

做~自己de王妃 submitted on 2019-12-23 03:30:25
Question: We have projects using Struts 2.0 and 2.1. We're using web hosting with Tomcat and both projects are working fine on remote servers. Recently, we got a warning message from the web hosting provider, like: This notice is to inform you that recently numerous vulnerabilities have been discovered related to Struts and Struts2 frameworks and other frameworks which use OGNL classes. Since your application is using Struts or Struts2 framework, we HIGHLY recommend that you URGENTLY update it to the most

Setting ACE slow for folder with many files

巧了我就是萌 submitted on 2019-12-23 03:22:43
Question: We have created an application which provides the ability to set a recursive "Deny" on a Windows folder for a certain Active Directory group. Basically the same as going into the properties dialog in Windows Explorer, clicking on Security and then adding an AD group with the permission of Deny. We are using this code: public void DenyAccessInherited(string DomainAndSamAccountName) { SetPermissionAndInherit(this.FolderPath, NTFSPermission.PropagationFlags.CONTAINER_AND_OBJECT_INHERIT_ACE,

What to use to generate OAuth 2 access token

假装没事ソ submitted on 2019-12-23 03:18:10
Question: So I am playing around with trying to implement OAuth 2 as closely as I can for this API I am building. I am at the point where I need to generate the access_token; however, I am trying to figure out the best method of doing this. I have read in various places where people are encrypting the relevant information into the access_token (like expiry date, client id, etc...) in order to prevent a database lookup on each API call. I was thinking about that and thought, how does that way of generating the

Modifying security on installed certificates

自闭症网瘾萝莉.ら submitted on 2019-12-23 03:13:02
Question: We are working on creating an installation package for a WCF-based web service. The service uses message-level encryption via an installed certificate. I am trying to come up with an automated way to both install the certificate and set its permissions. Currently, we are manually installing the certificate via the MMC snap-in. After it is installed, we need to find the file containing the installed certificate and modify the permissions so that the Network Service account can access it. The