The authentication tag has no wiki summary.
2 votes · 1 answer · 63 views
Is “friendly fire” session replay a valid concern?
I've been reading a lot about sessions and security, trying to learn as much as possible before writing too much code. I've read about limiting session replay by including a timestamp within the ...
2 votes · 0 answers · 35 views
Is my websocket session idea practical?
In a situation where all communication (including logging in) between a client (web browser) and server is done over a persistent TLS encrypted websocket, would there be anything inadvisable about ...
0 votes · 1 answer · 51 views
Common techniques to integrate social media login to a website that requires account registration
I have developed websites where users would register with a username of their choice and an entry would be created in a database table that holds their username and some sort of salted password. They ...
0 votes · 1 answer · 157 views
Knowing who the user is in every request (every action, every view, every time)
I have many model classes that are mapped from/to tables using EF. Two of them are User and UserCookie, which are stored in tables Users and UserCookies.
public class User
{
public long UserId { ...
0 votes · 0 answers · 92 views
Login from external application in MVC
We have an ASP.NET MVC application that uses an Identity provider to authenticate users. A new customer now wants to access our application by pressing a button inside their WinForms app.
I started to modify ...
0 votes · 2 answers · 128 views
How does Facebook manage to allow a user unlimited sessions?
I could login through the website, android app, iOS app, the browsers on mobile, and when I log out from one, it doesn't log me out of all of them. Traditionally, you would log out of all the services ...
0 votes · 0 answers · 19 views
What should my redirect URL be for OAuth2.0 in Azure if my application is a local windows application?
I am setting up OAuth2.0 on Azure. I am at the stage where I have been allowed access to the application and a Code has been returned in my redirect URL. My application is a local windows application. ...
0 votes · 0 answers · 42 views
When are request headers read by ASP.NET code
I've got an issue with my MVC 4 website where iOS Safari is automatically sending the DNT header with the first request to the site. Here's my question on StackOverflow. Even though the iPhone has the ...
2 votes · 1 answer · 47 views
Security Pattern to store SSH Keys
I am writing a simple flask application to submit scientific tasks to remote HPC resources. My application in background talks to remote machines via SSH (because it is widely available on various HPC ...
0 votes · 2 answers · 38 views
Separating roles authorization and database
Something really bothers me about the way authorization tends to be done with roles in ASP.NET MVC.
The way it is normally done is that you have a Users table and a Roles table. A User can have many ...
0 votes · 0 answers · 39 views
If OWIN is used on PC and Mac (Mono), then what is the abstraction for claims and authentication?
If the PC implementation of OWIN is Katana, and OWIN doesn't define authentication abstractions, (or authorizations)* then:
What is the abstraction for Authentication (cookies, forms, OAuth, SAML, ...
0 votes · 0 answers · 86 views
Best practice: Secure Android app online authentication
Currently, I develop an Android App needing online authentication for login (and registration).
The main focus is on security. I'm aiming for:
keeping the users’ passwords safe and
preventing MITM ...
1 vote · 1 answer · 68 views
Testing for Authentication loop holes / bugs
We've got a web application which is 99% complete prior to public beta. We're currently securing the site from a security perspective, locking down the server, DB etc. One thing I'm concerned about but ...
1 vote · 2 answers · 118 views
Should all HTTP requests including credentials be made using a POST even if it is actually just a request for data?
Assume there is a request which is going to look up a list of items from a service which requires authorisation (e.g. it's behind a Basic Authentication domain). If the service didn't require ...
0 votes · 0 answers · 53 views
Token-based authorization for a web game
I am lead developer for a multiplayer game in a small startup company. I would like to present here my solution for token based authentication and hear your opinions about possible weak spots. I am ...
0 votes · 0 answers · 14 views
Mobile application: What should be the server authentication strategies?
I am developing a mobile application for the first time and have some confusion around it.
What I plan to do?
The iPhone application will have Sign in with Google where user will authenticate on ...
1 vote · 1 answer · 71 views
Is OAuth suitable for this scenario?
I need to create a simple web application for tracking expenses, with some basic actions (the user must be able to create an account and log in, list expenses, edit them, etc.) with a REST API for each one, ...
1 vote · 0 answers · 140 views
How to authenticate user on php and Node.js
I'm currently developing a little chat page. The main page and user management is written in PHP, and also all the authentication stuff with sessions.
Now I'm planning to run the messaging stuff on a ...
1 vote · 0 answers · 166 views
Authorization and Authentication using multiple types of authentication in MVC
Currently I am managing a team where we're building a new SaaS application.
The way it is currently structured is that we have a solution that has our business logic and data, and a solution that ...
0 votes · 1 answer · 119 views
Is it a good practice to decouple the membership system?
Currently I'm developing a project that basically is built with ASP.NET Web API. The membership system I'm using is ASP.NET Identity. The only problem I'm seeing with this is that the membership ...
1 vote · 1 answer · 91 views
Implicit OAuth2 endpoint vs. cookies
I currently have an app which basically runs two halves of an API - a restful API for the web app, and a synchronisation API for the native clients (all over SSL).
The web app is completely ...
1 vote · 1 answer · 781 views
Most Appropriate Authentication Type for MVC5 project
I am about to start a new ASP.NET MVC5 project and I am planning the authentication / authorization requirements at present.
The client wants Windows authentication, to prevent their users having to ...
0 votes · 1 answer · 64 views
Flexible authorization design in ASP.NET pages?
I'm developing an ASP.NET webforms application with pages which displays information based on the authorization level of the authenticated user (very typical). I will write a simple example of the ...
1 vote · 1 answer · 81 views
How to make sure that reported issues are not caused by wrong credentials or typos of the client? [duplicate]
I have found myself a few times in the situation where a client reports an issue like 'I can no longer log in to my account'.
Sure enough when trying to login with the client's credentials myself ...
1 vote · 3 answers · 242 views
Authentication with If/Else
For keeping the "Administration Panel" secure to those who are logged in, for my web application, is the best practice to use an If/Else Statement?
if($_SESSION['logged_in'] == true) {
include ...
1 vote · 6 answers · 427 views
How to distribute, one virtual token to each person in this world, and make sure nobody gets more than one? [closed]
How to distribute, one virtual token to each person in this world, and make sure nobody gets more than one?
In other words, how to prevent a user from creating more than one user account in a site?
...
4 votes · 1 answer · 113 views
Can someone explain the behind-the-scenes process of connecting an app account to a Facebook account?
I am developing an app that will use the Twitter and Facebook login APIs exclusively.
Suppose a new user downloads the apps and is presented with the option to log in through Facebook or Twitter. The ...
-3 votes · 1 answer · 170 views
Can one determine the creation date of an email account?
Is it possible to determine the creation date of the email supplied with the authentication process flow; or at least determine that the email was/was not created the same day as signup (or ...
1 vote · 0 answers · 50 views
How to handle static-ish content from a CDN with authentication?
I have a website that allows user uploads of content. Part of the design, to date, involves storing the user content on a NAS that has been configured with a separate app pool in IIS that has ...
0 votes · 1 answer · 128 views
How to manage multiple database credentials across multiple projects
We have 10 separate projects that all access the same database. Initially, all 10 projects had database credentials hardcoded into them. I decided to move the credentials into a utility method and ...
0 votes · 0 answers · 61 views
How to have my callbacks authenticated in a REST app?
I'm developing a REST application and I allow my clients to authenticate in several ways (typically using Authorization: Token ... as in OAuth 2.0, but also there's session-based auth option for the ...
1 vote · 0 answers · 53 views
How do I authenticate users from facebook/twitter?
I need to build a site for a mobile app that allows users to sign in with facebook/twitter or sign up as a new user (traditional username/password).
No matter which method the user chooses, they ...
6 votes · 2 answers · 1k views
Best way to hide API key in source code
I need some ideas on how to protect a private API key in an application, specifically in a c# .NET application.
Firstly, I understand that it is theoretically impossible to hide anything in the ...
-2 votes · 3 answers · 111 views
Why does basic HTTP authentication always speak of a username?
In RFC 2617 HTTP Authentication: Basic and Digest Access Authentication they always speak of a username and password for the authentication.
Why should I choose to take a username as identifier for a ...
0 votes · 1 answer · 184 views
Why can't we use unique identifier as combination of email and password? [closed]
To prevent email conflicts in an authentication system, we can surely choose the email and password combination as the unique identifier.
What can prevent me from building an authentication system by treating the unique ...
4 votes · 3 answers · 170 views
Kerberos web authentication
I've developed an internal single-page web app (Unix, Apache & PostgreSQL) protected by a simple login page. Currently, the users have their own login role with a password.
This is starting to get ...
1 vote · 1 answer · 217 views
What kind of user authentication do I need for a RESTful web API
I am building a RESTful web API with ASP.NET Web API 2.
I do not want to use any form of cookies or basic authentication (sends user/pass in cleartext, thus SSL needed).
I do not use/need claims stuff.
I ...
0 votes · 2 answers · 171 views
Limiting certain functionality to development environment only [closed]
I intuitively think that an application should be exactly the same in DEV, QA, and PROD environments. However, I have been asked to add a feature to an application that will only be available in DEV ...
1 vote · 2 answers · 272 views
Is double password protection safe for admin authentication?
I was looking at some of my past code, and I viewed one of the admin boards I've made. I had it set up so that the admin has to define/enter 2 passwords for his account.
Is this really double-safe or ...
2 votes · 0 answers · 147 views
Facebook authentication with an Authoritative Server for a Flash Game
I'm working on a multiplatform game in Flash. This game utilizes Photon Server for authoritative physics and user statistics tracking. I'm looking to leverage Facebook authentication as an alternative ...
1 vote · 1 answer · 351 views
Is it an implementation of a stateful mechanism for Rest API authentication?
In many articles about Rest API's best practices, it is recommended to not depend upon sessions on server side since it leads to a stateful mechanism.
I currently use Play 2.2 framework, with a ...
0 votes · 1 answer · 53 views
Identifying how server is authenticating users
I'm trying to build a bot that will parse the list of classes offered by my university and let me know when the one I'm looking for is open. The problem is that in order to get to the ...
0 votes · 0 answers · 52 views
Validating time-limited HMACs
I'm exploring using HMAC style secret-key authentication with timestamp expiry, but am struggling to get my head around how you validate the timestamp portion.
On the client side you would do:
...
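The two questions above that touch on timestamps (limiting session replay with a timestamp, and validating the timestamp portion of a time-limited HMAC) share one answer: the timestamp must be covered by the MAC, the server must check it against its own clock with a bounded skew window, and anything accepted once inside that window must be remembered so a replay is refused. The following is an added example written for this page, not code from either asker; the shared secret, the 300-second window, and the `sign_request`/`Verifier` names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed for this example: a shared secret and the allowed clock skew.
SECRET = b"shared-secret-for-demo"
MAX_SKEW_SECONDS = 300


def sign_request(method, path, body, timestamp, secret=SECRET):
    """Client side: MAC over method, path, timestamp and body.

    Including the timestamp in the MAC input is what stops an attacker
    from taking a captured request and moving it to a fresh timestamp.
    """
    msg = b"\n".join([method.encode(), path.encode(), str(timestamp).encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks window, MAC, and replay in that order."""

    def __init__(self, secret=SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        # tag -> expiry time; only tags still inside the window need remembering,
        # because anything older is rejected by the window check anyway.
        self.seen = {}

    def verify(self, method, path, body, timestamp, tag, now=None):
        now = time.time() if now is None else now

        # 1. The timestamp is untrusted input: parse it defensively and
        #    require it to lie within +/- max_skew of the server clock.
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"

        # 2. Recompute the MAC over exactly what the client signed and
        #    compare in constant time to avoid a timing side channel.
        expected = sign_request(method, path, body, ts, self.secret)
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"

        # 3. A valid, in-window tag may still be a replay of a request
        #    already accepted; refuse it until the window has passed.
        self._prune(now)
        if tag in self.seen:
            return False, "replay"
        self.seen[tag] = ts + self.max_skew
        return True, "ok"

    def _prune(self, now):
        """Drop remembered tags whose window has closed."""
        for tag, expiry in list(self.seen.items()):
            if expiry < now:
                del self.seen[tag]


if __name__ == "__main__":
    v = Verifier()
    t = int(time.time())
    tag = sign_request("GET", "/items", b"", t)
    print(v.verify("GET", "/items", b"", t, tag))       # (True, 'ok')
    print(v.verify("GET", "/items", b"", t, tag))       # (False, 'replay')
    print(v.verify("GET", "/items", b"", t + 1, tag))   # (False, 'bad signature')
```

The replay cache is in-memory here; behind a load balancer it would have to live in shared storage (or be replaced by a per-client monotonic counter), otherwise a replayed request simply has to land on a different server.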
5 votes · 1 answer · 3k views
Authenticate native mobile app using a REST API
I'm starting a new project soon, which is targeting mobile application for all major mobile platforms (iOS, Android, Windows). It will be a client-server architecture.
The app is both informational ...
2 votes · 1 answer · 242 views
Approach to Authenticate Clients to TCP Server
I'm writing a Server/Client application where clients will connect to the server. What I want to do, is make sure that the client connecting to the server is actually using my protocol and I can ...
1 vote · 1 answer · 354 views
Is this a secure solution for RESTful authentication?
I need to quickly implement a RESTful authentication system for my JavaScript application to use. I think I understand how it should work, but I just want to double check. Here's what I'm thinking -- ...
0 votes · 0 answers · 102 views
Problem with OAuth2 authentication process and session persistence
We're using node-oauth2-provider as an authentication library for our service. The current process for a user to log in is:
POST /oauth2/access_token
Which creates and saves the access_token to the ...
1 vote · 2 answers · 66 views
Authentication at my web site using other credentials
Suppose there are 2 web sites: example.com, which I don't own, and example2.com, which I own. I want to extend the functionality of example.com somehow.
example.com doesn't have any API. I want the users of ...
2 votes · 1 answer · 347 views
Implementing User Authentication on an N-Tier Web Application
I appreciate all help and feedback. Parts bolded are critical parts if this is too verbose. Perhaps it will help to mention I am a green developer. I have found some useful info from related ...
0 votes · 0 answers · 1k views
How secure is this way of authenticating an ASP .NET Web API - creating your own tokens?
http://www.codeproject.com/Articles/630986/Cross-Platform-Authentication-With-ASP-NET-Web-API#_rating
The above link shows exactly how I want to go about authenticating against an ASP .NET Web API. ...