EzDevInfo.com

Will web browsers cache content over https

Will content requested over https still be cached by web browsers or do they consider this insecure behaviour? If this is the case is there anyway to tell them it's ok to cache?

Are HTTPS headers encrypted?

When sending data over HTTPS, I know the content is encrypted, however I hear mixed answers about whether the headers are encrypted, or how much of the header is encrypted.

How much of HTTPS headers are encrypted?

Including GET/POST request URLs, Cookies, etc.

How to secure database passwords in PHP?

When a PHP application makes a database connection it of course generally needs to pass a login and password. If I'm using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere. What is the best way to secure that password? It seems like just writing it in the PHP code isn't a good idea.

How can I prevent SQL-injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

Why is char[] preferred over String for passwords in Java?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords.

Why does String pose a threat to security when it comes to passwords? It feels inconvenient to use char[].

Why Does OAuth v2 Have Both Access and Refresh Tokens?

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token:

http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2

Why have both? Why not just make the access_token last as long as the refresh_token and not have a refresh_token?

PreparedStatement IN clause alternatives?

What are the best workarounds for using a SQL IN clause with instances of java.sql.PreparedStatement, which is not supported for multiple values due to SQL injection attack security issues: One ? placeholder represents one value, rather than a list of values.

Consider the following SQL statement:

SELECT my_column FROM my_table where search_column IN (?)

Using preparedStatement.setString( 1, "'A', 'B', 'C'" ); is essentially a non-working attempt at a workaround of the reasons for using ? in the first place.

What workarounds are available?

What is the best way to implement "remember me" for a website? [closed]

I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website.
I know I will need to store a cookie on their computer to implement this, but what should be contained in that cookie?

Also, are there common mistakes I need to watch out for to keep this cookie from presenting a security vulnerability, that could be avoided while still giving the 'remember me' functionality?

How are Software License Keys generated?

License Keys are the defacto-standard as an anti-piracy measure. To be honest this strikes me as (in)Security Through Obscurity, although I really have no idea how License Keys are generated. What is a good (secure) example of License Key generation? What cryptographic primitive (if any) are they using? Is it a message digest? If so what data would they be hashing? What methods do developers employ to make it difficult for crackers to build their own key generators? How are key generators made?

Why is JsonRequestBehavior needed?

Why is Json Request Behavior needed?

If I want to restrict the HttpGet requests to my action I can decorate the action with the [HttpPost] attribute

Example:

[HttpPost]
public JsonResult Foo()
{
    return Json("Secrets");
}

// Instead of:
public JsonResult Foo()
{
    return Json("Secrets", JsonRequestBehavior.AllowGet);
}

Why isn't [HttpPost]sufficient?
Why the framework "bugs" us with the JsonRequestBehavior.AllowGet for every JsonResult that we have. If I want to deny get requests I'll add the HttpPost attribute.

Authentication versus Authorization

What's the difference in web application? In short, please.

P.S. I see abbreviation "auth" a lot. Does it stands for auth-entication or for auth-orization? Or both?

Why is using the JavaScript eval function a bad idea?

The eval function is a powerful and easy way to dynamically generate code, so what are the caveats?

Is either GET or POST more secure than the other?

When comparing an HTTP GET to an HTTP POST, what are the differences from a security perspective? Is one of the choices inherently more secure than the other? If so, why?

I realize that POST doesn't expose information on the URL, but is there any real value in that or is it just security through obscurity? Is there ever a reason that I should prefer POST when security is a concern?

Edit:
Over HTTPS, POST data is encoded, but could URLs be sniffed by a 3rd party? Additionally, I am dealing with JSP; when using JSP or a similar framework, would it be fair to say the best practice is to avoid placing sensitive data in the POST or GET altogether and using server side code to handle sensitive information instead?

Is "double hashing" a password less secure than just hashing it once?

Is hashing a password twice before storage any more or less secure than just hashing it once?

What I'm talking about is doing this:

$hashed_password = hash(hash($plaintext_password));

instead of just this:

$hashed_password = hash($plaintext_password);

If it is less secure, can you provide a good explanation (or a link to one)?

Also, does the hash function used make a difference? Does it make any difference if you mix md5 and sha1 (for example) instead of repeating the same hash function?

Note 1: When I say "double hashing" I'm talking about hashing a password twice in an attempt to make it more obscured. I'm not talking about the technique for resolving collisions.

Note 2: I know I need to add a random salt to really make it secure. The question is whether hashing twice with the same algorithm helps or hurts the hash.

SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using mysql_real_escape_string() function?

Consider this sample situation. SQL is constructed in PHP like this:

$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));

$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";

I have heard numerous people say to me that a code like that is still dangerous and possible to hack even with mysql_real_escape_string() function used. But I cannot think of any possible exploit?

Classic injections like this:

aaa' OR 1=1 --

do not work.

Do you know of any possible injection that would get through the PHP code above?