|
Probably with a PhD in Mathematics and a whole lot of computing power, yes. Can it be brute forced? Yep, given sufficient time, anything can be guessed at until you get it right.
Can some schmuck off the street discover it? No.
|
|
|
|
|
Great, what I wanted to do was create a confirmation email. The link to confirm would include the email address to be confirmed in plain text, and a hashed version of the same email address. So when the email is confirmed I can hash the plain text and compare the two values to make sure it hasn't been tampered with. But I wasn't sure if it was possible to reverse engineer the private key and regenerate the hash value so it would match and bypass the validation.
|
|
|
|
|
Mark J. Miller wrote: The link to confirm would include the email address to be confirmed in plain text, and a hashed version of the same email address. So when the email is confirmed I can hash the plain text and compare the two values to make sure it hasn't been tampered with.
Why send it in plain text at all?? If the people are able to break the hash, then it's trivial for them to fake the address AND create a valid hash for it. Forget the plain text version of the address, it's just a clue to what MIGHT be in the hash. Part of security is divulging as little as possible about what the contents of the hash might be.
Instead, don't compute a one-way hash of the address. Use an symetric encryption scheme where you encrypt the address with the public side of a key pair, convert it to a base 64 string to make it compatible with being in a URL, then stick that in the email. When the link is clicked, the site should convert the base64 string back into the original binary bytes, then run that through the decryption using your private key.
Besides, if the address doesn't show up in your "attempted, but not validated" database table, you can just ignore the address sent to you or log it in a table that tracks invalid validation attempts.
|
|
|
|
|
Thanks, I'm trying to get rid of old, bad habits and instead think and code more securely. Your response is very helpful.
|
|
|
|
|
Use a known secret key on your server, hash the address mixed with the key (xor, say), then send the result.
People won't be able to generate a hash for an address without your key.
Of course this means you'll need to keep the hashcode in your database - in which case you may as well just give them a random confirmation guid.
Guess-the-GUID is guaranteed to be about as fun as 52 card pickup, but with longer playing times.
|
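An added example, not part of any post in this thread: a signed confirmation link in which the server can detect a changed address without the recipient being able to forge one. It uses HMAC-SHA256 rather than the XOR mixing suggested above, and adds an expiry to the signed data. The class and parameter names (ConfirmLink, Issue, Verify, exp, sig) and the key are assumptions, and CryptographicOperations requires .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper; the names ConfirmLink, Issue, Verify, exp and sig are assumptions.
static class ConfirmLink
{
    // Constructed demo key. A real key is random, at least 32 bytes, and stays on the server.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse");

    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // HMAC-SHA256 over address and expiry together, so neither can be changed alone.
    static string Sign(string email, long exp)
    {
        using (var h = new HMACSHA256(Key))
            return B64Url(h.ComputeHash(Encoding.UTF8.GetBytes(email + "\n" + exp)));
    }

    public static string Issue(string email, DateTimeOffset expires)
    {
        long exp = expires.ToUnixTimeSeconds();
        return "email=" + Uri.EscapeDataString(email) + "&exp=" + exp + "&sig=" + Sign(email, exp);
    }

    public static bool Verify(string email, long exp, string sig, DateTimeOffset now)
    {
        if (email == null || sig == null || now.ToUnixTimeSeconds() > exp) return false;
        // Constant-time comparison: do not leak how many leading characters matched.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(Sign(email, exp)), Encoding.ASCII.GetBytes(sig));
    }

    static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        long exp = now.AddHours(24).ToUnixTimeSeconds();
        string sig = Sign("alice@example.com", exp);            // constructed sample address
        Console.WriteLine(Issue("alice@example.com", now.AddHours(24)));
        Console.WriteLine(Verify("alice@example.com", exp, sig, now));              // untouched link
        Console.WriteLine(Verify("mallory@example.com", exp, sig, now));            // address swapped
        Console.WriteLine(Verify("alice@example.com", exp + 86400, sig, now));      // expiry extended
        Console.WriteLine(Verify("alice@example.com", exp, sig, now.AddHours(25))); // link expired
    }
}
```

The signature alone does not make a link single-use; marking the address as confirmed in the database, or the random GUID suggested above, covers that.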
|
|
|
|
"Form Creator". I'm not certain there's a package out there, but basically I'm looking to create a forum for my site that can be integrated into asp.net pages easily and have the ability to change its look and feel so that it blends in with the existing site.
I was thinking of creating a forum from scratch but if there's something already pre-made and pluggable, I'll download and use that instead....
Thanks.
Humble.
|
|
|
|
|
A quick google search found this.
|
|
|
|
|
Hi,
I have several related applications that all use Apache's log4net logging package. This package can use an XML configuration file to configure options. Furthermore, this configuration file can be embedded into the application's general App.config file by doing the following:
<configuration>
<configSections>
<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net"/>
</configSections>
<log4net>
<!--CONFIGURATION STUFF GOES HERE-->
</log4net>
</configuration>
Now, I don't want to have to copy the log4net.config file contents into each of the App.config files, as it is large and would make things more difficult to maintain.
I found that XML has an XInclude extension (see http://www.w3.org/TR/2003/WD-xinclude-20031110)
If I did my googling right, this means that an XML document can specify the content of another XML document to be embedded within it. Therefore, I could theoretically use XInclude to include the contents of my log4net.config file in each App.config file. Below is my attempt:
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
<configSections>
<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net"/>
</configSections>
<xi:include href ="log4net.config" parse="xml" />
</configuration>
However, this does not work - when the code is run the log4net configurator very obviously does not find the embedded content.
Does anyone have any suggestions for how to format the xml file to make this work? Is this even possible within .NET framework?
-klk
|
|
|
|
|
I should mention that viewing the generated config file in Internet Explorer does not do any XInclude processing. In other words, the XML displayed is exactly that of the .config input file.
Am currently trying a solution using ENTITY, will post fix if I find.
|
|
|
|
|
Dear All,
I am migrating a VB project to .NET to create a web-based CRM.
In that VB project one ActiveX control is used which is exclusively made for
Windows applications. I am developing the .NET project using Web Services.
That ActiveX control uses the Dial method to make a call from the agent's desktop to the client's mobile.
Also the OtherPartydisconnected, thisPartydisconnected, otherpartyAnswered and thisPartyanswered
events of that ActiveX control are required.
Please suggest how I can achieve writing these events in a Web Service.
Please guide me in this regard.
Thanks to all
|
|
|
|
|
soniasan wrote: That active x control use dial method to make a call from agent desktop to client's mobile
also OtherPartydisconnected,thisPartydisconnected otherpartyAnswered and thisPartyanswered these
events of that active x control is required
It may not be possible for you to use this component in a Web Service. Web Service code runs entirely server-side, and depending on the speed at which this ActiveX module does its work, you may not be able to use this component in a web service, or it may not be the best choice for using it.
Depending on the component and exactly what it does, you may have to implement the functionality around this component in a Windows Service instead. This service would probably have to set up some queue to receive its work orders and service these orders, one at a time, until the queue is empty.
|
|
|
|
|
Dave, thanks for your reply.
Basically the events OtherPartyDisconnected and ThisPartyDisconnects are fired by the CTC SERVER.
I am not interested in using the ActiveX control. Basically this ActiveX control
calls its MakeDial method, and when the party disconnects, at that time the Hang Up button on my CRM gets activated. From my CRM, the agent, from his desktop phone which is connected through
EPBX, I want to call the customer, and when the customer disconnects I want to activate the Hang Up button on my CRM. Basically this is an outbound CRM I am developing.
So will it be possible to write the functionality through Web Services?
Thanks
|
|
|
|
|
soniasan wrote: So will it possible to write the functionalty through Web Services.
It's not possible like you described, IF I understood your description. Web Services exist for a very short time and do not hold session state. What you're describing requires a very long object lifetime and a maintained session. This would be better served by either a Windows Service or directly in your application.
|
|
|
|
|
As known in MFC, thread function must be a static function because non-static function contains a 'this' pointer.
But this is not a problem at all in .net, I want to know how CLR can do that?
Thanks.
|
|
|
|
|
The only reason the function needs to be static in MFC is because of the underlying APIs used.
Since the underlying APIs use a C interface, they know nothing of C++ class objects and the
associated this pointer.
The .NET framework already knows there's a managed object involved. The framework is designed for
language independence so the interface is well defined.
Mark
Mark Salsbery
Microsoft MVP - Visual C++
|
|
|
|
|
Technically what it does for a delegate to a non-static method is to generate a small thunk containing a pointer to the object and a pointer to the method. The thunk contains code which calls the method, passing the object pointer as a parameter, just as an instance method call normally would.
In C++ I normally write
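// Declared in the class as: static unsigned __stdcall ThreadStartProc( void* pvParam );
unsigned __stdcall CMyClass::ThreadStartProc( void* pvParam )
{
    // Recover the object pointer that was passed as the thread argument
    CMyClass* pThis = (CMyClass*) pvParam;
    return pThis->ThreadProc();
}
DWORD CMyClass::ThreadProc()
{
    return 0;
}
// Start the thread, passing 'this' as the argument
_beginthreadex( NULL, 0, ThreadStartProc, this, 0, NULL );
The Framework is just doing this behind-the-scenes rather than you having to spell it out.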
DoEvents: Generating unexpected recursion since 1991
|
|
|
|
|
It's so funny.
Actually I use similar MFC code to yours, like this:
// Declared static in the class
DWORD WINAPI CMyClass::ThreadStartProc( LPVOID pvParam )
{
    CMyClass* pThis = (CMyClass*) pvParam;

    pThis->MethodA(...);

    pThis->MemberB++;

    return 0;
}
Obviously, your code is better...
|
|
|
|
|
Hello,
Can anybody help me on how to change iplanet users groups through LDAP using System.DirectoryServices?
|
|
|
|
|
Hello
I try to publish my application using ClickOnce, and when the server uses the http protocol everything was OK, but when publishing it on a server with SSL (https://) and I try to install it from there, the application stops and an error occurs that it cannot download a .dll file.
Any suggestions that can help me?
|
|
|
|
|
Try referring the following links:
http://blogs.msdn.com/shawnfa/archive/2006/07/15/665763.aspx
http://msdn2.microsoft.com/en-us/library/ms228998.aspx
Regards,
Dave
Dave Traister
Software Engineer
ComponentOne LLC
www.ComponentOne.com
|
|
|
|
|
Hello.
I'm doing a client server program where the client program is created using Visual C++.NET, meanwhile the server program is created using C#.NET. Just for my own knowledge, can both of these programs be connected via a network using the TCP protocol? I tried to execute the sample. There was no error but it could not be connected. Which part must I edit? Is it OK if I only edit the client part (created using C++)? This is because the server part also has a multithreading mechanism, so I don't want to mess that up. For your information, I tried to connect both client and server using port 5000. I will also include here the connection part of the client and server source code. Did I miss anything in the source code in the code snippet attachment? Thank you and your help is very appreciated.
// Client (Visual C++)
InitWSA();

sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
    printf("Error no %d occured when creating socket\n", errno);
    exit(-1);
}

// Local address the client socket is bound to
myaddr.sin_family = AF_INET;
myaddr.sin_port = 5001;
myaddr.sin_addr.s_addr = INADDR_ANY;

status = bind(sock, (struct sockaddr *)&myaddr, sizeof(struct sockaddr));
if(status < 0) {
    printf("Error no %d occured when binding\n", errno);
    exit(-1);
}

// Address of the server to connect to
receiver.sin_family = AF_INET;
receiver.sin_port = 5000;
receiver.sin_addr.s_addr = inet_addr("127.0.0.1");

status = connect(sock, (struct sockaddr *)&receiver, sizeof(struct sockaddr));
if (status < 0) {
    printf("Cannot connect to server, error no %d occured\n", errno);
    exit(-1);
}

// Server (C#)
string portStr = textBoxPort.Text;
int port = System.Convert.ToInt32(portStr);

// Create the listening socket
m_mainSocket = new Socket(AddressFamily.InterNetwork,SocketType.Stream,ProtocolType.Tcp);
IPEndPoint ipLocal = new IPEndPoint (IPAddress.Any, port);

// Bind to the local endpoint
m_mainSocket.Bind( ipLocal );

// Start listening, with a backlog of 4 pending connections
m_mainSocket.Listen(4);

// Accept client connections asynchronously
m_mainSocket.BeginAccept(new AsyncCallback (OnClientConnect), null);

UpdateControls(true);
|
|
|
|
|
Maybe try NOT binding the client socket - let the protocol pick the socket name.
You should be able to debug this easily.
What calls are failing?
On the client, I don't see any code that checks error codes returned from failed socket API calls
Shouldn't you be using WSAGetLastError instead of errno?
Mark
Mark Salsbery
Microsoft MVP - Visual C++
|
|
|
|
|
hello and thanks for the reply
I tried the method you said. So I disabled the binding of the socket. Still, the client could not connect to the server. Actually, there is no error in the code but it just could not connect the client, which is programmed in C, meanwhile the server side is programmed using C#. So I think it is not about the errno or the WSAGetLastError problem. Actually, this is just only a test program. After I prove that it can connect, then I will produce a real version. I just want to know is there any method or code which can connect a client programmed in C to a server which is programmed in C#. I assume that the connect() call failed since the printf("Cannot connect to server, error no %d occured\n", errno); as in the code snippet will be displayed. So this clearly means that it just could not connect to the server. Anyway, thanks for your reply and help. Any other ideas or solutions? hehe..
|
|
|
|
|
Kogee San wrote: I just want to know is there any method or code which can connect a client programmed in C to a server which is programmed in C#
TCP/IP is TCP/IP, no matter what platform it runs on or what language the code is written in.
Why do you dismiss error codes? They can give you important clues to reasons for failure.
That's why they are there. Why not use the clues the system offers? Otherwise all you can do is guess.
Using the socket APIs properly will help...
First you need the port number in network byte order:
receiver.sin_port = htons(5000);
Then you need to properly check for errors:
status = connect(sock, (struct sockaddr *)&receiver, sizeof(struct sockaddr));

if (SOCKET_ERROR == status)
{
    printf("Cannot connect to server, error no %d occured\n", ::WSAGetLastError() );

}
Mark
Mark Salsbery
Microsoft MVP - Visual C++
|
|
|
|
|
hello mark
Thanks for the reply. I just added the byte order method htons and it works. Thanks for the solution. I really2 appreciate it. Also thanks for the tips to take error messages seriously. I will take your advice. I know error messages are important for debugging, but I just considered a simple connection from client/server, that's why I didn't want to concern myself with the error messages. I will be careful next time. Thanks again.
|
|
|
|