I'm seeing methods of encryption, and I've seen a lot of this tool: "aspnet_regiis", but I've been asked to search about "machineKey" and all I can see is that it is another section of the web.config, but I don't know its function or what it is per se...
So... I'm asking this simple question: What is machineKey and what does it do?
Regards.
One of the things that the machineKey does is to validate ViewState so that it can't be manipulated by an attacker. Other uses would be similar. If you are running servers behind a load balancer, you need to make your machineKey the same on all servers so that subsequent requests received by another server can perform validation.
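The validation this answer describes, modelled in Node.js as an added example (not part of the original answer, and not ASP.NET's actual ViewState format): a server signs the state with an HMAC under its key, and a server holding a different key rejects it. The function names `protect` and `validate` and the sample keys are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Sign the serialized state: base64url(payload) + "." + base64url(HMAC-SHA256).
function protect(state, key) {
  const payload = Buffer.from(JSON.stringify(state), 'utf8').toString('base64url');
  const mac = crypto.createHmac('sha256', key).update(payload).digest('base64url');
  return `${payload}.${mac}`;
}

// Return the state if the MAC verifies under this server's key, otherwise null.
function validate(token, key) {
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = crypto.createHmac('sha256', key).update(payload).digest();
  const given = Buffer.from(mac, 'base64url');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return null;
  }
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// Constructed sample keys (hypothetical; real keys are configured in web.config).
const sharedKey = crypto.randomBytes(32); // same machineKey on servers A and B
const strayKey = crypto.randomBytes(32);  // server C was left with its own key

function demo() {
  const token = protect({ cart: ['book'], price: 10 }, sharedKey); // issued by A
  // The state is edited in transit, but the MAC cannot be recomputed without the key.
  const editedPayload = Buffer.from(JSON.stringify({ cart: ['book'], price: 0 }))
    .toString('base64url');
  const edited = `${editedPayload}.${token.split('.')[1]}`;
  return {
    sameKeyServer: validate(token, sharedKey), // B accepts the state A issued
    otherKeyServer: validate(token, strayKey), // C rejects it: keys differ
    tampered: validate(edited, sharedKey),     // modified state is rejected
  };
}

console.log(demo());
```

Behind a load balancer, the `otherKeyServer` case is what a user sees as an intermittent validation failure whenever a postback lands on a node whose key differs.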
Related
I am planning to develop a project which will have access to different services placed in different domains using ajax, so that it may get different types of data from each of them.
At the beginning I thought that due to cross-site scripting that can't be done so I would have to use a different approach or maybe use a bridge (make the calls to my server which will behind the scenes call the others) but the bridge would become a performance issue.
But then I was testing Angular using Google's API and realized that it just works. I mean, I could make AJAX calls to my localhost (though I know localhost may work just because it's localhost) using a script loaded from googleapis.com.
Now I wonder if it is possible or not to have a page with ajax calls to other domains like: mail.mydomain.com, profiles.mydomain.com, media.mydomain.com, and so on. And if so, can that be done just like that or are there any limitations? Because I remember that some years ago I had trouble doing things like that due to the cross-script block.
Just in case it helps, I'm planning to use Angular to get the data and paint it over the views.
Thanks.
Use JSON-P for cross domain AJAX. http://json-p.org/
Yes, it has limitations, but they can be relieved easily.
Setting the HTTP header "Access-Control-Allow-Origin" to "*" does it.
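How the header from the second answer is produced on the server side, as an added example that is not part of the original answers: a Node.js function that builds the CORS response headers for one of the subdomain services in the question. The page origin https://www.mydomain.com, the function name `corsHeaders` and its options are assumptions.

```javascript
// Origins allowed to read responses. Assumed: the page is served from
// https://www.mydomain.com (hypothetical; the question does not name it).
const ALLOWED_ORIGINS = new Set(['https://www.mydomain.com']);

// Build the CORS response headers for one request, given its Origin header.
function corsHeaders(requestOrigin, { allowCredentials = false, wildcard = false } = {}) {
  if (wildcard) {
    // "*" lets a script from any site read the response. Browsers refuse to
    // combine it with credentials, so it only suits public, cookie-less data.
    if (allowCredentials) {
      throw new Error('"*" cannot be combined with Access-Control-Allow-Credentials');
    }
    return { 'Access-Control-Allow-Origin': '*' };
  }
  // Vary on Origin so caches do not reuse one origin's answer for another.
  const headers = { Vary: 'Origin' };
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // exact match only
    if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers; // without Allow-Origin the browser blocks the cross-origin read
}

// Constructed sample requests, as a service such as mail.mydomain.com would see them.
function corsDemo() {
  return {
    ownPage: corsHeaders('https://www.mydomain.com', { allowCredentials: true }),
    otherSite: corsHeaders('https://other.example', { allowCredentials: true }),
    publicData: corsHeaders('https://other.example', { wildcard: true }),
  };
}

console.log(corsDemo());
```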
I am developing a website using Microsoft MVC3, and have built it upon the default MVC3 Application template. It accesses an external database and works on localhost.
I have deployed it to a shared server I rent from storminternet via the publish tool using ftp method (storminternet do not yet support web deploy), and it runs well. It accesses the database okay and get requests work fine.
However, any form that submits via POST protocol returns page not found error 404 (this is on actions where I have asserted [HttpPost]).
Storm internet assure me that POST and GET are allowed by default, and since the helpdesk are not developers, I'm unsure who to turn to. I don't have an excellent understanding of web.config, although I can read and understand xml and see what's going on by reading through and googling. I have tried adding the protocols to the root web.config, and I think I might be barking up the wrong tree.
Has anyone else had this problem, or might anyone know how to help me?
To replicate my error, my site is here... 213.229.125.117/$sitepreview/ase-limited.com/Dev (sorry it isn't blue. The dollar gets parsed to % something)
and the quickest route to a POST request is to click 'Add Building' at the top of the left-hand side and then click 'Save' at the top of the dialogue box.
Any help will be gratefully received. I've been stuck on this for days without luck.
Best Regards
Nick
STOP-PRESS-STOP-PRESS-STOP-PRESS-STOP-PRESS-STOP-PRESS-STOP-PRESS-STOP-PRESS-
It turned out to be a known issue with sitepreview. Switching to the proper domain sorted everything.
I have noticed that you have some 404 javascript errors when performing your AJAX requests. For example you have a request to:
http://213.229.125.117/$sitepreview/ase-limited.com/BuildingManager/Employees/2
instead of:
http://213.229.125.117/$sitepreview/ase-limited.com/Dev/BuildingManager/Employees/2
Notice how /Dev is missing. That's because in your javascripts you have hardcoded your urls instead of using url helpers to generate them. For example you wrote something like this:
    $.ajax({
        url: '/BuildingManager/Employees/2',
        // ...
    });
which works fine on localhost because you don't have a virtual directory name but doesn't work when you deploy on your server because now the correct path is:
    $.ajax({
        url: '/Dev/BuildingManager/Employees/2',
        // ...
    });
For this reason you should absolutely never hardcode urls like that.
And when I try to POST the form it tries to post to http://213.229.125.117/Dev/BuildingManager/SaveBuilding which seems a very weird url as it is missing the whole beginning. Once again: never hardcode urls. Always use url helpers.
I'm working on a MediaWiki plugin that adds a certain captcha if users have more than three bad login attempts. I'm basing this on the existing ConfirmEdit plugin but for some reason the way they store bad login attempts doesn't seem to work for me. After checking the code they use, it seems they're using the global variable $wgMemc, which in my case appears to be an instance of FakeMemCachedClient. This is a fake memcache that just returns true on everything without even saving anything.
I'm trying to find out how to implement another way to internally keep track of the amount of bad logins, preferably without having to consult the database for this.
The only thing I could come up with that avoids the cache entirely is POSTing the amount of bad logins, but this could easily be modified by a smart user/bot...
Anyone have any ideas?
In the ideal case, $wgMemc should be an instance of MemcachedPhpBagOStuff. It is actually an interface to memcached, see the MediaWiki page about it for more information and usage in MediaWiki.
For this use case it would be a great choice. However, since it seems you don't have memcached set up, the only viable alternative is probably using the database.
I was hoping someone could shine some light on my problem. I am in the process of load testing a website. For authenticity, I would like to simulate users logging in and such. JMeter refuses to comply. I have tried manually using HTTPS requests, HTTPS spoofing that is provided, and exporting login scripts from Badboy. Using the View Results Tree listener after running a test, it seems that everything is working, but in the end I am always redirected to the login page. The cookie appears to be functioning properly as it displays the same session for each request.
Thanks in advance for any wisdom you all may offer.
Badboy is a great tool to create JMeter tests over HTTPS.
But on our apps, Badboy seems to add GET requests that didn't work at all; I had to remove them manually to fix the problem.
And if you have a token or session id in your cookies, it doesn't take care of it for you, so you have to figure out how to extract them with a regex extractor and put them in a variable that your test will use.
These problems were very specific to our apps, so I'm not sure they apply to you, but if you remove unnecessary requests and take care of sending back your token/session id it might do the trick.
I was facing a similar issue some time ago, but since my web application was JSF-based I had to take care of the javax.faces.ViewState.
In my case every response had a JFV and I had to pass it as a parameter to the next request using Regular Expression Extractor.
Kindly check if your application is having any such problem.
Regards
Greetings,
I certainly hope someone will be able to provide some enlightenment on my problem.
Currently, I have 2 Joomla sites; the layout and menus of one are a replica of the other.
I noticed that on both Joomla sites, I will occasionally encounter "Unable to send mail" after a form submission.
Is this the fault of my server, or the fault of Joomla's PHP Mailer? I would certainly love to approach my hosting company for a solution but I do not want to place a false accusation on them.
By default, Joomla will use PHP's mail() function, although you can set it to use other methods (sendmail, SMTP) in the Global Configuration on the Server tab.
The best way to test this would be to set up a small PHP script that sends a message through mail(). Next time you see the message, try running the small script and see if that one fails as well.
I personally prefer using an SMTP server for mailing purposes. I guess your hosting company has provided something like smtp.yourdomain.com
You may use it.
Else, you can use the Gmail server smtp.gmail.com
It won't disappoint you for sure.