I am using Revive Ad Server and to comply with EU Law I need to be able to disable the tracking cookies that Revive creates when tracking ads. I have looked everywhere online for a solution but can't find one, how would I prevent Revive creating a cookie if the user opts-out?
It is really easy, For each Zone you could either enable or disable the Cookies.
Go to - From your Revive Ad Server, Select Zones, Then Advanced Tab, Then you see Cookies Selection, Then the setting there.
Related
How do browsers share credentials belonging to one domain with other? As I asked in question, if I log into one service, I'm automatically logged into other service? What authentication scheme is this and how are credentials shared?
The answer is that they use OAuth or something like it. You can read about it at https://en.wikipedia.org/wiki/OAuth or just google for OAuth. Only one site receives your username and password. The others are granted permissions by that site.
By using API's.
For example: When you going to Youtube and you want to log in, then Youtube uses Googles API's to check if there is an account that equals with your details.
And in case of logging in automatically, just the same way, but then with a session or cookie I think.
They use cookies to save your (encrypted) information.
Cookies stored on your browser are readable by any website*, so in theory any website that knows how Google's authentication scheme works is able to "log you in" on a Google account.
Also, in theory, any person who "steals" your cookies and use it on their computer would be able to log in as you. However there are certainly security measures taken into consideration from Google before allowing you to authenticate using only a cookie (using IP and other request information to make sure that cookie belongs to you, etc)
As a proof of concept, if you delete all cookies on your browser created by google.com you will find out that you are logged out of Google's websites. And when you log back in, the cookies will be recreated.
Errata:
*Cookies can be read by websites under the same domain.
I have a website where users can post ads and view them. I am using ASP.net build it. So normally site is free for to view ads. But if anybody wants to post an ad he or she needs to be a registered user. So if an user try to Post an ad without logging then he will be redirect to login page. So I want to enable SSL for login page to securely transfer information over the internet.
Here few things you should know.
I just only need to secure the user name and passwords.
Ads post by users are not sensitive data. So it is OK if it transfer through non secure path.
I dont want to enable SSL for every page. Because it will slow down page loading and it is a CPU intense task.
So how to achieve this? Do I need to maintain the HTTPS state after user logged under SSL connection until he post articles and until he log out?
Cant I just secure the login page for authenticate the user and then go with normal pages? Keep in mind that I need to keep the logged information because I saw in an another blog that saying When you go from HTTPS to HTTP all the states are being lost. Is that true?
So Help me here.
Thank you very much.
You should maintain SSL for every page once a user is logged in so that you can use secure cookies for the authentication cookie. This can be set using the requireSSL="true" in the web.config (MSDN doc). You definitely should use secure cookies for authentication, and you'll only be able to utilize that cookie over HTTPS.
Or as Scott Hanselman put it in this seriously old blog post:
In order to prevent Session Hijacking, when you've got a secure site,
it's a good idea to mark your cookies as "secure," meaning that they
can't be accessed over HTTP. This prevents folks from being issued
cookies over HTTPS then switching to HTTP in order to access the
cookie with sniffers or other evil.
This question has also been covered at Information Security Stack Exchange and Programmers Stack Exchange.
More Reading: OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
I am building a website with user accounts. I want the user's name to be displayed at the top, along with the ability to check their inbox with a dropdown that will be updated and refreshed by AJAX. For a user to log in, they will enter their username and password in another dropdown box powered by AJAX. I will also have a specific page, which could use SSL, which sells items through PayPal and BitPay.
I want to secure this with SSL. However, it's not feasible to make all the pages use SSL because the CDN I plan to use doesn't support SSL at the price I am willing to pay and because I wish to allow users to embed images and YouTube videos, which would be linking to third-party HTTP resources.
So my question: is it possible to allow users to log in through AJAX securely over SSL? (The AJAX request would be secured, but not the page that shows the log in form.) It must then be able to display their account name and edit their account settings over an unsecure connection? How would cookies work with this?
You might get better answers at security.stackexchange.com, but in short: You might have a cookie shared between http and https. But then you should not associate any information to the cookie, which might be abused by an attacker, because the cookie can be sniffed when using http instead of https and then reused by the attacker to hijack the session (and those the identity). So for serious stuff you should have another and different secure (e.g. https-only) cookie. A good source of information is also OWASP, e.g. https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
I'm looking at building an site that authenticates users against AD of my company.
I've already created something that works internally, but I'd also like the users to be able to authenticate externally - from outside the network over the internet. using any pc or even mobiles. Obviously only people within the company should be able to access it.
I just need a few guidelines for what I'll need to bare in mind for such a project..
Use forms authentication
Use ADMembershipProvider
Host site on network with AD
How do I make it visible externally? what security implications are there? what needs to be done on the server?
There is no special requirements for the AD usage, normal security requirements apply - enforce HTTPS on the login page, for start.
I guess your server is in the DMZ, so just make sure it can see AD from there.
We use FormAuthentication to manage logins and I have a case where a customer complains where he can login from one computer but to from another.
I can see in my logs that his authentican is successfull but he gets bumped back to the login page. I can reproduce the symptons by disabling cookies so I asked the customer to test if cookies are enabled on http://www.tempesttech.com/cookies/cookietest1.asp, but this came out positive.
What have I missed? Is there any antivirus/security software that can mess up (ASP.NET) cookies?
The user is using IE7 and claims to have F-secure installed.
First ask from your customer to try to login using some other browser like google chrome.
If with other browser works, then ask from your customer to clear the cookies on his browser, if he can clear only your page cookies, then you must be check if you using too much cookies, or too big ones, and create a diferent shecma.
You maybe have set to store/cache the roles on cookie - this make cookie too big ones, and big cookies create problems.