Everything posted by requinix
-
True, you can't really detect it as an ongoing activity, but you can detect it when it first starts: both users will be using the same session ID. At that moment you can force the second person ("second" being whoever did their page request after the other person) to be logged out. If the good user wins then the bad user is logged out and their attack failed. Of course if the bad user wins then the good user is logged out. Given how a session hijack should be a very uncommon occurrence, logging out both sessions would be best: in the former case, the good user would get logged out too - they'd be a bit miffed but can log in again while the bad user is left behind.

Consider a session "chain". Chains relate different session IDs together, and each regenerated session ID gets the same chain. When a session hijack happens, there are two users with the same session ID for only a moment, but they'll both be using the same chain from that point on.

1. User A makes a request with session ID #101 in chain #501. Good. Response is session ID #102 in chain #501.
2. User B makes a request with session ID #101 in chain #501. Bad. User is logged out, chain #501 is flagged, they begin chain #502.
3. User A makes a request with session ID #102 in chain #501. Chain is flagged, user is logged out, they begin chain #503.
4. The two users are now on different chains.

Only the good user can log back in again, and logging in is the only way someone can prove ("prove") they're the good user. Better to be miffed than have their session compromised. You could delay logging out user A until user B successfully logs in, but that requires the user to log in again and maybe they don't want to.
-
To clarify "concurrent session", I meant concurrent for a particular session ID. The only way that can really happen is if one browser grabs a copy of the session ID being used by the other browser. Short of some sort of browser-sharing sync thing that I've never heard of, this would probably only happen maliciously. Don't prevent concurrent browsing via two different sessions for the same user. As in, the user logged in twice. So don't restrict a user to one particular session.
-
Applying multiple ssl's to one ip address, multiple websites
requinix replied to greenace92's topic in Apache HTTP Server
The chain file connects your certificate to a trusted authority. You probably have the right chain file. The problem is you're using a certificate for [www.]site.us when you need one for [www.]site2.com. Can't use the same cert for both domains. You really sure you're using the same cert for both? It's additive. One is a bit verbose, two is somewhat verbose, three is very verbose. Yeah: the certificate does not cover site2.com. Like I said you're apparently using the site.us cert. Are the sites accessible online? That's the easiest way.
-
Applying multiple ssl's to one ip address, multiple websites
requinix replied to greenace92's topic in Apache HTTP Server
Check your certificates. Or if they're both online somewhere then we can see them. You should probably clarify what exactly the "error regarding ssl by the browser" is.
-
But how PHP know which session it should use? The browser has to tell it somehow. Sessions are controlled by a session cookie (by default named "PHPSESSID") which contains a session ID (a random value). PHP gets the cookie with the request and loads the corresponding session data. Stealing a session is a matter of getting that session cookie and setting it in your own browser. PHP itself doesn't know the difference because all it has to work with is the session ID. That's why an application needs to verify session data: record IP address, user agent, stuff like that, in the session and then verify it with each request. Given what I just said about session IDs, this statement does not make sense. Depending on your application you may need a few things:
1. The session ID regenerates frequently and the old session ID is invalidated. This prevents concurrent browsing (eg, by the user and an attacker).
2. The session ID doesn't last long, depending on what kind of activity you expect from a user. Long enough that a user doesn't get logged out just because they stepped away from the computer, short enough that it's not feasible for an attacker to simply store the ID somewhere and use it later.
3. You may need persistence with a "remember me"-type token, which can partially identify a user.
And SSL for everything, of course.
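An added in-memory model (my code, not requinix's) of the "session chain" scheme from the earlier post and of the regenerate-and-invalidate point in item 1 above; it replays the four numbered steps, and a real application would keep the two tables in the session store or a database:

```php
<?php
// Added model, not the thread's code: an in-memory version of the "session
// chain" scheme. A real application would keep $ids and $chains in the
// session store or a database, not in a PHP array.
final class ChainedSessions
{
    private array $ids = [];     // session ID => ['chain' => int, 'live' => bool]
    private array $chains = [];  // chain ID   => ['flagged' => bool]
    private int $nextChain = 500;
    // Issue a fresh random session ID, in a new chain unless one is given.
    private function issue(?int $chain = null): string
    {
        if ($chain === null) {
            $chain = ++$this->nextChain;
            $this->chains[$chain] = ['flagged' => false];
        }
        $id = bin2hex(random_bytes(16));
        $this->ids[$id] = ['chain' => $chain, 'live' => true];
        return $id;
    }
    // Login succeeded: the user gets a brand-new chain.
    public function login(): string { return $this->issue(); }
    // Every request: check the presented ID and rotate it. Returns [ok, id];
    // ok=false means treat the user as logged out and set the fresh anonymous id.
    public function request(string $presented): array
    {
        $entry = $this->ids[$presented] ?? null;
        if ($entry === null) {                        // unknown ID
            return [false, $this->issue()];
        }
        $chain = $entry['chain'];
        if (!$entry['live']) {                        // step 2: retired ID replayed,
            $this->chains[$chain]['flagged'] = true;  // so flag the whole chain
            return [false, $this->issue()];
        }
        $this->ids[$presented]['live'] = false;       // this ID is now used up
        if ($this->chains[$chain]['flagged']) {       // step 3: the other party
            return [false, $this->issue()];           // is logged out as well
        }
        return [true, $this->issue($chain)];          // step 1: rotate within chain
    }
}

$s = new ChainedSessions();
$id101 = $s->login();                      // user A logs in (chain #501)
[$okA, $id102] = $s->request($id101);      // step 1: fine, A now holds #102
[$okB] = $s->request($id101);              // step 2: B replays #101, logged out
[$okA2] = $s->request($id102);             // step 3: A's chain is flagged, logged out
var_dump($okA, $okB, $okA2);
```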
-
Applying multiple ssl's to one ip address, multiple websites
requinix replied to greenace92's topic in Apache HTTP Server
That would be because the "site2.com" hostname doesn't match the "www.site2.com" hostname in your certificate. You should be able to get a cert with both names in it. I don't remember the correct terminology but you specify one as the primary name and the other as a secondary name. Fun fact: up until relatively recently (a couple years or so?) https://amazon.com would present the SSL warning. Someone else had that problem too, forget who it was.
-
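An added check (my code, not from this thread) for the name mismatch discussed in these three replies: it lists the hostnames a certificate covers (the subject CN plus the subjectAltName entries, which is the "primary name / secondary name" pairing mentioned above) and tests each hostname the server will answer for. It generates a throwaway certificate for www.site2.com with site2.com as a SAN so it runs offline; with a real certificate, pass file_get_contents() of the .crt instead. Assumes PHP 8 with the openssl extension.

```php
<?php
// Added example, not the thread's code. Lists CN + DNS SAN names of a
// certificate and checks whether a given hostname is covered.
function cert_hostnames(string $pem): array
{
    $info = openssl_x509_parse($pem);
    if ($info === false) { throw new RuntimeException('unparseable certificate'); }
    $names = [];
    if (!empty($info['subject']['CN'])) { $names[] = strtolower($info['subject']['CN']); }
    // subjectAltName is returned as "DNS:www.site2.com, DNS:site2.com"
    foreach (explode(',', $info['extensions']['subjectAltName'] ?? '') as $san) {
        $san = trim($san);
        if (stripos($san, 'DNS:') === 0) { $names[] = strtolower(substr($san, 4)); }
    }
    return array_values(array_unique($names));
}

// Exact match, or a single-label wildcard such as *.site2.com.
function cert_covers(string $pem, string $host): bool
{
    $host = strtolower($host);
    foreach (cert_hostnames($pem) as $name) {
        if ($name === $host) { return true; }
        if (str_starts_with($name, '*.') && substr_count($host, '.') === substr_count($name, '.')
            && str_ends_with($host, substr($name, 1))) { return true; }
    }
    return false;
}

// Constructed test certificate: CN=www.site2.com with site2.com as a SAN.
$cnf = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnf, "[req]\ndistinguished_name = dn\n[dn]\n[v3_req]\n"
    . "subjectAltName = DNS:www.site2.com, DNS:site2.com\n");
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr = openssl_csr_new(['commonName' => 'www.site2.com'], $key,
    ['config' => $cnf, 'req_extensions' => 'v3_req']);
$crt = openssl_csr_sign($csr, null, $key, 1, ['config' => $cnf, 'x509_extensions' => 'v3_req']);
openssl_x509_export($crt, $pem);
unlink($cnf);

// site2.com and www.site2.com are covered; site.us (the other vhost) is not.
foreach (['site2.com', 'www.site2.com', 'site.us'] as $h) {
    printf("%-15s %s\n", $h, cert_covers($pem, $h) ? 'covered' : 'NOT covered');
}
```
-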
I dunno. echo? print? Mobile app? You decide. That would be why I suggested it.
-
The publicAddress and clientIdentifier are attributes on the Device element.
(string)$xml->Device["publicAddress"]
(string)$xml->Device["clientIdentifier"]
I don't know where you're getting the created time from but use date to make it more readable.
-
Use like you expect. However your emails have to be sent as HTML, which basically means formatting everything in the email as if it were HTML. Preferably with and and s and such. Once you have the HTML markup correct (you can send yourself test emails to verify that), make whatever you use to send emails send them as HTML. If you're not sure about how to do that, we'll need to see the code that does the actual sending.
-
"Masked" Forwarding, aliasing a domain and all that - How To Do that!
requinix replied to Maze's topic in Miscellaneous
Right. Do not redirect, make sure your website doesn't have the domain name hardcoded anywhere, and make sure your web server is configured to show the same site/virtualhost for all four domain names. Mind the SEO impact, though. If all four websites show the exact same content then they will all be punished for it in the search results. To be frank, what you want to do is a bad idea.
-
frmvalidator.addValidation regexp for a line break?
requinix replied to sleepyw's topic in Javascript Help
Order does not actually matter. What did you have that wasn't working and what do you have now?
-
frmvalidator.addValidation regexp for a line break?
requinix replied to sleepyw's topic in Javascript Help
\r and \n are easier than the \u syntax, but they'll be interpreted by Javascript and you'll get those characters inside the actual string. Escape the backslashes like "\\r\\n".
-
There is a way to do it as you describe, so if you want that solution for academic reasons there's that. However it uses references (PHP does not have pointers but references are close) and I try to avoid references unless I know my audience (eg, coworkers) will be comfortable working with them. For normal code I would go with either a) The recursive version, as posted by Barand, or b) A loop-based version where you construct the array backwards, as in
array()
array('key3' => array())
array('key2' => array('key3' => array()))
array('key1' => array('key2' => array('key3' => array())))
-
"The file input"? rename (which does moves too) Figure out the path to the file in directory A, figure out the path you want it for in directory B, and pass both to rename().
-
Can anyone show me how to add "days" to this code?
requinix replied to man5's topic in Javascript Help
Okay, you got the "and a description of what's going wrong" part but you forgot about the "post the code you have". No, that's milliseconds. Probably to do with timezones.
-
Doctrine fetches 160 results from a table when 3 are present
requinix replied to Stefany93's topic in Third Party Scripts
So if you go into a MySQL client program (like phpMyAdmin) and execute
SELECT * FROM reactions WHERE topic_id = 1
then you only get three rows? Dump out or log the value of $row2 somewhere. If it shows three rows then you're looking in the wrong place, and if it shows more than three rows then Doctrine is doing something spooky.
-
Can anyone show me how to add "days" to this code?
requinix replied to man5's topic in Javascript Help
Should be pretty straightforward: take the lines that deal with hours/minutes/seconds, create a duplicate fourth line for the hours, and make sure you get the math right. Example 1:
<span class="hour">00</span> <span class="min">00</span> <span class="sec">00</span>
becomes
<span class="day">00</span> <span class="hour">00</span> <span class="min">00</span> <span class="sec">00</span>
Example 2:
var hoursContainer = $(container).find('.hour');
var minsContainer = $(container).find('.min');
var secsContainer = $(container).find('.sec');
becomes
var daysContainer = $(container).find('.day');
var hoursContainer = $(container).find('.hour');
var minsContainer = $(container).find('.min');
var secsContainer = $(container).find('.sec');
Go ahead and give it a shot. If you have a problem, post the code you have and a description of what's going wrong.
-
what are the reasons to upgrade from PHP5.2 to newer ?
requinix replied to chaiyo's topic in PHP Coding Help
Opinion? You should have upgraded YEARS ago. Because 5.2 stopped being supported YEARS ago. No updates since then. Not even security updates. Who knows how vulnerable the application is! It will take time and lots of testing but it needs to happen: upgrade to PHP 5.6. There are migration guides available to help with the process.
-
Mail issue leads to need for complex str_replace?
requinix replied to sleepyw's topic in PHP Coding Help
You also need to be putting $new_recipient back into the array, not the original $recipient. Another thing. Keep in mind that strpos() can return 0 if the string starts with a @. And 0 == false. So you'd get something like "@foo@xyz.com". The alternative is "@foo" (looks like an email so don't change it), which isn't good either but it would probably be better to keep that. So use === false for an exact comparison.
-
Mail issue leads to need for complex str_replace?
requinix replied to sleepyw's topic in PHP Coding Help
So you've got $new_recipients. explode() that into a new variable. It'll be an array, so you can foreach over it to get the various bits inside.
foreach ($exploded_new_recipients as $key => $recipient) {
Each $recipient bit will be an email address or name. If you exploded on just a comma (which I suggest) then there could be some spaces too that need to be trimmed off. Once you have the "plain" value, you need to tell if it's a name or email. The easy way to check is to see if there's an @ sign, given that the user should really only be entering names or email addresses. (You could really scrutinize them if you wanted to, though.) For email addresses you'd just leave them alone. For names you'll want to modify them to be email addresses instead: update $recipient with the new value (replace spaces and add "@xyz.com"), then update the original array too with
$exploded_new_recipients[$key] = $recipient;
(Because updating $recipient won't also automatically update $exploded_new_recipients.) After all that, the array should be just email addresses. implode() it back together (using comma+space this time, for a more nicely formatted list) and you're back to a single string of everything.
-
Mail issue leads to need for complex str_replace?
requinix replied to sleepyw's topic in PHP Coding Help
1. explode() on commas and foreach
2. Trim extra whitespace
3. If the thing isn't an email then replace space->period and add "@xyz.com"
4. implode() back together into a string
-
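The four steps above carried through as a working function (my added example, not code from this thread), including the strpos() === false point from the later reply and the write-back into the array; "xyz.com" is the thread's placeholder domain and the input string is constructed:

```php
<?php
// Added example, not the thread's code: the four steps as one function, with
// the strpos() === false caveat. "xyz.com" is the thread's placeholder domain.
function normalize_recipients(string $new_recipients, string $domain = 'xyz.com'): string
{
    $exploded_new_recipients = explode(',', $new_recipients);         // 1. explode
    foreach ($exploded_new_recipients as $key => $recipient) {
        $recipient = trim($recipient);                                  // 2. trim
        if ($recipient === '') {            // e.g. a trailing comma: drop the entry
            unset($exploded_new_recipients[$key]);
            continue;
        }
        // 3. Only rewrite names. Written as == false this would also rewrite
        // "@foo", because strpos() returns 0 for it and 0 == false.
        if (strpos($recipient, '@') === false) {
            $recipient = str_replace(' ', '.', $recipient) . '@' . $domain;
        }
        $exploded_new_recipients[$key] = $recipient;  // write back: $recipient is a copy
    }
    return implode(', ', $exploded_new_recipients);                     // 4. implode
}

// Constructed input: names, an address, sloppy spacing, an "@foo" edge case, trailing comma.
echo normalize_recipients('John Smith, jane@example.org ,  @foo,Bob Jones,'), "\n";
```
-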
You're suffering from PHP's loose typing. ^ is not a logical operator but a bitwise operator. It acts on numbers. true^true is interpreted as 1^1. The answer is, of course, 0. However ! is a logical operator. !true is false, but PHP decided that the string representation (ie, what you get when you try to echo it) is empty. Try
echo "1 and 1 = "; echo (1 && 1 ? "1" : "0");
echo "<br>1 or 1 = "; echo (1 || 1 ? "1" : "0");
echo "<br> 1 xor 1 = "; echo (1 ^ 1 ? "1" : "0");
echo "<br>Not 1 = "; echo (!1 ? "1" : "0");
or
function showvalue($expr) { echo $expr ? "1" : "0"; }
echo "1 and 1 = "; showvalue(1 && 1);
echo "<br>1 or 1 = "; showvalue(1 || 1);
echo "<br> 1 xor 1 = "; showvalue(1 ^ 1);
echo "<br>Not 1 = "; showvalue(!1);
You should also (re)acquaint yourself with PHP's various operators. I suggest you stick with the bitwise operators only, meaning use & and | instead of && and ||.
-
Yeah, there's more to it than just the nameservers. Say you have a question about your website. You go to Google and search for "where can I find my website?" Google does not tell you what the answer is, but rather it tells you where to find the answers. You still have to look at the search results. You try the first one, and you get the answer you need. Great. But maybe it doesn't have it. If not then you go to the second result. And third. Until you find your answer or run out of results and give up. Google is the domain registration. You asked it about your website and it told you where to look next. Google's search results are the list of nameservers. You try each one until you get the answer you need. All you did was tell Google what search results to show for the question. You still have to make sure that each search result has the right information.
-
You updated the domain registration to use the new nameserver, great. But did you update the nameservers themselves with the information for the domain? Do the nameservers have that configuration? Because it's not magic: you have to actually tell them the DNS records for the "thepizzacompany.co.uk" and "www.thepizzacompany.co.uk" and so on. Or alternatively, did you do a zone transfer from the old nameservers to the new ones?