Re: [ACFUG Discuss] Congratulations

2007-05-18 Thread Douglas Knudsen
Yes, big thanks to the Fed crew. Awesome environment. DK On 5/18/07, Ajas Mohammed <[EMAIL PROTECTED]> wrote: Hello everyone, It was a great session and very well organized. Good work ACFUG & Federal Reserve guys. Well done. Also it was nice meeting people whom I hav

Re: [ACFUG Discuss] Congratulations

2007-05-18 Thread Ajas Mohammed
Hello everyone, It was a great session and very well organized. Good work ACFUG & Federal Reserve guys. Well done. Also it was nice meeting people whom I have known only through their email ids especially Teddy, Precia, Charlie, Mischa to name a few. -- http://ajashadi.b

Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Dean H. Saxe
You can generate certs through keytool, part of the JDK. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] "Dissent is the purest form of patriotism." --Thomas Jefferson On May 18, 2007, at 9:53 AM, Mischa Uppelschoten ext 10 wrote: : 2. On my local server these are the same because I do

re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Mischa Uppelschoten ext 10
: 2. On my local server these are the same because I don't have SSL set up.:  That's why it works fine there. I had the same issue and I "resolved it" by exporting my certificate from production onto my test server. The browser will throw an error message saying that the certificate do

Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Shawn . Gorrell
Cool, I figured that was what you were thinking. If you talk to many of our security folks they would take a one size fits all approach which is ridiculous. You don't apply the same level of rigor to the candy dish on the counter that you would to the vault with the gold bars. Security has man

Re: [ACFUG Discuss] Congratulations

2007-05-18 Thread Teddy R. Payne
Congratulations to our winners last night! Thank you everyone who attended the event last night. I did not have a chance towards the end of the meeting, but a special thanks to those who helped from the Federal Reserve: Aman Aslami, Patrick Baker, Brooks Wilson, Stanley Fong, Shawn Gorrell, Dav

Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Dean H. Saxe
Right, hence a risk based approach. You know the risks, you can best determine what steps are needed to protect yourself. I know I often say things that sound absolute. But security is a balance of risk vs. costs and we need to make sure we strike the correct balance. -dhs Dean H. Sax

RE: [SPAM] Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Dusty Hale
That was kind of my original line of thought with moving in and out of secure URL. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, May 18, 2007 9:00 AM To: discussion@acfug.org Subject: [SPAM] Re: [ACFUG Discuss] problem with session variab

RE: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Dusty Hale
Now this makes sense to me. thx _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Friday, May 18, 2007 8:11 AM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT Actually, if you use SS

Re: [ACFUG Discuss] Congratulations

2007-05-18 Thread Shawn . Gorrell
I feel like I won the Super Bowl. I'm going to Disneyland Great meeting. Huge kudos to Brooks for organizing it. He singlehandedly made the arrangements on our end, among other things. All I did was hand out nametags and look pretty;) He put in a ton of work and dealt with the myriad of hea

Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Shawn . Gorrell
Not exactly. Let's say that my initial login process goes against AD or other LDAP, but the rest of the app is a public FAQ. If the session is hijacked there would be no way for them to get or change the login information unless methods were provided within the application to do so (which you w

[ACFUG Discuss] Congratulations

2007-05-18 Thread Precia
Congratulations to Shawn Gorrell winning a licence of Scorpio (aka ColdFusion 8) and Scott Talsma winning a licence of Flex 2. Precia - Annual Sponsor FigLeaf Software - http://www.figleaf.com To unsubscribe from this list, manage yo

Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Dean H. Saxe
No, because if you login and then switch to plain HTTP, what is to prevent me from stealing your session token at that point? And what if I can then change your password? I own your account. =) From a risk based standpoint, I understand your argument Shawn and many sites (slashdot, beer a

Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Shawn . Gorrell
But what if the only really important data in the app is the initial login credential? If the other data besides that is not sensitive, isn't it sort of a waste? Shawn Gorrell Web Development Applications Architect Federal Reserve Bank - Atlanta Office (404) 498-8449 "Dean H. Saxe" <[EMAIL

Re: [ACFUG Discuss] problem with session variables (i think) - DISREGARD I SOLVED IT

2007-05-18 Thread Dean H. Saxe
Actually, if you use SSL at all, you need to use it from the beginning to the end of the session. Otherwise all of the value of SSL is lost once the user begins transmitting his session tokens (JSESSIONID) across an insecure link. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] Here in

Re: FW: [ACFUG Discuss] problem with session variables (i think)

2007-05-18 Thread Tommy Geist
I ran into a similar problem as well. I found out that some servers are not "sticky". In other words, when a user makes a request to a clustered server group over a session then they may not get routed to the same machine every time. Since Session variables are stored on that particular machine wh