Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
Let's say my web server calls
Tableau to get a ticket
POST on https://mytableau/trusted with client_ip parameters
to get a ticket number that we use on an IFrame.
Can the user share it with another person to spoof his login to other?
set
wgserver.extended_trusted_ip_checking to true
If the IP address is same then wgserver.extended_trusted_ip_checking is not going to stop userB from using the ticket generated for userA to 'spoof' the login for userA.
That being said, the trusted token is one-time-use only, so as soon as the view is rendered for userA the token becomes useless for userB.
Also there is a time out of 180 seconds after which the ticket expires. (This time can be reduced further by tweaking : vizqlserver.trustedticket.timeout_in_seconds)
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I am making a sign in with username in Firebase. I want to retrieve user email and sign in with email, while the user types username and password.
In other words, get an email from the database which corresponds entered a username.
let username = usernameTextField.text
Database.database().reference().child("members/email")
I cannot go further from this point
Why are you using the username for login? Use email password auth provided by firebase. see this https://firebase.google.com/docs/auth/ios/password-auth
What you are trying to do needs to expose all the username and emails from database to every one which is not a secure solution. Using firebase authentication you have to trade off username for email as username
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am creating a facebook login functionality for my website.
When user login through facebook , then I want to fetch emailId ( which can come with public profile ).
Is it possible ( in any case ) that when I fetch public profile then it does not contain users email Id ?
Thanks
Amit Aggarwal
There are very less chances that you'll get email without asking for its permission as a public info.
You gotta ask for permission email to get one. But still there could be chances (3-4 in 100) that you'll not get email even when user gave you the permission and you can do nothing about that. You can check out this discussion for the reasons: Register with Facebook sometimes doesn't provide email
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
i searched many times but all of sites says that it will be in settings / security tab, but it's not there! why?
i just created my Facebook account.
It looks like FB is not currently using security questions. This is from FB:
If there ever comes a time where you can’t log into your Facebook account, we need ways to get in touch with you and make sure the account is yours. Here are some things you can do to help make sure you never get locked out of your account:
Add another email address to your account so you always have a
backup.
Make sure you and only you can access the email addresses listed on your Facebook account. Anyone with access to one of the email
addresses listed on your account can request a new password for your
Facebook account. If you lose access to one of your extra email
addresses, be sure to remove it from your Facebook account.
Add your mobile number to your account. We can also send things (ex: a code to reset your password) to your mobile phone.
Use your real name and date of birth on your account so we can find your timeline if you ever loose access to it.
You can find more details on this security features page.
facebook now does not offer any security questions for account safety. It uses now two-factor security model and sms authentication code. Don't go in that deeply.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
We have developed a website that allows users to subscribe to a service using their Facebook credentials.
How do we create test Facebook accounts that can be used to execute end-user test cases for this feature?
You can create test users via the Graph API. You shouldn't refer to them as "fake" users because that has some negative connotations; Facebook actively peruses and shut's down fake accounts. I believe what you are talking about though is accounts to test Facebook applications...
The documentation details how to create test users via the api -
https://graph.facebook.com/APP_ID/accounts/test-users?
installed=true
&name=FULL_NAME
&locale=en_US
&permissions=read_stream
&method=post
&access_token=APP_ACCESS_TOKEN
You'll need to substitute all your own data in the request and the response you'll get back should look something like this -
{
"id": "1234...",
"access_token":"1234567..." ,
"login_url":"https://www.facebook.com/platform/test_account..."
"email": "example...#tfbnw.net",
"password": "1234..."
}
You can then use that users credentials to test your applications authentication process and functionality.
In addition to creating test accounts via the api, you can also use the interface within the application's dashboard under the "Roles" section - https://developers.facebook.com/apps/APP_ID/roles
Had the test accounts set up with no problem. Finally found the parameter I was missing to get the accounts to interact with the website properly.
Cheers.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
Is it simply an artifact of the old fear (still around in some places) of cookies?
I also would like to know if it is bad practice to simply pass in user names from an outbound email.
Nothing is stopping the web app from always remembering the user for as long as they want on particular computer without asking explicit permission from the user. However, doing so has security and privacy implications on shared computers.
Imagine you go to a cyber-cafe or a library, sit on a shared computer and login to your bank website (which you shouldn't do from such places anyway :-)). The bank website tries to be "smart" and persists a cookie with a ticket based on your credentials. When you're done, you close the browser without logging off. Next person sits down, opens the browser, looks at the history and goes to the bank site. And now they have magically access to all your money.
That would probably be the last time you use that bank for anything.
Update: To answer the second part of the question (and the comment below)
If you are afraid of URL injection, you should probably not specify the username in the email URL itself. Instead, generate a one-time token (you could use a one-way hash of the user name and a website secret for example), which wouldn't mean anything to an external site, but would allow you to extract the user identity and prepopulate the field on the page.
Keep in mind that you should not include in the URL in the email enough information, so that clicking on that link would authenticate the user to your site. You still want the user to prove their identity.