Since a registration's expiration time is 90 Days.
So I plan to check first for every concern devices/registration before sending any notification.
Because I don't want to keep anything on server.
However, I'm not sure if it's good idea to do
Is it slow to do for lots devices ?
Also, I can not find a way to set Expiration time of any registration
So I've never seen result when sending to expired device ?
Can anyone suggest ?
the common recommended approach is to refresh registration on every app start-up per documented at https://azure.microsoft.com/en-us/documentation/articles/notification-hubs-registration-management/. This ensures that Notification Hubs holds the most recent token provided by the device PNS.
Related
I have an instagram feed on my website, i created a developers.facebook.com account and made a long lived access token.
However after 60 days I have to log back in and get a new token.
You can renew an access token before it expires.
My question is... can I or should I just create a script that renews the long lived access token server side every time the page is refreshed?
Seems a bit annoying to do that to instagram servers... but what other methods would I have.. i don't know how to run a script every 59 days to get a new token..
Any ideas?
Thanks
The renewal can be done only on tokens that are older than a day, so running it before that will make no difference. So, with that in mind, I run the refresh code with every call to the API. If it's already refreshed it will be ignored, so practically it will only get refreshed once a day.
Also, it's worth noting that Instagram limits the number of calls that you can make, so calling the API with every page refresh doesn't sound like a good idea. To avoid running out of quota, I cache the results and only call the API once per hour.
Here's a more detailed explanation of the exact steps that I took. It's been written with WordPress in mind, but for the most part, it doesn't matter much.
In our web application, we have a function where the user reset his/her password. Part of the process requires sending OTP via SMS. The thing is, we have a function in our page that allows user to resend the OTP in case it was not received due to certain reasons (sms provider error, network error etc.). Upon recent penetration testing, it was found that that the back end call for sending the OTP is vulnerable for DoS attacks. Hackers can run it to flood users with SMS.
We already have a mechanism in our firewall which detects automated attacks for denial of service. The problem is, there is a minimum limit of requests per second for the firewall classifies it as an attack. (e.g. 100 requests per second, the FW blocks it but anything below, it allows).
Lets say hacker did a program to resend otp via sms per second, the firewall would not be able to detect it. Another option we can do is handle it programatically but we can't think of a best way to do it. Can anyone advise us on this? We can't just limit the no of times an OTP can be resend because we are worried of its effect in user experience.
Two things come to my mind:
Take Macuistin's idea but make the timeouts grow over time. I know I wouldn't want 3 text messages a minute. After X number of messages don't send anymore and have them contact support. If this is a legitimate user, after so many messages something isn't right and you should just stop.
How about adding a step before this, send a link to the email address of the user with a one-time link, click on the link will send them to the page to enter in the OTP that triggered on the link (there could be a resend link on there as well which would not trigger another email).
Have you looked at the timings in real world use cases?
For example, if a real user takes 20 seconds before pressing retry then you could add that restriction to your service without real users knowing that the restriction is in place.
That doesn't mean that you couldn't accept another request before this time, it could just be queued until the timeout has passed.
This will not possible through WAF, Here you can use Captcha for failed attempts.
Captcha only pop up when particular limit cross. You can set limit on IP, UserID, and session variable.
I have some problem in this specific scenario:
If my XPages application
If I have my Domino HTTP configure with Single server setting the Ext.lib Keep-Alive control work well...and my session don't expire.
But I I use Domino HTTP configured with Multiple SSO (LPTAtoken) with Firebug I see the Ext.lib Keep-Alive control work well (I see the PING request) but I don't know because my session expire.
Have someone any suggest for me?
Tnx you
p.s. my release in 9 social on linux 32 bit
What kind of key did you use when you created the LTPA token?
When using WebSphere LTPA keys, a token is assigned and it will expire when the time specified in the field Expiration (minutes) elapses, no matter whether you are actively using your application or not.
When examining the documentation for products that use WebSphere server (Sametime, Connections) I found that IBM suggests to set Expiration time to a long interval (such as 600) minutes to minimize the risk of users being logged out in the middle of a working day. I admit that this does not sound like a good suggestion security-wise.
I assume it is the same when using Domino LTPA keys, with the added option of being able to specify Idle Session Timeout.
So, you can either increase the token expiration interval (depending on your requirements this could be an easy fix) or go with Stephan's suggestion. I don't know how to code his approach, but if I find a solution, I'll update this answer.
In a single server setting the server tracks the validity of the cookie. So whenever you hit the server it is updated. In a multi server environment you get a new cookie before expiry. So you need to process the incoming cookie to replace the predecessor. Easiest way using a regular page and an iframe
I have an application that runs on for example Google TV or Apple TV, which sends HTTP requests to a service of mine.
Now if someone listens in on this request, they can replay it and in that way execute a Denial of Service (DOS) attack our service.
Is there any way to make each request unique, so it cannot be replayed?
I thought of sending the time encrypted in the request and check the difference between the server time and the time the request was sent, but I'm getting too big time differences to compare.
Does anyone have a better idea?
You are in a good situation as you have control both on the server side and the client side (your application is talking). Include into your message
The current time in milliseconds plus + random number
The combined hash produced by these values plus (as a the third input) some key only your application knows. Use some good one way hashing algorithm.
Only the code who knows the mentioned key will be able to compute a correct hash. The used request records (hash and time stamp) can be stored for some expiration time that can be long. Very old request records can be easily expired as they contain the time stamp.
The positive feature of the proposed approach is it does not require to connect in advance in order to receive a token, needs no authentication, needs no registration and can use the open protocol. Using token just by itself does not help much against DoS as an attacker quickly writes a script to connect and obtain the token in advance as well.
I have been meaning to implement a "who is online" feature on my site.
Was wondering how would you decide if a user is online or not?
Some options are:
Last seen, less than N minutes ago (what is N?)
A comet server with long polling
Something else
If you are using session variables then the user is online if last_activity + session_expiry > current_date. Else the session has already expired and they are not online.
Now, it depends on what people will be able to do with this "who is online" feature. You might prefer a more conservative measure to have a higher confidence the user's active.
But, given the nature of the web, there's no sure fire way to ensure the user's really online and active in your site, short of requiring user interaction every once in a while, but that would be annoying.
I would go with option 1 and allow N to be set from a configuration file. Presumably user activity is being logged with a timestamp in some datastore, so calculating whether a user is considered online (seen less than N time ago) should be pretty straightforward. You may consider using a periodic AJAX request to update the online collection of users at regular intervals.
You could also use a ping method. Send a light ajax request from the client to server approximately every 30-60 seconds. Keep the request and response as small as possible to reduce bandwidth and this should perform almost as well as the Comet method.