Single user mode loses connection

So just a quick background: we are trying to update the database design in a production environment, but we want to be sure that no users try to log in during that time. So we started looking into single user mode, but that gave us some trouble; sometimes we would lose the connection in the middle of the update. So we set up a test environment to replicate the behavior.

We are using Microsoft SQL Server 2017, with the AdventureWorks2017 database, to replicate the issue. On the database we have turned off Auto Close and Auto Update Statistics Asynchronously.

We then open two connections to the server, both using the master database, and tell one of them to run this script:

USE MASTER
SET DEADLOCK_PRIORITY HIGH
-- Take the database to single-user mode and disconnect everyone else
ALTER DATABASE [AdventureWorks2017] SET SINGLE_USER WITH ROLLBACK IMMEDIATE
GO

-- Kill any remaining user sessions still attached to the database
DECLARE @kill varchar(max) = '';
SELECT @kill = @kill + 'KILL ' + CONVERT(varchar(10), spid) + '; '
FROM master..sysprocesses
WHERE spid > 50 AND dbid = DB_ID('AdventureWorks2017')
EXEC(@kill);

USE AdventureWorks2017
GO

-- Simulate the long-running update with a loop of reads
DECLARE @cnt INT = 0;
WHILE @cnt < 10000
BEGIN
  SELECT TOP 1000 * FROM Person.Person;
  SET @cnt = @cnt + 1;
END;

And then on the other connection repeatedly run:

SELECT TOP 1000 * FROM AdventureWorks2017.Person.Person;
GO

At some point the first script stops working and fails with this error:

Database 'AdventureWorks2017' is already open and can only have one user at a time.

But to our understanding this should not happen, because it still has the connection. Note that this doesn't happen all the time, but it's still fairly consistent.

Is there anything that we are missing, or can this be an issue with SQL Server?
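The following is an added example (editor's code, not the script from the question) of doing the same maintenance step from inside the database, so that the session issuing ALTER DATABASE is itself the single permitted user. In the script above, the session is still in master when the ALTER completes, so until USE runs the single slot is free for the other connection to take; issuing USE first closes that gap. It assumes SQL Server 2017 with the AdventureWorks2017 sample database and a login that may run ALTER DATABASE and read sys.dm_exec_sessions; the schema change itself is a commented placeholder.

```sql
-- Added example (not the question's script): take SINGLE_USER from inside the
-- database so this session is the one permitted user, then verify before
-- changing the schema. Assumes SQL Server 2017 and AdventureWorks2017.
USE AdventureWorks2017;
GO

-- Other sessions are rolled back and disconnected; this session keeps its
-- slot because it is already inside the database when the option changes.
ALTER DATABASE [AdventureWorks2017] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO

-- Guard: only continue if this is the sole session in the database.
-- sys.dm_exec_sessions.database_id exists from SQL Server 2012 onwards.
IF (SELECT COUNT(*) FROM sys.dm_exec_sessions
    WHERE database_id = DB_ID('AdventureWorks2017')) <> 1
BEGIN
    -- Give the database back rather than leaving it locked to nobody.
    ALTER DATABASE [AdventureWorks2017] SET MULTI_USER;
    RAISERROR('AdventureWorks2017 is not held exclusively by this session; aborting.', 16, 1);
    SET NOEXEC ON;   -- compile but do not run the remaining batches
END;
GO

-- Schema changes go here (placeholder; the real DDL is whatever the update needs):
-- ALTER TABLE Person.Person ADD ExampleColumn nvarchar(50) NULL;
SELECT TOP (10) BusinessEntityID, FirstName, LastName FROM Person.Person;
GO

-- Reopen the database for everyone once the update has been applied.
ALTER DATABASE [AdventureWorks2017] SET MULTI_USER;
GO
SET NOEXEC OFF;
GO
```

The separate KILL loop from the question is not needed here: WITH ROLLBACK IMMEDIATE already disconnects the other sessions, and the guard on sys.dm_exec_sessions makes the script fail closed if anything else managed to reconnect before the DDL runs.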

How do I create a column and display user data from custom registration field

Our registration form has a custom field for Hospital Name. In SQL wp_usermeta the meta_key is user_registration_hospital. I have tested a number of snippets in the functions.php file to add a "Hospital" column to the Users admin table, all of which work. This is one of the snippets that adds the Hospital column:

function add_user_columns( $column ) {
    // Register the extra column in the Users admin table.
    $column['hospital'] = 'Hospital';
    return $column;
}
add_filter( 'manage_users_columns', 'add_user_columns' );

What code do I need to add to the functions.php file to have the Hospital data from wp_usermeta populate the Hospital column?

Solution to User Initial HTTP Requests Unencrypted Despite HTTPS Redirection?

It is my understanding that requests from a client browser to a web server will initially follow the specified protocol, e.g. HTTPS, and default to HTTP if none is specified (tested in Firefox). On the server side it is desirable to enforce strict HTTPS for all connections, for the privacy of request headers, and as a result HTTPS redirections are used. The problem is that any initial request where the client does not explicitly request HTTPS will be sent unencrypted. For example, the user gives the browser the URL below.

google.com/search?q=unencrypted-get

google.com will redirect the client browser to use HTTPS, but the initial HTTP request and GET parameters were already sent unencrypted, possibly compromising the privacy of the client. Obviously there is nothing foolproof that can be done by the server to mitigate this vulnerability, but:

  1. Could this misuse compromise the subsequent TLS security, possibly through a known-plaintext attack (KPA)?
  2. Are there any less obvious measures that can be taken to mitigate this, possibly through some DNS protocol solution?
  3. Would it be sensible for a future client standard to always initially attempt with HTTPS as the default?

How to create user profile pages and display them based on user roles

Example: I have a website with 3 different user roles (amongst others): developers, designers and contributors.

I would like to have profile pages for users and would like to be able to display users on pages based on (filtered by) their role. Hope this is clear. I have researched quite a few membership plugins and found that they are just bloated with features, and ended up with TMI and no answers/solutions, so if you can help I would appreciate it. Do you know of any plugins suitable for doing that?

Thanks in advance

Who (Designer or User) Should be Responsible for the Correct/Secure Usage of a Tool Intended for Developers/Admins?

There is a healthy debate around a series of Stack Overflow posts that refer to the "RunAs" command. Specifically, the discussion is in reference to a design decision that the folks at Microsoft made a long time ago, to require users of this command to enter the user's password in one specific way. Raymond Chen summarizes one side of the argument quite clearly:

The RunAs program demands that you type the password manually. Why doesn't it accept a password on the command line?

This was a conscious decision. If it were possible to pass the password on the command line, people would start embedding passwords into batch files and logon scripts, which is laughably insecure.

In other words, the feature is missing to remove the temptation to use the feature insecurely.

If this offends you and you want to be insecure and pass the password on the command line anyway (for everyone to see in the command window title bar), you can write your own program that calls the CreateProcessWithLogonW function.

I'm doing exactly what is being suggested in the last line of Raymond's comment, implementing my own (C#) version of this application that completely circumvents this restriction. There are also many others who have done this as well. I find this all quite irritating and agree with the sentiment expressed by @AndrejaDjokovic, who states:

Which is completely defeating. It is really tiresome that the idea of "security" is invoked by software designers who are trying to be smarter than the user. If the user wants to embed the password, then that is their prerogative. Instead, all of us coming across this link are going to go and search for other ways to utilize a SUDO equivalent in Windows through other unsavory means, bending the rules and wasting time. Instead of having one batch file vulnerable, I am going to end up reducing overall security on the machine to get "sudo" to work. Design should never be smarter than the user. You fail!

Now, while I agree with the sentiment expressed by Microsoft and their concern with "embedding passwords into batch files" (I personally have seen this poor practice way too many times), it really does strike me as wrong what Microsoft has done here. In my specific example I'm still following best practices and my script won't store credentials; however, I'm forced to resort to a workaround like everybody else.

This decision really follows a common pattern at Microsoft of applications acting in ways that are contrary to the needs of the specific users, with the intention of "helping" the users by preventing them from completing an action that is viewed as unfavorable, and then obfuscating or purposely making the implementation of workarounds more difficult.

This leads us to a broader question, extremely relevant to this issue: who is the truly responsible party when it comes to security around credentials, the user of the software or the designer of the software? Obviously both parties hold some responsibility, but where is the dividing line?

When you create tools for other developers, should you seek to the best of your ability to prevent them from using your application in an insecure manner, or do you only need to be concerned about the application itself and whether it's secure internally (regardless of how the user invokes it)? If you are concerned about "how" they are using your application, to what extent do you need to validate their usage (example: should "RunAs" fail if the system is not fully "up to date", i.e. insecure in another way)? If that example seems far-fetched, then define that line. In the case of "RunAs" the intention is quite clear: the developers who created it are not only concerned about managing credentials securely internally within their application, but also care deeply about the security implications of how you use it. Was their decision correct in validating the usage in this case, and if so (or not), where should that dividing line be for the applications that are created in the future?

Is it less secure to force periodic user logouts vs keep them logged in?

I've been unable to find any research or information on this.

Google periodically signs me out and forces me to sign back in. I have multiple devices and multiple Google accounts, so it's a bit frustrating, but that's just how it is. However, I was thinking about whether this practice is actually secure.

  1. It seems to encourage easy-to-remember / easy-to-type passwords over longer, stronger passwords
  2. There's more chance for a keylogger to intercept a password
  3. There's more chance for a physical observer to watch you enter a password
  4. It may desensitise users and lead to them automatically entering their password without checking the URL

How does this balance against the inherent insecurity of indefinitely extending a login's lifetime?

It's worth noting that Google doesn't ever log me out of my mobile device. I wonder why it treats this environment differently? Security vs UX concerns?

Specify Host for User in docker compose file

I've started messing with Docker and the MySQL 5.7 image, and have created a docker-compose.yaml file to quickly bring up a DB instance with the root password set, a new user and password created, and a new database. When I log in to the new DB, I see that the new user is set with a host of %. I would like to be able to set this to a host of my choice in the YAML, but I can't find any docs or notes on what environment variable to specify in the docker-compose file.

Thoughts about how to accomplish this? I did attempt to set MYSQL_USER: dbadmin@host, but this just created the user as dbadmin@host with the host still set to % in MySQL.
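The following is an added example (editor's code, not from the question) of creating the application account with an explicit host part instead of through MYSQL_USER, which the official image creates as 'user'@'%'. It assumes the mysql:5.7 image with this file mounted into /docker-entrypoint-initdb.d/, where the image runs .sql files once, when the data directory is first initialised; the database name, the host pattern and the password are placeholders to replace.

```sql
-- Added example (not from the question). Assumes the official mysql:5.7 image
-- with this file mounted at /docker-entrypoint-initdb.d/01-app-user.sql; it is
-- executed once, on first initialisation, by the image's entrypoint as root.
-- appdb, the 10.0.0.% host pattern and CHANGE_ME are placeholders.
CREATE DATABASE IF NOT EXISTS appdb;

-- The host part decides where the account may connect from. Restricting it to
-- the compose network's address range (placeholder shown) is what MYSQL_USER
-- cannot express, since that variable always produces 'dbadmin'@'%'.
CREATE USER IF NOT EXISTS 'dbadmin'@'10.0.0.%' IDENTIFIED BY 'CHANGE_ME';

-- Grant only what the application needs on its own schema; ALL PRIVILEGES on
-- *.* would recreate the superuser-like grant the environment variable gives.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'dbadmin'@'10.0.0.%';

-- Check the result: host should show the restriction, not '%'.
SELECT user, host FROM mysql.user WHERE user = 'dbadmin';
```

In the compose file, mount the script read-only with a volumes entry such as ./01-app-user.sql:/docker-entrypoint-initdb.d/01-app-user.sql:ro and leave MYSQL_USER and MYSQL_PASSWORD unset, otherwise the image still creates the '%' account alongside this one. Keep MYSQL_ROOT_PASSWORD as before; the init script runs with root privileges. Since the password sits in a file on disk, treat that file as a secret (do not commit it, and rotate the password after the first start if the file must remain on the host).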

Having a backdoor password for each user to allow impersonation

For some context, I want my API to be able to 'impersonate' (or connect as) a user on my LDAP database, as most of the API's access controls are on the LDAP database and tied to the user you are connected as.

In order to do this I have an idea where I will generate a random password for each user. The random password will then be encrypted with a key only the API has access to. The encrypted string will then be stored under the user's entry. Now, when the API wants to impersonate a user, it will get the encrypted string, decrypt it and then connect as that user.

How bad of an idea is this?