RE: ASP authentication

["Zuech, Richard" <RichardZuech () miamibeachfl gov>]

Setting a Session Variable is the best way IMHO.

If it's just on one server the easiest way is to use a session variable that resides in memory.

If the application is spread across multiple servers, use a session variable that gets stored in a Database (rather 
than RAM) so that the session variable is not lost (in another server's memory) on subsequent web requests via 
Posts/Gets.

I hope that helps,

Rich

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] 
Sent: Thursday, August 26, 2004 1:50 PM
To: webappsec () lists securityfocus com
Subject: ASP authentication

Hi List,

I am wondering what was the most secure way to allow users to access pages after authentication, i.e.: user 
authenticates in toto.asp, and after that, access is granted to tata_1.asp, tata_2.asp, ..., tata_n.asp. The trouble is 
obviously to ask the user once for his login / password (just in tot.asp), and to allow him to get to the other pages 
without asking each time his credentials.

Googling around, I saw a couple of ways to meet my needs, but all seem to be weak:
- I can set a hidden field where I can say "yes, he is authenticated" or "no, he is not", but anyone a little bit 
skilled can create a fake request having this set up by hand (with a proxy ! ),
- I can check a session number or smth like that on each page...but this does not seem very reliable,
- I can check IP adress...but when you use AOL for instance, IP adresses can change !

So none of the ways I found seem to be the best... 
 
Cheers list, for any reply / clue !