WebApp Sec mailing list archives
Re: Control of cookies???
From: Erik Kangas <kangas () luxsci com>
Date: Wed, 28 Jan 2004 09:12:09 -0500
Marcelo Caffaro wrote:
Hello guys, can anyone help me with ideas, solutions or samples for managing the session of a website? For example, I have a site (IIS), and below the site's structure I have a folder named docs, but if I enter the complete URL of the document, everyone can see my document. I need to create a method to authenticate my users. I don't know if cookie control is the best solution, but I need to capture the user, IP and cookie to control user access; if the user is not authenticated, the user cannot see the documents. Can anyone help me?
The best thing to do is to put these documents into a separate folder that is NOT in the web site - i.e. no URL points directly to them. Then, you write a script that 1. verifies whatever authentication scheme you are using [cookies, form fields, etc.], 2. reads form fields, the query string, or extra path information to determine what document is requested, 3. verifies authorization if necessary, and 4. reads the document from the disk and returns it with the appropriate HTTP headers to the client.
In this scheme, the only way to access the secure documents is through the script where you can control authentication and authorization (and other factors).
What method you use to store session authentication state information depends a lot on your site architecture and requirements.
-Erik Kangas -- Erik Kangas, Ph.D. - Lux Scientiae, Incorporated - http://luxsci.com
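A minimal gatekeeper of the kind Erik describes, written here as an added Python example (it is not code from the post or from Lux Scientiae): the documents live in a directory outside the web root, the cookie is checked against a session store, the requested name is canonicalised so it cannot escape that directory, an authorization rule is consulted, and only then is the file read from disk and returned with its headers. SESSIONS, ACL, the session values and the sample files are constructed assumptions.

```python
import mimetypes
import tempfile
from pathlib import Path

# Constructed session store standing in for whatever the site uses
# (cookie value -> user record). Names and values are hypothetical.
SESSIONS = {
    "sess-abc123": {"user": "alice", "groups": {"staff"}},
    "sess-guest9": {"user": "bob", "groups": {"guest"}},
}

# Hypothetical authorization rule: which groups may read which document.
ACL = {
    "report.pdf": {"staff"},
    "public.txt": {"staff", "guest"},
}


def resolve_document(docs_root: Path, requested: str):
    """Map the client-supplied name to a file inside docs_root, or None.
    Resolving the path and requiring docs_root as its parent rejects
    '../' traversal, absolute paths and subdirectory escapes alike."""
    base = docs_root.resolve()
    target = (base / requested).resolve()
    if target.parent != base or not target.is_file():
        return None
    return target


def serve_document(docs_root: Path, cookie, requested: str):
    """Return (status, headers, body) as the gatekeeper script would."""
    session = SESSIONS.get(cookie or "")
    if session is None:                      # step 1: authentication
        return 401, {"Content-Type": "text/plain"}, b"not authenticated"
    path = resolve_document(docs_root, requested)   # step 2: locate
    if path is None:
        return 404, {"Content-Type": "text/plain"}, b"no such document"
    if not session["groups"] & ACL.get(path.name, set()):   # step 3
        return 403, {"Content-Type": "text/plain"}, b"not authorized"
    ctype = mimetypes.guess_type(path.name)[0] or "application/octet-stream"
    headers = {"Content-Type": ctype,        # step 4: return the bytes
               "Content-Disposition": f'attachment; filename="{path.name}"',
               "Cache-Control": "private, no-store"}
    return 200, headers, path.read_bytes()


def make_demo_root() -> Path:
    """Constructed sample documents in a temp dir that no URL maps to."""
    root = Path(tempfile.mkdtemp(prefix="docs_"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (root / "public.txt").write_text("constructed public text")
    return root
```

The same four checks apply whatever the server is; on IIS the script would be an ASP page reading the cookie and query string, but the order (authenticate, locate safely, authorize, then read from disk) does not change.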