WebApp Sec mailing list archives
RE: ASP authentication
From: "pfeito" <pfeito () netcabo pt>
Date: Sat, 28 Aug 2004 18:17:38 +0100
You could hash or encrypt the UserID and store it in a session variable. This adds an extra layer of security. Its not bullet proof but its more safe and it adds little cpu overhead. Hash would be better than symmetrical encryption, but then you'll need the passwords hashed in the database also. -pfeito
-----Original Message----- From: Zuech, Richard [mailto:RichardZuech () miamibeachfl gov] Sent: sexta-feira, 27 de Agosto de 2004 22:41 To: Bénoni MARTIN; webappsec () lists securityfocus com Subject: RE: ASP authentication Setting a Session Variable is the best way IMHO. If it's just on one server the easiest way is to use a session variable that resides in memory. If the application is spread across multiple servers, use a session variable that gets stored in a Database (rather than RAM) so that the session variable is not lost (in another server's memory) on subsequent web requests via Posts/Gets. I hope that helps, Rich -----Original Message----- From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] Sent: Thursday, August 26, 2004 1:50 PM To: webappsec () lists securityfocus com Subject: ASP authentication Hi List, I am wondering what was the most secure way to allow users to access pages after authentication, i.e.: user authenticates in toto.asp, and after that, access is granted to tata_1.asp, tata_2.asp, ..., tata_n.asp. The trouble is obviously to ask the user once for his login / password (just in tot.asp), and to allow him to get to the other pages without asking each time his credentials. Googling around, I saw a couple of ways to meet my needs, but all seem to be weak: - I can set a hidden field where I can say "yes, he is authenticated" or "no, he is not", but anyone a little bit skilled can create a fake request having this set up by hand (with a proxy ! ), - I can check a session number or smth like that on each page...but this does not seem very reliable, - I can check IP adress...but when you use AOL for instance, IP adresses can change ! So none of the ways I found seem to be the best... Cheers list, for any reply / clue !
Current thread:
- Re: ASP authentication, (continued)
- Re: ASP authentication Erik Kangas (Aug 27)
- Re: ASP authentication saphyr (Aug 28)
- Re: ASP authentication security (Aug 29)
- Re: ASP authentication George Capehart (Aug 30)
- Re: ASP authentication Ido Mordechai Rosen (Aug 30)
- Re: ASP authentication Saphyr (Aug 31)
- RE: ASP authentication Brett Moore (Sep 01)
- Re: ASP authentication Ido Mordechai Rosen (Sep 01)
- Re: ASP authentication Saphyr (Aug 31)
- RE: ASP authentication Zuech, Richard (Aug 27)
- RE: ASP authentication focus (Aug 28)
- RE: ASP authentication pfeito (Aug 29)
- RE: ASP authentication focus (Aug 29)
- Re: ASP authentication Ido Mordechai Rosen (Aug 31)
- RE: ASP authentication Sarbjit Singh Gill (Aug 29)
- Re: ASP authentication Erik Kangas (Aug 27)
- FW: ASP authentication Rishi Pande (Aug 27)
- RE: ASP authentication Scovetta, Michael V (Aug 31)
- Re: ASP authentication Ido Mordechai Rosen (Sep 01)
- Re: ASP authentication Saphyr (Sep 01)
- Re: ASP authentication Ido Mordechai Rosen (Sep 01)