Re: ASP authentication

[George Capehart <gwc () acm org>]

On Thursday 26 August 2004 13:50, Bénoni MARTIN allegedly wrote:
> Hi List,
>
> I am wondering what was the most secure way to allow users to access
> pages after authentication, i.e.: user authenticates in toto.asp, and
> after that, access is granted to tata_1.asp, tata_2.asp, ...,
> tata_n.asp. The trouble is obviously to ask the user once for his
> login / password (just in tot.asp), and to allow him to get to the
> other pages without asking each time his credentials.
>
> Googling around, I saw a couple of ways to meet my needs, but all
> seem to be weak: - I can set a hidden field where I can say "yes, he
> is authenticated" or "no, he is not", but anyone a little bit skilled
> can create a fake request having this set up by hand (with a proxy !
> ), - I can check a session number or smth like that on each
> page...but this does not seem very reliable, - I can check IP
> adress...but when you use AOL for instance, IP adresses can change !
>
> So none of the ways I found seem to be the best...

Kerberos has been around a long time and we understand very well how to 
use it to authenticate users and how to use the ticket as an 
authorization token.  Rather than reinventing the wheel, why not just 
create a session that uses a Kerberos ticket?  Now, there are lots of 
ways to implement and manage sessions, but, if you're going to do 
authentication, you're going to want to do some kind of session 
management anyway, aren't you?

Cheers,

/g