WebApp Sec mailing list archives

Re: ASP authentication


From: ido () cs uchicago edu (Ido Mordechai Rosen)
Date: Tue, 31 Aug 2004 14:28:32 -0500

Responses inline.  (Summary: Thanks, I wasn't thinking w.r.t. the link.)

On Tue, 31 Aug 2004 08:56:38 +0200
"Saphyr" <saphyr () infomaniak ch> wrote:


> > Though I despise ASP (I prefer Python or PHP or even Perl), here are
> > a few ASP-relevant sources of information on single sign-on using
> > sessions.
> >
> > This one is a tutorial intended to teach ASP, but it covers an
> > "extended member's area" which uses some single sign-on techniques.
> > http://www.theukwebdesigncompany.com/article.php?id=392

> Ido, and list,
>
> Reading the link you provided made me clearly understand one of the
> reasons you might 'despise' ASP.

I didn't actually look at the link I provided.  Sorry.


> As an ASP developer myself, I must react to the link you just
> provided in order to help Benoni with some authentication scheme
> examples.
>
> If you read the article, you will see the author has implemented at
> least two major critical flaws in his authentication scheme:
>
>     - user credentials (login and password) are directly hard-coded
>       into the source scripts.
>     - the authentication logic flow is based upon a cookie value, a
>       sensitive data repository highly vulnerable to spoofing
>       (pretending you're someone or something you aren't) and sniffing
>       (listening to a communication from a point between the 'speaker'
>       and the 'listener') techniques.
>
> Any professional with a minimal authentication and secure web
> development culture knows such an example should never be implemented
> in a real-world application because of its almost non-existent
> security level.

I agree.  I was providing it as an example, not a final product.

> Although your answer telling what sessions are made of and how they
> work was a really good read, the examples you provided shouldn't
> even be linked anywhere on the net. Sorry for the author if he reads
> this...
>
> Did you at least read the link you provided?

No. :)  Sorry!!!  It was really late and I lost my sources/links before
ending the message due to some trigger-happy mouse clicking.  I was
writing mostly from memory.


> A link like the one below should be far better for a beginner in
> ASP authentication. Good basics are given:
>
>     - use of includes
>     - use of session-based authentication
>     - use of database-stored credentials
>
> ...which is far closer to what commercial web applications provide
> today.
>
> A simple ASP authentication system
> http://www.kamath.com/tutorials/tut003_auth.asp


Many many thanks for providing this better example.  I'm sure it'll help
beginners out there.  I "despise ASP" because it is so darn
proprietary-feeling and your scripts/whatnot only *really* work as
intended on IIS and then only on web hosts with specific IIS
configurations, and because it has these things called "components" that
only work in Windows and force you to use a specific type of Microsoft
platform and sometimes even a specific web host.  Anyhow, I don't want
to make this a debate about why ASP is good/bad.  ASP would be really
nice were it to be truly multi-platform and server-independent from the
start (i.e.: if Microsoft didn't try to monopolize yet another industry
by making it so darned proprietary-feeling)...  But I do not despise
Microsoft -- they probably weren't thinking about being
multi-platform-friendly/linux-friendly when initially developing ASP,
and probably just wanted to get the product out for IIS ASAP.  (Haha,
ASP and ASAP...get it? :)

Ido


> Best regards,
>
> .antoine
> --
> Blog Dev et Sécu Web (Swiss blog about Web Security and Development)
> http://www.nxtg.net/is/
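The two flaws Antoine points out in the first tutorial (credentials hard-coded in the script, and a client-controlled cookie used as the authentication state) and the basics he recommends instead (server-side sessions, database-stored credentials) are easiest to see side by side in code. The block below is an added example written for this archive page; it is not code from either linked tutorial or from anyone in the thread. It models the two schemes in Python rather than classic ASP, because the mistake and the fix are independent of the language: the form and cookie dictionaries stand in for `Request.Form`/`Request.Cookies`, the in-memory SQLite table for a real user database, and the usernames and passwords are constructed sample data. Scheme A accepts anyone who sends `loggedin=true`; Scheme B only accepts a session id the server itself issued after checking a salted PBKDF2 hash.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# ---------------------------------------------------------------
# Scheme A (the flawed pattern): credentials hard-coded in the
# script, and a login flag stored in a cookie the client controls.
# ---------------------------------------------------------------
HARDCODED_USER = "admin"      # constructed sample credential
HARDCODED_PASS = "letmein"    # constructed sample credential


def flawed_login(form, cookies):
    """Compare the form against the hard-coded pair and set a flag cookie."""
    if form.get("user") == HARDCODED_USER and form.get("pass") == HARDCODED_PASS:
        cookies["loggedin"] = "true"
    return cookies


def flawed_is_authenticated(cookies):
    """Trusts the client-supplied flag: any browser can simply send it."""
    return cookies.get("loggedin") == "true"


# ---------------------------------------------------------------
# Scheme B: credentials kept in a database as salted PBKDF2 hashes,
# and a server-side session table keyed by an unguessable random id.
# ---------------------------------------------------------------
PBKDF2_ROUNDS = 100_000


class SessionAuth:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")   # stands in for a real user DB
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
        )
        self.sessions = {}   # session id -> username; never leaves the server

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.db.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (username, salt, self._hash(password, salt)),
        )

    def login(self, form, cookies):
        """Verify against the stored hash; on success issue a fresh session id."""
        row = self.db.execute(
            "SELECT salt, pw_hash FROM users WHERE username = ?",
            (form.get("user", ""),),
        ).fetchone()
        if row is None:
            return cookies                      # unknown user: nothing issued
        salt, pw_hash = row
        if hmac.compare_digest(self._hash(form.get("pass", ""), salt), pw_hash):
            sid = secrets.token_urlsafe(32)     # 256 bits of randomness
            self.sessions[sid] = form["user"]
            cookies["sid"] = sid
        return cookies

    def is_authenticated(self, cookies):
        """Only an id the server itself issued maps to a user; else None."""
        return self.sessions.get(cookies.get("sid"))

    def logout(self, cookies):
        """Server-side revocation: the cookie value becomes worthless."""
        self.sessions.pop(cookies.get("sid"), None)


def demo():
    """Run the spoofing attempt against both schemes and a real login against B."""
    forged = flawed_is_authenticated({"loggedin": "true"})   # attacker wins

    auth = SessionAuth()
    auth.add_user("alice", "correct horse battery staple")    # constructed user
    guessed = auth.is_authenticated({"sid": "true"})          # forged id: None
    jar = auth.login({"user": "alice", "pass": "correct horse battery staple"}, {})
    real = auth.is_authenticated(jar)                         # 'alice'
    auth.logout(jar)
    after_logout = auth.is_authenticated(jar)                 # None again
    return forged, guessed, real, after_logout


if __name__ == "__main__":
    print(demo())   # (True, None, 'alice', None)
```

Scheme B answers the spoofing point, not the sniffing one: the session id is still a bearer token, so it needs TLS on the wire and the `Secure`/`HttpOnly` cookie flags. What changes is that it cannot be guessed, it carries no meaning the client can edit, and the server can revoke it.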
