WebApp Sec mailing list archives

Re: ASP authentication


From: "Saphyr" <saphyr () infomaniak ch>
Date: Wed, 1 Sep 2004 09:55:49 +0200

I usually don't implement anything crazy for authentication to
specific pages. At the top of each ASP page I have a function call
require(rolename), which checks the session variables to see if the
role is included. If not, redirect to the login. The login sets up the
roles. End of story.

Yeah.  I agree.  For *authentication*, that is pretty much it.  Behind
the scenes, encrypted sessions are a good thing solely as an added layer
of protection against database server breaches...nothing more.  

We hereby have a practical example of the difference between what would
be theoretically perfect (ssl encryption, strong validation, impersonation, 
hijack detection, session replay attacks and so on...) and what was practically
implemented: checking if a session value tells whether you're in a role or not.

Like Ido said, it's good to think "what should we do best?" but even far better
to think "who are we protecting against?", thus often avoiding useless (and 
more expensive) work ; ) 

.antoine
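The require(rolename) pattern described at the top of the thread, written out as a classic ASP (VBScript) include. This is an added example, not code posted by anyone in the thread; it assumes the login page stores the user's role names as a comma-separated string in Session("roles"), that the login page is login.asp, and that the helper names HasRole and Require are ours.

```vbscript
<%
' Added example: role check for classic ASP pages (not from the thread).
' Assumption: login.asp, after verifying credentials, does something like
'     Session("roles") = "user,editor"
' and nothing client-side can write to Session, so the check is server-authoritative.

' Returns True if roleName is one of the roles stored in the session.
Function HasRole(roleName)
    Dim roles, i
    HasRole = False
    ' Unauthenticated session: no roles variable at all.
    If IsEmpty(Session("roles")) Or IsNull(Session("roles")) Then Exit Function
    roles = Split(Session("roles"), ",")
    For i = 0 To UBound(roles)
        ' Case-insensitive, whitespace-tolerant comparison of each stored role.
        If StrComp(Trim(roles(i)), roleName, vbTextCompare) = 0 Then
            HasRole = True
            Exit Function
        End If
    Next
End Function

' Gate the current page: redirect to the login page unless the role is present.
' Response.Redirect ends the response, so nothing below the call is sent.
Sub Require(roleName)
    If Not HasRole(roleName) Then
        Response.Redirect "login.asp"
    End If
End Sub

' Usage at the very top of a protected page, before any output:
'     <!--#include file="require.inc" -->
'     <% Require "editor" %>
%>
```

Two points that follow from the "who are we protecting against" question: the check only holds up if the roles string is set exclusively by the login code after a successful credential check (never from a form field or cookie), and calling Session.Abandon before populating roles at login keeps a previously issued session id from being reused for the authenticated session.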

