ASP Authentication

From: Bénoni MARTIN (Benoni.MARTIN_at_libertis.ga)
Date: 08/25/04

Date: Wed, 25 Aug 2004 11:06:47 +0100
To: <security-basics@securityfocus.com>
    
    

Hi List,

I am wondering what the most secure way is to allow users to access pages after authentication, i.e.: the user authenticates in toto.asp, and after that, access is granted to tata_1.asp, tata_2.asp, ..., tata_n.asp. The trouble is obviously to ask the user for his login / password only once (just in toto.asp), and to let him get to the other pages without asking for his credentials each time.

Googling around, I saw a couple of ways to meet my needs, but all seem to be weak:
- I can set a hidden field where I can say "yes, he is authenticated" or "no, he is not", but anyone a little bit skilled can create a fake request with this set by hand (with a proxy!),
- I can check a session number or something like that on each page... but this does not seem very reliable,
- I can check the IP address... but when you use AOL for instance, IP addresses can change!

So none of the ways I found seems to be the best...

Cheers list, for any reply / clue!

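The second option the poster lists (check a session identifier on every page) is the standard answer, provided the identifier is generated server side, is unguessable, expires, and is the only thing the protected pages trust. The following is an added example, not code from the original post: a Python model of that pattern, written so the check is explicit. In classic ASP the same role is played by the Session object and a per-page include that redirects to the login page when the session is not marked authenticated. The user table, the request dictionaries, the page names (toto.asp, tata_n.asp) and the twenty-minute idle timeout are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 20 * 60  # constructed idle timeout; ASP's default Session.Timeout is also 20 min

# Constructed user table: username -> (salt, PBKDF2 hash). Credential storage is not the
# poster's question, but a demo that compares plaintext passwords would teach the wrong thing.
def _make_user(password):
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": _make_user("correct horse")}

# Server-side session store: session id -> {"user": ..., "expires": ...}.
# The browser only ever holds the opaque id; nothing about "authenticated: yes" lives client side.
_sessions = {}


def login(username, password, now=None):
    """toto.asp: verify credentials and issue a fresh, random session id (None on failure)."""
    now = time.time() if now is None else now
    # Unknown users get an empty salt/hash so the failure path costs the same as a wrong password.
    salt, expected = USERS.get(username, (b"", b""))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, expected):
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable or enumerable
    _sessions[sid] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return sid


def current_user(request, now=None):
    """Resolve the request's session cookie against the server-side store; None if not logged in."""
    now = time.time() if now is None else now
    sid = request.get("cookies", {}).get("sid")
    entry = _sessions.get(sid) if sid else None
    if entry is None:
        return None
    if entry["expires"] < now:
        del _sessions[sid]  # idle too long: drop it so the id cannot be replayed later
        return None
    entry["expires"] = now + SESSION_TTL_SECONDS  # sliding idle timeout
    return entry["user"]


def protected_page(request, now=None):
    """What every tata_n.asp does first. Form fields such as a hidden 'authenticated=yes'
    are deliberately never consulted, and nothing is keyed on the client IP address."""
    user = current_user(request, now)
    if user is None:
        return {"status": 302, "location": "/toto.asp"}
    return {"status": 200, "body": f"hello {user}"}


def logout(request):
    """Invalidate the session server side; clearing the cookie alone would not be enough."""
    sid = request.get("cookies", {}).get("sid")
    return _sessions.pop(sid, None) is not None


if __name__ == "__main__":
    # Forged hidden field plus a made-up session id: rejected.
    print(protected_page({"form": {"authenticated": "yes"}, "cookies": {"sid": "forged"}}))
    sid = login("alice", "correct horse")
    print(protected_page({"cookies": {"sid": sid}}))  # 200 hello alice
    logout({"cookies": {"sid": sid}})
    print(protected_page({"cookies": {"sid": sid}}))  # 302 back to /toto.asp
```

Because the session is tied to the random cookie value and not to the source address, an AOL user whose IP changes mid-session stays logged in, which answers the poster's third concern. What makes the scheme hold up is that the id is long and random, that it is looked up on the server for every request, and that it expires and can be revoked; in a real deployment the cookie should also be sent only over HTTPS and marked HttpOnly so it cannot be read by page scripts.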

