Re: Is this adequate website security?

From: vag (vag@earthling.net)
Date: 10/06/02


From: vag <vag@earthling.net>
Date: Sun, 6 Oct 2002 11:16:36 +0000 (UTC)

On 4 Oct 2002 07:21:19 -0700, v218266@yahoo.com (Mike) wrote:

>Is this security model too easily compromised? The intention is just
>to be able to redirect visitors if they try to invoke an asp page
>without logging in first.

Seems a little overly complex, if anything.

>The expiration time can only be one of a limited set of values, so on
>the server it's feasible to create several versions of the encrypted
>string (one with each possible expiration time), and compare them with
>the cookie value to see if the encrypted string matches the provided
>user id and IP address, and that the session hasn't expired.

If the timeout is 20 mins (as you suggest later in your post) that
would make 72 MD5s (3 per hour *24) you would have to calculate every
time someone requested an ASP page. That'll make the server sweat if
the site gets busy :)

>What's wrong with this security model and how can it be made better?

Nothing wrong with the security really, but it might be simpler to
keep all the session info on the server:

1) User 'FRED' logs in successfully, an MD5 hash is generated
(possibly username, system time, secret value)

2) The username and MD5 hash are sent back to the client as cookies

3) A file is created in a directory (out of the web root) named
FRED.txt that contains:

The Session Creation/Last Accessed time
the MD5 hash value
the client's IP address

4) User requests ASP page (sends username and MD5 value cookies)

5) Server tries to load file FRED.txt (if it doesn't exist, session is
invalid)

6) Server compares MD5 value in file to value sent with request (if it
doesn't match session is invalid)

7) Server compares creation/last access time to current time (if this
exceeds timeout value, session is invalid)

8) Server updates last access time

Hope this is of some use to you,

Tony
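The server-side session store Tony sketches in steps 1-8, written out as an added Python example (not from the original thread, and not classic ASP). It keeps the per-user session file and the 20-minute idle timeout from the post, but swaps the MD5 of username/time/secret for a random token, compares it in constant time, and whitelists the username before it becomes a file name, since the file path is built from a cookie the client controls.

```python
import hmac, json, os, re, secrets, tempfile, time

SESSION_DIR = tempfile.mkdtemp()          # stands in for the directory outside the web root
TIMEOUT_SECS = 20 * 60                    # the 20-minute timeout discussed in the thread
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # the file name is derived from this value

def _path(username):
    # Refuse anything like "../" before the cookie value touches the filesystem.
    if not USERNAME_RE.match(username):
        raise ValueError("bad username")
    return os.path.join(SESSION_DIR, username.upper() + ".txt")   # e.g. FRED.txt

def login(username, client_ip, now=None):
    """Steps 1-3: mint a token, write the session file, return the cookie values."""
    now = time.time() if now is None else now
    token = secrets.token_hex(16)          # random token in place of MD5(username, time, secret)
    with open(_path(username), "w") as f:
        json.dump({"last_access": now, "token": token, "ip": client_ip}, f)
    return {"username": username, "token": token}

def validate(cookies, client_ip, now=None):
    """Steps 4-8: True (and last_access refreshed) if the session is valid, else False."""
    now = time.time() if now is None else now
    try:
        path = _path(cookies["username"])
        with open(path) as f:
            sess = json.load(f)
    except (KeyError, ValueError, OSError):
        return False                       # step 5: no (readable) file means no session
    if not hmac.compare_digest(sess["token"], cookies.get("token", "")):
        return False                       # step 6: constant-time compare of the token
    if sess["ip"] != client_ip:
        return False                       # the address recorded at login must match
    if now - sess["last_access"] > TIMEOUT_SECS:
        os.remove(path)                    # step 7: idle timeout exceeded, drop the session
        return False
    sess["last_access"] = now              # step 8: refresh last access time
    with open(path, "w") as f:
        json.dump(sess, f)
    return True
```

Timestamps are passed explicitly so the timeout behaviour can be exercised without waiting twenty minutes.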


