Re: At What Point Does the Security Begin?
- From: salty <salty@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Jun 2006 09:48:03 -0700
How does the hacker get that session id when the whole thing is sent through
SSL?
"Dominick Baier [DevelopMentor]" wrote:
Ok - and session ids are also transmitted via cookies - if I know the session
id of an authenticated user, I can become that authenticated user...
back to square 1 :)
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes, a session variable that my app creates.
Something like:
' bValidated holds the result of the username/password lookup
If bValidated Then
    Session("userID") = Request.Form("username")
Else
    Session("userID") = ""
End If
All secure forms examine this variable, and if empty redirect to the
login page:
If Session("userID") = "" Then Response.Redirect("login.asp")
-salty-
"Dominick Baier [DevelopMentor]" wrote:
What server variable? In session?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Thanks, Dominick.
Since this application is actually plain old ASP, not .NET (I still
haven't learned enough .NET to port the app, but it will be ported
as soon as I figure out the .NET equivalent of server-side includes
in the code section), I'm tracking it with a server variable, and
all pages behind the login are posted through SSL. Would this be
sufficient when I port this to .NET, too? When ported, I plan to use
forms-based auth, in which I understand .NET uses a cookie behind
the scenes without the need for user code.
My question came about because our web designers want to move the
login and password prompts to the home page, where they currently
reside on their own SSL-secured page. I've been arguing that this
isn't secure, but apparently I'm wrong.
"Dominick Baier [DevelopMentor]" wrote:
The post will be done over SSL in this case - which is OK.
But after the validation succeeded - how do you want to identify
that user as authenticated on subsequent requests? I guess you want
to issue something like a ticket (usually a cookie) - be aware that
when only your validate_login page is SSL secured, the cookie will
be transmitted back and forth using plain http and can be stolen.
That's of course not as bad as disclosed credentials - but still
this cookie could be used to log on to your application.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
If an ASP.NET page with the usual username and password fields is
not secure (it's called at http, not https) but posts to a page
through https that does the username/password lookups, is this
process secure? Or do both pages need to be going through https?
In other words:
http://mydomain/login.aspx
posts to https://mydomain/validate_login.aspx
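Added example (not from this thread, DevelopMentor or Microsoft): a small Python model of browser cookie scoping that shows Dominick's point. A ticket cookie issued by the https validate page is attached to every later http request too, unless it carries the Secure attribute (in ASP.NET forms auth that is what requireSSL="true" on the <forms> element produces). The .ASPXAUTH name is ASP.NET's default forms-auth cookie; the ticket value and the page URLs are constructed placeholders.

```python
# Added example, not the thread's code: simplified browser cookie scoping (expiry ignored).
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False

def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie (Domain/Path/Secure only)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "path" and val:
            cookie.path = val
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".")
    return cookie

def would_send(cookie: Cookie, url: str) -> bool:
    """True if a browser would attach this cookie to a request for url."""
    u = urlsplit(url)
    host = u.hostname or ""
    if host != cookie.domain and not host.endswith("." + cookie.domain):
        return False
    if not (u.path or "/").startswith(cookie.path):
        return False
    # The Secure attribute is what keeps the ticket off plain-http requests.
    return not (cookie.secure and u.scheme != "https")

# Constructed Set-Cookie values modelling the thread's scenario: the https
# validate_login page issues the forms-auth ticket.  WEAK is what you get with
# requireSSL off (ticket rides along on every http page), HARDENED with it on.
WEAK = ".ASPXAUTH=ticket-placeholder; path=/; HttpOnly"
HARDENED = ".ASPXAUTH=ticket-placeholder; path=/; Secure; HttpOnly"

def exposed_over_http(set_cookie: str) -> bool:
    """Does the ticket reach a plain-http page of the app in the clear?"""
    c = parse_set_cookie(set_cookie, "mydomain")
    return would_send(c, "http://mydomain/secure_page.aspx")
```

With the Secure attribute set, http pages never see the ticket, so the user looks anonymous there; the pages behind the login therefore have to be served over https as well, not just the validate page.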