Re: At What Point Does the Security Begin?



How does the hacker get that session id when the whole thing is sent through
SSL?

"Dominick Baier [DevelopMentor]" wrote:

Ok - and session ids are also transmitted via cookies - if I know the session
id of an authenticated user, I can become that authenticated user...

back to square 1 :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Yes, a session variable that my app creates.

Something like:

If bValidated Then
Session("userID") = Request.Form("username")
Else
Session("userID") = ""
End If

All secure forms examine this variable, and if empty redirect to the
login page:

If Session("userID") = "" Then Response.Redirect("login.asp")

-salty-

"Dominick Baier [DevelopMentor]" wrote:

what server variable? in session?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks, Dominick.

Since this application is actually plain old ASP, not .NET (I still
haven't learned enough .NET to port the app, but it will be ported
as soon as I figure out the .NET equivalent of server-side includes
in the code section), I'm tracking it with a server variable, and
all pages behind the login are posted through SSL. Would this be
sufficient when I port this to .NET, too? When ported, I plan to use
forms-based auth, in which I understand .NET uses a cookie behind
the scenes without the need for user code.

My question came about because our web designers want to move the
login and password prompts to the home page, where they currently
reside on their own SSL-secured page. I've been arguing that this
isn't secure, but apparently I'm wrong.

"Dominick Baier [DevelopMentor]" wrote:

the post will be done over SSL in this case - which is OK.

but after the validation succeeded - how do you want to identify
that user as authenticated on subsequent requests? I guess you want
to issue something like a ticket (usually a cookie) - be aware that
when only your validate_login page is SSL secured, the cookie will
be transmitted back and forth using plain http and can be stolen.

that's of course not as bad as disclosed credentials - but still
this cookie could be used to logon to your application.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
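
The session check from salty's post and Dominick's warning about the cookie travelling over plain http combine into one server-side include for every page behind the login; this is an added example and not code from any post in the thread. Session("userID") and login.asp are taken from the thread; the filename secure_only.asp and the choice to abandon a session whose cookie has just crossed plain http are assumptions.

```vbscript
<%
' secure_only.asp (hypothetical name): include at the top of every page
' that sits behind the login. Two conditions are enforced on each request:
'   1. the request arrived over SSL, otherwise the browser has just sent
'      the session cookie in the clear and the session is treated as exposed;
'   2. the session variable set by the login page is present.

Function IsSecureRequest()
    ' IIS sets the HTTPS server variable to "on" for requests that
    ' arrived over SSL and to "off" otherwise.
    IsSecureRequest = (LCase(Request.ServerVariables("HTTPS")) = "on")
End Function

Function IsLoggedIn()
    ' Session("userID") is assigned at login (see the thread); an unset
    ' session variable is Empty, which compares equal to "" in VBScript.
    IsLoggedIn = Not (Session("userID") = "")
End Function

Function LoginUrl()
    ' Always send the user to the login page over SSL, never relative to
    ' the current (possibly plain http) scheme.
    LoginUrl = "https://" & Request.ServerVariables("SERVER_NAME") & "/login.asp"
End Function

If Not IsSecureRequest() Then
    ' The session cookie was transmitted over plain http on this request,
    ' which is exactly the exposure described in the thread. Discard the
    ' server-side session so a stolen cookie no longer identifies anyone,
    ' then require a fresh login over SSL.
    Session.Abandon
    Response.Redirect LoginUrl()
ElseIf Not IsLoggedIn() Then
    Response.Redirect LoginUrl()
End If
%>
```

Because the browser decides when to send the cookie, the check must run on every protected page; a single secured login page does not prevent later plain-http requests from carrying the cookie.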

If an ASP.NET page with the usual username and password fields is
not secure (it's called at http, not https) but posts to a page
through https that does the username/password lookups, is this
process secure? Or do both pages need to be going through https?

In other words:

http://mydomain/login.aspx
posts to https://mydomain/validate_login.aspx
