Re: how to avoid not using first page?
From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 09/20/04
- In reply to: Fred: "how to avoid not using first page?"
- Next in thread: Fred: "Re: how to avoid not using first page?"
- Reply: Fred: "Re: how to avoid not using first page?"
Date: Mon, 20 Sep 2004 16:44:51 GMT
On Mon, 20 Sep 2004 17:09:58 +0200, "Fred" <fff@its.gb> wrote:
>Hi,
>
>We have an intranet application which begins with a start page, which checks
>the login of the user (the security in IIS is set to "Anonymous not
>allowed"). In function of that 'remote_user' variable, the user gets a
>specific menu (there are normal user menu and admin menu). Suppose a
>hacker-user guesses the path name (or he saw it in the browser path line) of
>the administration pages. So it's possible for him to type himself e.g.:
>http://ourserver/admin.asp and so to get access to that administration menu
>without passing by the start page and so not be redirected to the normal
>user menu.
>
>How can we prevent this? (There are hundred pages).
Many ways. Set a session variable on the start page for example,
check for it on the remaining pages and redirect to the start if it
isn't set.
Jeff
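
The following is an added example, not code from the original post. It sketches the session-variable check in Classic ASP and goes one step further by storing the user's role rather than a bare flag, so that a normal user who did pass the start page is still refused on admin pages. The file names `start.asp` and `guard.asp`, the `RequireRole` and `IsAdminUser` helpers, and the sample account name are assumptions made for illustration.

```asp
<%
' ---- start.asp (start page; hypothetical file name) ----
' IIS has already authenticated the user because anonymous access is disabled.
Dim user
user = LCase(Request.ServerVariables("REMOTE_USER"))

' Record who the session belongs to and which menu they are entitled to.
Session("User") = user
If IsAdminUser(user) Then
    Session("Role") = "admin"
Else
    Session("Role") = "user"
End If

' Hypothetical lookup: replace with the application's own source of truth
' (database table, group membership, ...). The account below is constructed.
Function IsAdminUser(name)
    IsAdminUser = (name = "ourdomain\alice")
End Function
%>

<%
' ---- guard.asp (include file; hypothetical file name) ----
Sub RequireRole(requiredRole)
    Dim role
    role = Session("Role")      ' Empty if the start page never ran or the session expired
    If IsEmpty(role) Then
        Response.Redirect "start.asp"
    End If
    ' The session must belong to the user IIS authenticated for this request.
    If Session("User") <> LCase(Request.ServerVariables("REMOTE_USER")) Then
        Session.Abandon
        Response.Redirect "start.asp"
    End If
    ' Passing the start page is not enough for admin pages: check the role too.
    If requiredRole = "admin" And role <> "admin" Then
        Response.Status = "403 Forbidden"
        Response.Write "Access denied."
        Response.End
    End If
End Sub
%>

<%
' ---- top of admin.asp and every other administration page ----
%>
<!-- #include file="guard.asp" -->
<% RequireRole "admin" %>
```

Normal pages would include the same file and call `RequireRole "user"`, so all of the pages share one check instead of each carrying its own copy.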