Re: Secure website (cookie/session)

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 06/03/05


Date: Fri, 03 Jun 2005 11:13:12 GMT

On 3 Jun 2005 02:17:45 -0700, "IkBenHet" <ikbenhet79@hotmail.com>
wrote:

>The default timeout value for session is 20 minutes. Because the
>session should stay alive during the complete time of the visit I was
>thinking of putting the session.timeout to 60 minutes. I set this at the
>beginning of every secure page: <%Session.timeout=60%>

You want to change this on the server.

>Basically I want to secure a website using ASP (because I am not able
>to change security settings on the webserver of my ISP).

>I am open for all suggestions, please help! In the future there are
>also money transactions going over this website, so it has to be
>secure! I will use HTTPS.

You may need a different host then. One that allows you the control
you're looking for. While it's hard for me to see that a secure
session must last more than 20 minutes, you can change the session
timeout on the server to handle this. Cookies make poor security
options since they are client side and can be spoofed.

One option is to secure only those areas that need security, such as
the transaction pages. You may also want to think about having
financial transactions handed off to a processing site.

Jeff
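
The contrast drawn in the reply above between client-side cookies and server-held session state, as an added example that is not part of the original thread: a Python sketch (not ASP) in which the cookie carries only a random session ID and the idle timeout is enforced on the server. The names `SessionStore` and `weak_authenticate` and the `sid`, `loggedin` and `user` cookie names are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; 20 minutes is the default named in the thread


class SessionStore:
    """Server-side sessions: the browser holds only a random ID."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable and meaningless on its own
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def authenticate(self, cookies):
        """Return the user for this request, or None if not authenticated."""
        entry = self._sessions.get(cookies.get("sid"))
        if entry is None:
            return None  # unknown or missing ID: nothing the client sent is trusted
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[cookies["sid"]]  # expired on the server
            return None
        entry["last_seen"] = now  # sliding window: activity keeps the visit alive
        return entry["user"]

    def logout(self, cookies):
        self._sessions.pop(cookies.get("sid"), None)


def weak_authenticate(cookies):
    """Anti-pattern: identity is read from values the client can set freely."""
    if cookies.get("loggedin") == "true":
        return cookies.get("user")
    return None
```

Because the timeout is a sliding idle window, a visit lasts as long as the user stays active, and only inactivity longer than the window ends it.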


