Hi List,
I am wondering what was the most secure way to allow users to access pages
after authentication, i.e.: user authenticates in toto.asp, and after that,
access is granted to tata_1.asp, tata_2.asp, ..., tata_n.asp. The trouble is
obviously to ask the user once for his login / password (just in tot.asp), and
to allow him to get to the other pages without asking each time his credentials.
Googling around, I saw a couple of ways to meet my needs, but all seem to be
weak:
- I can set a hidden field where I can say "yes, he is authenticated" or "no,
he is not", but anyone a little bit skilled can create a fake request having
this set up by hand (with a proxy ! ),
- I can check a session number or smth like that on each page...but this does
not seem very reliable,
- I can check IP adress...but when you use AOL for instance, IP adresses can
change !
So none of the ways I found seem to be the best...
Cheers list, for any reply / clue !
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
