Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ASP authentication

from [pfeito] Network Security [Permanent Link]
Subject: RE: ASP authentication
Date: Sat, 28 Aug 2004 18:17:38 +0100 
You could hash or encrypt the UserID and store it in a session variable.
This adds an extra layer of security. Its not bullet proof but its more safe
and it adds little cpu overhead.

Hash would be better than symmetrical encryption, but then you'll need the
passwords hashed in the database also.

-pfeito



-----Original Message-----
From: Zuech, Richard [mailto:RichardZuech@miamibeachfl.gov]
Sent: sexta-feira, 27 de Agosto de 2004 22:41
To: Bénoni MARTIN; webappsec@lists.securityfocus.com
Subject: RE: ASP authentication

Setting a Session Variable is the best way IMHO.

If it's just on one server the easiest way is to use a session variable
that resides in memory.

If the application is spread across multiple servers, use a session
variable that gets stored in a Database (rather than RAM) so that the
session variable is not lost (in another server's memory) on subsequent
web requests via Posts/Gets.

I hope that helps,

Rich

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
Sent: Thursday, August 26, 2004 1:50 PM
To: webappsec@lists.securityfocus.com
Subject: ASP authentication

Hi List,

I am wondering what was the most secure way to allow users to access pages
after authentication, i.e.: user authenticates in toto.asp, and after
that, access is granted to tata_1.asp, tata_2.asp, ..., tata_n.asp. The
trouble is obviously to ask the user once for his login / password (just
in tot.asp), and to allow him to get to the other pages without asking
each time his credentials.

Googling around, I saw a couple of ways to meet my needs, but all seem to
be weak:
- I can set a hidden field where I can say "yes, he is authenticated" or
"no, he is not", but anyone a little bit skilled can create a fake request
having this set up by hand (with a proxy ! ),
- I can check a session number or smth like that on each page...but this
does not seem very reliable,
- I can check IP adress...but when you use AOL for instance, IP adresses
can change !

So none of the ways I found seem to be the best...

Cheers list, for any reply / clue !
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  enumerate a directory structure on web server, Serg Belokamen
Next by Date:  RE: Web Scams, Jerry Dixon
Previous by Thread:  RE: ASP authentication, focus
Next by Thread:  RE: ASP authentication, focus
Indexes:  [Date] [Thread] [Top] [All Lists]