Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ASP authentication

from [Sarbjit Singh Gill] Network Security [Permanent Link]
Subject: RE: ASP authentication
Date: Mon, 30 Aug 2004 00:19:13 +0800 
 Upgrade to ASP.Net and use ASP.Net authentication/authorization.

You could use:
FORM based authentication  and URL based authorisation.
IIS based authentication and ACL based authorization.

/Gill



With regards to 


-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
Sent: Thursday, August 26, 2004 1:50 PM
To: webappsec@lists.securityfocus.com
Subject: ASP authentication

Hi List,

I am wondering what was the most secure way to allow users to access 
pages after authentication, i.e.: user authenticates in toto.asp, and 
after that, access is granted to tata_1.asp, tata_2.asp, ..., 
tata_n.asp. The trouble is obviously to ask the user once for his 
login / password (just in tot.asp), and to allow him to get to the 
other pages without asking each time his credentials.

Googling around, I saw a couple of ways to meet my needs, but all seem 
to be weak:
- I can set a hidden field where I can say "yes, he is authenticated" 
or "no, he is not", but anyone a little bit skilled can create a fake 
request having this set up by hand (with a proxy ! ),
- I can check a session number or smth like that on each page...but 
this does not seem very reliable,
- I can check IP adress...but when you use AOL for instance, IP 
adresses can change !

So none of the ways I found seem to be the best...

Cheers list, for any reply / clue !
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ASP authentication, focus
Next by Date:  RE: key storage, Ajay
Previous by Thread:  Re: ASP authentication, Ido Mordechai Rosen
Next by Thread:  FW: ASP authentication, Rishi Pande
Indexes:  [Date] [Thread] [Top] [All Lists]