Network Security Web-App-Sec

Re: ASP authentication

Subject: Re: ASP authentication
Date: Tue, 31 Aug 2004 08:56:38 +0200

Though I despise ASP (I prefer Python or PHP or even Perl), here are a few
ASP-relevant sources of information on single sign-on using sessions.

This one is a tutorial intended to teach ASP, but it covers an "extended
member's area" which uses some single sign-on techniques.
http://www.theukwebdesigncompany.com/article.php?id=392

Ido, and list,

Reading the link you provided made me clearly understand one of the reasons
you might 'despise' ASP.

As an ASP developer myself, I must react to the link you just provided in
order to help Benoni with some authentication scheme examples.

If you read the article, you will see the author has implemented at least two
major critical flaws in his authentication scheme:

    - user credentials (login and password) are directly hard-coded into the
    source scripts.
    - the authentication logic flow is based upon a cookie value, a sensitive
    data repository highly vulnerable to spoofing (pretending you're someone
    or something you aren't) and sniffing (listening to a communication from a
    point between the 'speaker' and the 'listener') techniques.

Any professional with a minimal culture of authentication and secure web
development knows such an example should never be implemented in a real-world
application because of its almost nonexistent security level.

Although your answer telling what sessions are made of and how they work was
a really good reading, the examples you provided shouldn't even be linked
somewhere on the net. Sorry for the author if he reads this...

Did you at least read the link you provided?

A link like the one below should be far better for a beginner in ASP
authentication. Good basics are given:

    - use of includes
    - use of session based authentication
    - use of database stored credentials

...which is far closer to what commercial web applications provide today.

A simple ASP authentication system
http://www.kamath.com/tutorials/tut003_auth.asp


Best regards,

.antoine
--
Blog Dev et Sécu Web (Swiss blog about Web Security and Development)
http://www.nxtg.net/is/
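As an added illustration of the two flaws antoine lists (authentication decided by a client-written cookie, credentials hard-coded in the scripts) next to the session-based, database-backed approach he recommends, here is example code written for this page in Python; it is not from either linked tutorial. `USER_DB`, `SESSIONS`, the request shape and the user "alice" are constructed stand-ins for a real credential store, server-side session store and web framework.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored record is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential "database": {username: (salt, pbkdf2_hash)}.
# Credentials live here, not in the page scripts as in the flawed tutorial.
_SALT = os.urandom(16)
USER_DB = {"alice": (_SALT, _hash("correct horse", _SALT))}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def is_authenticated_cookie_scheme(req: Request) -> bool:
    """Flawed scheme: trusts a cookie the client can write itself."""
    return req.cookies.get("loggedin") == "yes" and "user" in req.cookies


# Server-side session store: {opaque session id: username}.
SESSIONS: Dict[str, str] = {}


def login(req: Request) -> Optional[str]:
    """Verify form credentials against USER_DB; on success mint a session id."""
    record = USER_DB.get(req.form.get("username", ""))
    if record is None:
        return None
    salt, stored = record
    if not secrets.compare_digest(stored, _hash(req.form.get("password", ""), salt)):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable; the cookie carries only this
    SESSIONS[sid] = req.form["username"]
    return sid


def current_user_session_scheme(req: Request) -> Optional[str]:
    """Identity comes from the server-side store, never from cookie contents."""
    return SESSIONS.get(req.cookies.get("sid", ""))
```

In the first scheme any client can set `loggedin=yes` and be accepted; in the second, a cookie carrying an id the server never issued resolves to no user, and only a successful database check creates a session.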
