I am searching for the best way to password protect a web site that I am currently working on. The problem is, each solution I have found has a backfire: either it sometimes doesn't work, or it is easy to hack...
Here are my current solutions:
Hidden text fields: easy to hack
Session variables: tough to track
HTTP_REFERER/IP address: sometimes doesn't work, can be faked

I would be happy to get your ideas and feelings about this..

Rokea

Hi,

I have a pretty big web site myself with an entire section dedicated to registered users. The login information for these users is stored in a central database. When someone logs in, the server stores the password and the userID in a cookie on the HD of the user. Now, this is somewhat easy to hack (although you only have your own password in a text file), so I have used a Vernam/RC4 encryption to encrypt the password in the cookie. When someone tries to perform an action which requires someone to be registered, the server gets the userID from the cookie, looks up the password in the database, gets the encrypted password from the cookie, decrypts it and compares it with the password from the database.

Now, this may seem a bit technical, but it's quite easy to make. The Vernam encryption can be found here at 4Guys, and the RC4 encryption can also be found on this site. I have made a configuration file where I can change what type of encryption is used.

Ok, thanks a lot for your reply, I'll give this a try!

Rokea

I just wanted to know a few things..

Since the code is so easy to find, and we have both the encrypt/decrypt code.. it's easy for a hacker to use the same decrypt/encrypt functions as we used to decrypt our

And there is something else that concerns me:
Since you use cookies written on the client machine, once it is written, if, let's say, someone takes control (either by sitting in front of my computer in my absence or by getting access to my HD one way or another), he will automatically get access to the restricted area, because of the cookies?

Same goes for internet cafés..

Tell me if I'm wrong about all that please.. but these few things are scaring me a bit.. since the info on my site is rather "precious"..

Rokea

How precious is your data to you and your users?
Is it valuable enough that they will accept restrictions?

If you control the whole environment (IE), you can use WinNT Challenge-Response (NTLM) to validate users against valid NT user accounts and ACLs.

General:
If you use cookies, make sure they expire when the browser closes.
Whatever else you do, use SSL as well.

Most web security seems to be about making it as hard as possible to access privileged content.

Don't be afraid about hackers having the source code of your encryption algorithms. It's the key they need to give you a headache :) As long as you place the key in a text file or in a database somewhere, you shouldn't be afraid. Make sure to place the key far away from the site's root or in a well-secured database (with password).

As for the cookies: there's no way to truly secure everything. Everything can be hacked or abused. One option is to expire the cookies very fast so that the cookie is removed automatically, but make sure to test this with several browsers. Another option is to give the user the possibility to log out (and make a function to destroy the cookie (overwrite it with an empty string and set the expiration date to 'now - 1000')).
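The cookie login described in the second post, together with the expiry and logout advice in the last two replies, as an added example that is not code from any poster on this thread: the cookie carries only the userID and an expiry time, authenticated with an HMAC under a server-side key (kept outside the web root, as the last reply advises), so the user's password never travels in the cookie and editing the userID is detected. Names, the key value and the cookie layout are assumptions of this example.

```python
# Added example (not the forum posters' code): an HMAC-protected login cookie.
import hmac
import hashlib
import time

# Assumed: loaded from a file or database outside the site's root (constructed demo value).
SERVER_KEY = b"constructed-demo-key-keep-this-out-of-the-web-root"

def make_login_cookie(user_id, ttl_seconds, now=None, key=SERVER_KEY):
    """Return 'userid.expiry.mac' with mac = HMAC-SHA256(key, 'userid.expiry')."""
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    payload = f"{user_id}.{exp}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def check_login_cookie(cookie, now=None, key=SERVER_KEY):
    """Return the userID if the cookie is intact and unexpired, else None."""
    try:
        user_id, exp_text, mac = cookie.split(".")
        exp = int(exp_text)
    except ValueError:
        return None                      # malformed cookie
    expected = hmac.new(key, f"{user_id}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # tampered: userID or expiry was edited
    if (now if now is not None else time.time()) >= exp:
        return None                      # expired: limits the window on an unattended PC
    return user_id

def login_cookie_header(cookie):
    """Set-Cookie line with no Expires attribute, so the browser drops it on close."""
    return f"Set-Cookie: login={cookie}; Path=/; HttpOnly; Secure"

def logout_cookie_header():
    """Set-Cookie line that overwrites the cookie with an empty value and a past expiry."""
    return "Set-Cookie: login=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    c = make_login_cookie("42", ttl_seconds=600)
    print(login_cookie_header(c))
    print("valid user:", check_login_cookie(c))
    print("tampered user:", check_login_cookie("43" + c[2:]))
    print(logout_cookie_header())
```

The Secure attribute only takes effect over SSL, which the earlier reply already recommends.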

