QueryString Security Problem.....(help me!!)


  1. #1
    Josh Hames Guest

    QueryString Security Problem.....(help me!!)

    OK, here's the problem. I have child pages communicating with each other w/ QueryStrings in my framed ASP application. The strings are encrypted and this application requires the user to log in first. I need to validate the user and check their ID before allowing them to do anything. If they look in their history, the pages they've looked at in my app are of course there. They won't be able to understand it because the querystrings are encrypted. However, the problem is, what's to stop some random person from just walking in, opening the history, and clicking a link to send a URL to the application that contains one of the valid encrypted querystrings? Essentially, they are logging in w/o even knowing any of the username or password data. This is a major security breach that I'm stumped on and I don't want to use session variables. How do I prevent this?? Help me!!!

  2. #2
    Join Date
    Dec 1969

    RE: QueryString Security Problem.....(help me!!)

    Unless you use cookies or session variables, you can't really fix this problem the way you sound like you want it to be fixed. However, you could send the password and username along with POST instead of the querystring. You see, if the page doesn't have the posted data, then it just displays the login page, and the individual documents displayed in their respective locations all get the data via querystring, just in case someone tries to make his own frameset document. Try this:

        <%
        /*
        Check to see what the values of Request.Form("username") and Request.Form("password") are, and if they are valid, then do this:
        */
        if (valid){
        %>Do the frameset.<%
        } else {
        %>Do the login page. i.e. <form action=thispage.asp method=post> <input type=text name=username> etc.
        <%
        }
        %>

    If you need help understanding that, or if you need any help to do anything else I mentioned, just ask. :)
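
The replay raised in the question, and the session-bound check that the reply's point about cookies or session variables leads to, as an added example that is not part of either post. It is written in JavaScript for Node.js rather than classic ASP; the function names, the key, the page name and the sample values are all assumptions constructed for illustration.

```javascript
// Added example: every name and value below is constructed, not from the thread.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SERVER_KEY = 'constructed-demo-key'; // assumption: a secret held only by the server

// MAC over the (already encrypted) querystring, the session id and an expiry time.
function mac(encryptedQs, sessionId, expires) {
  return createHmac('sha256', SERVER_KEY)
    .update(JSON.stringify([encryptedQs, sessionId, expires]))
    .digest('hex');
}

// Build the link that one frame hands to a child page.
function makeLink(page, encryptedQs, sessionId, nowMs, ttlMs) {
  const expires = nowMs + ttlMs;
  const sig = mac(encryptedQs, sessionId, expires);
  return `${page}?q=${encodeURIComponent(encryptedQs)}&exp=${expires}&sig=${sig}`;
}

// Decide what to serve. sessionId must come from the cookie or session state
// of the current browser session, never from the URL itself.
function checkRequest(url, sessionId, nowMs) {
  const params = new URLSearchParams(url.split('?')[1] || '');
  const q = params.get('q');
  const exp = Number(params.get('exp'));
  const sig = params.get('sig') || '';
  if (!sessionId || !q || !Number.isFinite(exp)) return 'login';

  // A URL copied from the history carries a MAC bound to the old session id,
  // so it fails here when presented without that session.
  const expected = Buffer.from(mac(q, sessionId, exp), 'hex');
  const given = Buffer.from(sig, 'hex');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 'login';
  }
  if (nowMs > exp) return 'login'; // stale link, even inside the same session
  return 'ok';
}
```

Encrypting the querystring hides its contents but does not stop it being replayed; the check above rejects a replay only because part of the MAC input lives outside the URL.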
