Simple authentication "Will this work?"


  1. #1
    Kim Andersen (Guest)

    Simple authentication "Will this work?"

    I am converting some databases to ASP pages, and want to implement security. After reading several articles I have come to the conclusion that I don't want to use sessions or cookies, because they are not secure enough.

    In all my Access databases I run a function on each form that checks the database to see if they are allowed in.

    I would like to convert this to ASP in this way:
    After they have successfully logged in, a hidden text field on each page is set equal to their access level. When a new page is being loaded I use Request.Form to see if their user level is good enough, and set the new page's hidden field equal to their access level.

    I am not very experienced in web security matters and would like to know:

    a. Will this work?
    b. How secure is it?
    c. Any other thoughts

    Kim Helmer Andersen

  2. #2

    RE: Simple authentication

    I would think that this is not very secure at all, as anybody can view the source of a page and look at the value of the hidden field. What they could do with this info, you will know, but I would not think it is very can set cookies to being secure by setting the SECURE setting on them... I have not used it myself though. Also, if you don't set an expiration date for a cookie, it is stored in memory and not on the user's hard drive and will expire when the browser session ends.

    Hope this helps.

  3. #3

    RE: Simple authentication

    a. Will this work?
    It will work. You will be able to validate the user's access level based on the hidden form field.

    b. How secure is it?
    Not in the slightest bit secure. If you only validate each form based on the hidden field, anyone could read the value and pass it.

    c. Any other thoughts
    The best security you can get is with NT challenge. This is set up in the NT admin tool. It overrides IIS. But if you are using an ISP, you probably won't have access to this.

    I'd recommend a simple cookie that contains:
    a unique id
    e.g. session.sessionid + cint(now())

    The unique id could reference a database table that temporarily stores login state.
    i.e. when a user logs in, create a new record in your login table that inserts the unique id, date/time, expiration, etc.
    Then write the unique id to a cookie.
    When a user hits your ASP page again, read the cookie, grab the id, look for it in your database, and either grant access or make them log in again.

    This does have a performance impact because Access is so slow.
    But it's safer.

    Also have a think about encrypting the cookie value, and when you want it to expire.

    When done properly, maintaining session state with cookies can be a viable solution for low-level security issues.

    Good luck
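The login-table scheme from the reply above (create a record at login, write only the id to a cookie, look the id up on every request, expire it), as an added example in Python with sqlite3 rather than classic ASP and Access; it is not code from the thread. It swaps the suggested session.sessionid + cint(now()) id for secrets.token_urlsafe, since a guessable id would undo the lookup, and includes the hidden-field check from the original question for contrast; the table layout, lifetime and function names are assumptions.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(minutes=20)  # assumed lifetime of a login record


def open_store():
    # Assumed login_state table: the id is the only value that leaves the server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_state (id TEXT PRIMARY KEY, username TEXT, "
               "access_level INTEGER, created TEXT, expires TEXT)")
    return db


def hidden_field_allowed(posted_level, required_level):
    # The scheme from the original question: the access level arrives in a
    # hidden form field, so whoever submits the form chooses the value.
    return int(posted_level) >= required_level


def create_login(db, username, access_level, now=None):
    # Called after the password check succeeds. The access level stays in the
    # table; only the random id is written to the cookie.
    now = now or datetime.now(timezone.utc)
    session_id = secrets.token_urlsafe(32)  # unguessable, unlike sessionid + now()
    db.execute("INSERT INTO login_state VALUES (?, ?, ?, ?, ?)",
               (session_id, username, access_level,
                now.isoformat(), (now + SESSION_TTL).isoformat()))
    return session_id


def lookup(db, cookie_value, now=None):
    # Read the id from the cookie and find it in the table; unknown or expired
    # ids return None, which the page turns into "log in again".
    now = now or datetime.now(timezone.utc)
    row = db.execute("SELECT username, access_level, expires FROM login_state "
                     "WHERE id = ?", (cookie_value,)).fetchone()
    if row is None:
        return None
    username, access_level, expires = row
    if datetime.fromisoformat(expires) <= now:
        db.execute("DELETE FROM login_state WHERE id = ?", (cookie_value,))
        return None
    return {"username": username, "access_level": access_level}


def page_allowed(db, cookie_value, required_level, now=None):
    # The per-page check: the level comes from the server-side record.
    state = lookup(db, cookie_value, now)
    return state is not None and state["access_level"] >= required_level
```

The cookie itself should still be marked Secure and HttpOnly as the second reply suggests; the table lookup only replaces the hidden field as the source of the access level.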
