
Using Session Variables in a Secure/Correct Way.

  • pkunal
    Message 1 of 2, Jun 9, 2003
      All,

      My question is in purely ASP sense.

      My apache-asp based web site can support session variables. I
      followed the instruction from "www.apache-asp.org".

      This is what I am doing:

      1. At the "login.asp" page the user enters his "Login Name"
      and "Password". Hits "Submit"

      2. It takes the user to "login_thanks.asp" where his input data is
      checked in the database. If the login name and password match the
      entry in the database, I set up 2 Session variables:

      $Session->{Login}
      $Session->{Password}

      Then on other asp pages I can just verify that these 2 session
      variables exist for the user in order for him to stay logged in
      successfully.

      This all works but somehow I feel this is an insecure way of
      verifying as the user moves from one asp page to the other. It makes
      the site more vulnerable to hackers. What if someone just creates a
      web page himself and alters these session variables. Because on all
      the following pages I will just check if these Session variables
      exist and not actually do a query in the database for its
      authenticity.

      Please suggest a practical way to get this done. Examples will be
      appreciated.
      Please reply to pkunal@...

      Thanks,
      Kunal Parekh.


      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
    • Josh Chamas
      Message 2 of 2, Jun 9, 2003
        pkunal wrote:
        > All,
        >
        > My question is in purely ASP sense.
        >
        > My apache-asp based web site can support session variables. I
        > followed the instruction from "www.apache-asp.org".
        >
        > This is what I am doing:
        >
        > 1. At the "login.asp" page the user enters his "Login Name"
        > and "Password". Hits "Submit"
        >
        > 2. It takes the user to "login_thanks.asp" where his input data is
        > checked in the database. If the login name and password match the
        > entry in the database, I set up 2 Session variables:
        >
        > $Session->{Login}
        > $Session->{Password}
        >
        > Then on other asp pages I can just verify that these 2 session
        > variables exist for the user in order for him to stay logged in
        > successfully.
        >

        You could even just set $Session->{Login} without the password
        for this implementation to be correct. You have already authenticated
        the password, so all you need is the Login name.

        > This all works but somehow I feel this is an insecure way of
        > verifying as the user moves from one asp page to the other. It makes
        > the site more vulnerable to hackers. What if someone just creates a
        > web page himself and alters these session variables. Because on all
        > the following pages I will just check if these Session variables
        > exist and not actually do a query in the database for its
        > authenticity.

        Be sure to set SecureSession and consider setting ParanoidSession,
        and read about these here:

        http://www.apache-asp.org/config.html#SecureSessio77114c01

        You just need to make sure you are sending the session id cookie only
        over https:// protocol so the communication is encrypted, otherwise
        any hacker could packet sniff the session ids of another user, and
        walk right into their account.

        Don't worry though about a hacker creating a web page when it comes
        to sessions. If a hacker has that level of control of your system,
        then session id security is a trivial point, as that hacker likely
        has access to vital things like your database & operating system.
        Also note that the only way a hacker could affect the $Session
        data directly is by having write access to StateDir on your operating
        system, so make sure that others do not have access to this data,
        only trusted users & processes.

        Regards,

        Josh
        ________________________________________________________________
        Josh Chamas, Founder phone:925-552-0128
        Chamas Enterprises Inc. http://www.chamas.com
        NodeWorks Link Checking http://www.nodeworks.com


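As an added example (not code from this thread, from Kunal's site, or from the Apache::ASP project), the following shows how the login flow in the question and the advice in this reply fit together in Apache::ASP: the password is verified once in login_thanks.asp, only $Session->{Login} is stored, every other page is gated centrally in global.asa's Script_OnStart rather than by a check copied into each page, and the session cookie is restricted to https with SecureSession and ParanoidSession. The httpd.conf paths, the list of public pages, the constructed user table with its salted-hash check, and the use of $Request->ServerVariables('SCRIPT_NAME') to learn the current page path are all assumptions made for this example.

```perl
## httpd.conf fragment (assumed layout for a site rooted at /var/www/asp)
# <Files ~ (\.asp)>
#   SetHandler  perl-script
#   PerlHandler Apache::ASP
#   PerlSetVar  Global          /var/www/asp
#   PerlSetVar  StateDir        /var/www/asp/.state  # only the httpd user may read/write this
#   PerlSetVar  SecureSession   1   # session cookie is only sent over https
#   PerlSetVar  ParanoidSession 1   # session is also tied to the client's User-Agent
# </Files>

## global.asa: Script_OnStart runs before every .asp page is executed
use strict;
use vars qw($Session $Request $Response);

# Pages reachable without a login (assumed paths for this example)
my %PUBLIC = map { $_ => 1 } qw(/login.asp /login_thanks.asp);

sub Script_OnStart {
    # Assumption: the script path is available through the SCRIPT_NAME variable
    my $path = $Request->ServerVariables('SCRIPT_NAME') || '';
    return if $PUBLIC{$path};

    # Only the login name lives in the session; the password was checked once at login
    unless (defined $Session->{Login} && length $Session->{Login}) {
        # Redirect sends the user to the login page and ends the current script
        $Response->Redirect('/login.asp');
    }
}

## logout.asp: drop the server-side session state entirely
# <% $Session->Abandon; $Response->Redirect('/login.asp'); %>

## login_thanks.asp: verify the credentials once, then record only the login name
<%
    use Digest::SHA qw(sha256_hex);

    # Constructed stand-in for the database row: login name => salt and salted hash
    my %USERS = (
        kunal => { salt => 'x9Q2', hash => sha256_hex('x9Q2' . 'correct horse') },
    );

    my $login = $Request->Form('login')    || '';
    my $pass  = $Request->Form('password') || '';
    my $row   = $USERS{$login};

    if ($row && sha256_hex($row->{salt} . $pass) eq $row->{hash}) {
        $Session->{Login} = $login;          # the only value later pages check
        $Response->Redirect('/home.asp');
    } else {
        $Response->Redirect('/login.asp?failed=1');
    }
%>
```

Putting the check in Script_OnStart means a new page cannot be forgotten, and storing nothing but the login name means a compromise of StateDir exposes no reusable password.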