Using Session Variables in a Secure/Correct Way.

[pkunal <pk...@yahoo.com>]

All,

My question is in purely ASP sense. 

My apache-asp based web site can support session variables. I 
followed the instruction from "www.apache-asp.org".

This is what I am doing:

1. At the "login.asp" page the user enters his "Login Name" 
and "Password". Hits "Submit"

2. It takes the user to "login_thanks.asp" where his input data is 
checked in the database. If the login name and password matches the 
entry in the database. I setup 2 Session variables:

$Session->{Login}
$Session->{Password}

Then on other asp pages I can just verify if the user's these 2 
session variables exist inorder for him to stay logged in 
successfully.

This all works but somehow I feel this is an insecure way of 
verifying as the user moves from one asp page to the other. It makes 
the site more vulnerable to hackers. What if someone just creates a 
web page himself and alters these session variables. Cause on all 
the following pages I will just check if these Session variables 
exist and not actually do a query in the database for its 
authenticity.

Please suggest a practical way to get this done. Examples will be 
appreciated.
Please reply to pkunal@yahoo.com

Thanks,
Kunal Parekh.


---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org

Re: Using Session Variables in a Secure/Correct Way.

[Josh Chamas <jo...@chamas.com>]

pkunal wrote:
> All,
> 
> My question is in purely ASP sense. 
> 
> My apache-asp based web site can support session variables. I 
> followed the instruction from "www.apache-asp.org".
> 
> This is what I am doing:
> 
> 1. At the "login.asp" page the user enters his "Login Name" 
> and "Password". Hits "Submit"
> 
> 2. It takes the user to "login_thanks.asp" where his input data is 
> checked in the database. If the login name and password matches the 
> entry in the database. I setup 2 Session variables:
> 
> $Session->{Login}
> $Session->{Password}
> 
> Then on other asp pages I can just verify if the user's these 2 
> session variables exist inorder for him to stay logged in 
> successfully.
> 

You could even just set $Session->{Login} without the password
for this implementation to be correct.  You have already authenticated
the password, so all you need is the Login name.

> This all works but somehow I feel this is an insecure way of 
> verifying as the user moves from one asp page to the other. It makes 
> the site more vulnerable to hackers. What if someone just creates a 
> web page himself and alters these session variables. Cause on all 
> the following pages I will just check if these Session variables 
> exist and not actually do a query in the database for its 
> authenticity.

Be sure to set SecureSession and consider setting ParanoidSession,
and read about these here:

   http://www.apache-asp.org/config.html#SecureSessio77114c01

You just need to make sure you are sending the session id cookie only
over https:// protocol so the communication is encrypted, otherwise
any hacker could packet sniff the session ids of another user, and
walk right into their account.

Don't worry though about a hacker creating a web page when it comes
to sessions.  If a hacker has that level of control of your system,
then session id security is a trivial point, as that hacker likely
has access to vital things like your database & operating system.
Also note that the only way a hacker could affect the $Session
data directly is by having write access to StateDir on your operating
system, so make sure that others do not have access to this data,
only trusted users & processes.

Regards,

Josh
________________________________________________________________
Josh Chamas, Founder                   phone:925-552-0128
Chamas Enterprises Inc.                http://www.chamas.com
NodeWorks Link Checking                http://www.nodeworks.com


---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org