You are viewing a plain text version of this content. The canonical link for it is here.
Posted to asp@perl.apache.org by pkunal <pk...@yahoo.com> on 2003/06/10 01:19:40 UTC
Using Session Variables in a Secure/Correct Way.
All,
My question is in purely ASP sense.
My apache-asp based web site can support session variables. I
followed the instruction from "www.apache-asp.org".
This is what I am doing:
1. At the "login.asp" page the user enters his "Login Name"
and "Password". Hits "Submit"
2. It takes the user to "login_thanks.asp" where his input data is
checked in the database. If the login name and password matches the
entry in the database. I setup 2 Session variables:
$Session->{Login}
$Session->{Password}
Then on other asp pages I can just verify if the user's these 2
session variables exist inorder for him to stay logged in
successfully.
This all works but somehow I feel this is an insecure way of
verifying as the user moves from one asp page to the other. It makes
the site more vulnerable to hackers. What if someone just creates a
web page himself and alters these session variables. Cause on all
the following pages I will just check if these Session variables
exist and not actually do a query in the database for its
authenticity.
Please suggest a practical way to get this done. Examples will be
appreciated.
Please reply to pkunal@yahoo.com
Thanks,
Kunal Parekh.
---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org
Re: Using Session Variables in a Secure/Correct Way.
Posted by Josh Chamas <jo...@chamas.com>.
pkunal wrote:
> All,
>
> My question is in purely ASP sense.
>
> My apache-asp based web site can support session variables. I
> followed the instruction from "www.apache-asp.org".
>
> This is what I am doing:
>
> 1. At the "login.asp" page the user enters his "Login Name"
> and "Password". Hits "Submit"
>
> 2. It takes the user to "login_thanks.asp" where his input data is
> checked in the database. If the login name and password matches the
> entry in the database. I setup 2 Session variables:
>
> $Session->{Login}
> $Session->{Password}
>
> Then on other asp pages I can just verify if the user's these 2
> session variables exist inorder for him to stay logged in
> successfully.
>
You could even just set $Session->{Login} without the password
for this implementation to be correct. You have already authenticated
the password, so all you need is the Login name.
> This all works but somehow I feel this is an insecure way of
> verifying as the user moves from one asp page to the other. It makes
> the site more vulnerable to hackers. What if someone just creates a
> web page himself and alters these session variables. Cause on all
> the following pages I will just check if these Session variables
> exist and not actually do a query in the database for its
> authenticity.
Be sure to set SecureSession and consider setting ParanoidSession,
and read about these here:
http://www.apache-asp.org/config.html#SecureSessio77114c01
You just need to make sure you are sending the session id cookie only
over https:// protocol so the communication is encrypted, otherwise
any hacker could packet sniff the session ids of another user, and
walk right into their account.
Don't worry though about a hacker creating a web page when it comes
to sessions. If a hacker has that level of control of your system,
then session id security is a trivial point, as that hacker likely
has access to vital things like your database & operating system.
Also note that the only way a hacker could affect the $Session
data directly is by having write access to StateDir on your operating
system, so make sure that others do not have access to this data,
only trusted users & processes.
Regards,
Josh
________________________________________________________________
Josh Chamas, Founder phone:925-552-0128
Chamas Enterprises Inc. http://www.chamas.com
NodeWorks Link Checking http://www.nodeworks.com
---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org