Login using form posts - how secure.

Status
Not open for further replies.

columbo2

Technical User
Jul 14, 2006
97
GB
Hi All,

I am working on a login for a website admin system, it's nothing mission critical or anything but I want to do it well.

At the moment the user logs in and I post the username and password to the next page where it is checked against database values.

Just now I've realised that I think a user could get the successfully logged-in page from the browser history; once they have it, they could use the Firefox web developer plugin (or something similar) to view the hidden form values and then use them to log in.

I've been trying to think of a better way, and I was wondering if it would be that you log in and your username and password are passed to a script-only page that sets a temporary cookie; the presence of this cookie is then tested for on each protected page.
I think a session cookie would be best as this times out after a period of inactivity.

Does anyone know of a good way to do this? I just need pointing in the right direction. Cheers, C
 
I'm not sure I understand the question, but you might consider using Server.Transfer to move operation from one ASP to another without any additional interaction with the browser.
 
Just an idea, but you could use a flag in the DB to tell whether the person is logged in or not. Keep track of how many users are logged in with that same username/password.

Or, once the user is authenticated, set a hidden page/session value that you use to see if the user is logged in or not.
 
Cookies or Session variables would probably be the fastest and easiest way to pass a flag or the user's name so that you know they logged in. Session variables are stored on the server and are keyed against the user's Session ID (which is passed to them the first time they touch your site, in a cookie). Cookies are stored on the client system.
I would suggest not passing around the username and password for your user once they have logged in. Besides the issue you bring up, this will also open you up to someone on their side running a packet sniffer and seeing the plain-text username and password. Granted, they could do this on the very first login, but by not passing it around subsequent to login you will minimize the chances that it will be picked up in any fashion.

 
Yarp, as Tarwn said, use sessions, and have a security include file check for the validity of the session; if invalid, boot to the logon screen.
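The security include file described above, written out as an added classic ASP example (not code from the thread or any poster). It assumes the logon form is login.asp and that the login script sets Session("UserID") and Session("LastSeen") after checking the credentials against the database; those names are assumptions.

```asp
<%
' security.asp : included at the top of every protected page with
'   <!-- #include file="security.asp" -->
' Assumed names: login.asp (logon form), Session("UserID") and
' Session("LastSeen"), both set by the login script on success.

Const INACTIVITY_MINUTES = 20

Sub BootToLogon()
    Session.Abandon                   ' drop the server-side session state
    Response.Redirect "login.asp"     ' Redirect ends the response; nothing else runs
End Sub

Sub RequireLogin()
    Dim lastSeen
    ' Session variables live on the server and are keyed by the session
    ' cookie, so nothing the browser keeps (history, hidden fields)
    ' contains the username or password after the initial login.
    If IsEmpty(Session("UserID")) Or Session("UserID") = "" Then BootToLogon

    ' Enforce the inactivity window explicitly instead of relying only
    ' on Session.Timeout.
    lastSeen = Session("LastSeen")
    If IsEmpty(lastSeen) Then BootToLogon
    If DateDiff("n", lastSeen, Now()) > INACTIVITY_MINUTES Then BootToLogon
    Session("LastSeen") = Now()
End Sub

' Stop the protected page being handed back out of the browser cache
' (the "logged-in page from the browser history" problem).
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-store, no-cache, must-revalidate"
Response.AddHeader "Pragma", "no-cache"

RequireLogin
%>
```

Because the check runs before any page output, a request that arrives without a valid session never reaches the admin content at all.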
 
Thanks all,
I'm implementing the session variable method.
It seems much easier and, as you say, it minimises the sniffing issue.
Thanks for your help, much appreciated.
C
 