
Secure Login 1


Swi (Programmer, Feb 4, 2002)
What is the most secure method of having a login form in ASP? Any suggestions would be greatly appreciated. Thanks.

Swi
 
SSL certificate and HTTPS.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
ok, not a problem, however what is the best method of transferring data to check against my database? Session variables? Thanks.

Swi
 
Session variables? Thanks

No, because the data HAS to be 'transferred' to the server BEFORE it can be written to a session variable.

Your choices are POST and GET, a GET passes the data as key/value pairs parameters in the URL, while POSTing transfers it without exposing it directly.

Chris.

 
Ok, so user enters credentials, I verify with JavaScript and then use VBScript to bounce them against my database. Then you are suggesting to post the data to the other form which will then do another database lookup as I am going to display info from my database on screen after a successful login. Is this correct? Sorry, new to classic ASP as I am supporting a legacy app and believe the authentication is not up to par. Thanks.

Swi
 
Do you have any samples? I can post the code I currently have Monday.

Swi
 
Ok, so user enters credentials, I verify with JavaScript and then use VBScript to bounce them against my database. Then you are suggesting to post the data to the other form which will then do another database lookup as I am going to display info from my database on screen after a successful login. Is this correct?

No.
Verify with JavaScript that the patterns of the data are correct and all necessary fields have data in them, yes; then when the form is submitted you check against the database.



One thing to absolutely avoid, is using AJAX to check if a username is valid while the user is still entering it, as that can be used by 'crackers' to build a list of valid user names without triggering any server side defences.


Chris.

 
Thanks for this unfortunately half the links do not go anywhere. Also, I have read that to prevent SQL injection I should be using parameterized queries if using Access which this is. Sorry for all of the questions but I want to make sure this site is secure and I am new to ASP as this is a legacy app. Thanks.

Swi
 
Also, after I verify the credentials I want to move them to another page and display data based on information in the database for that user.

What is the most secure way of passing the values to that page. Session variables, query string, etc...

Thanks.

Swi
 
Query strings ABSOLUTELY NOT.

Use cookies and session variables, and NEVER store a password in a cookie, generate a hash 'token' that lasts only for the length of the session and check that each time the user tries to access a 'secure' page.

Also if you are using an Access database file (.mdb) do not store it in the folders of the website where it could be downloaded, put it above the document root and refer to it in your DSN or connection string using "../database_name" in a server.mappath() statement so it cannot be accessed outside of your code.





Chris.

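Chris's advice above (a per-session token instead of a password in a cookie, checked on every protected page, with the Access file kept outside the document root) as an added example in classic ASP / VBScript. This is not code from the thread or from Swi's application; the file name auth_helpers.asp, the cookie name "auth", the Session keys, the path "../data/app.mdb" and the use of the .NET SHA256Managed COM class for hashing are all assumptions.

```vbscript
<%
' auth_helpers.asp (added example, not from the thread).
' Include from every protected page:  <!-- #include file="auth_helpers.asp" -->

' Connection string for an Access file kept one level ABOVE the web root.
' Assumption: the site root is C:\site\www and the database is C:\site\data\app.mdb,
' so nothing under the web root can be downloaded as the database.  Resolving the
' root with Server.MapPath("/") and appending "\..\" avoids needing the IIS
' "Enable Parent Paths" setting that a bare Server.MapPath("../x.mdb") requires.
Function DbConnectionString()
    DbConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
        Server.MapPath("/") & "\..\data\app.mdb"
End Function

' Hex-encode a byte array using MSXML's bin.hex data type (standard VBScript idiom).
Function BytesToHex(bytes)
    Dim doc, node
    Set doc = CreateObject("MSXML2.DOMDocument")
    Set node = doc.CreateElement("b")
    node.DataType = "bin.hex"
    node.NodeTypedValue = bytes
    BytesToHex = node.Text
End Function

' SHA-256 of a string via the .NET Framework classes registered for COM
' (assumption: .NET Framework is installed on the IIS host, as it usually is).
Function Sha256Hex(text)
    Dim enc, sha
    Set enc = CreateObject("System.Text.UTF8Encoding")
    Set sha = CreateObject("System.Security.Cryptography.SHA256Managed")
    Sha256Hex = BytesToHex(sha.ComputeHash_2(enc.GetBytes_4(text)))
End Function

' The per-session 'token' Chris describes: a hash that identifies this login only and
' never contains the password.  Its inputs (session id, timer, Rnd, clock) are an
' assumption chosen because VBScript has no built-in CSPRNG; nothing the client sends
' is mixed in.
Function NewAuthToken()
    Randomize
    NewAuthToken = Sha256Hex(Session.SessionID & "|" & Timer & "|" & Rnd & "|" & Now)
End Function

' Call once after the database has confirmed the credentials.
Sub StartAuthenticatedSession(userName)
    Dim token
    token = NewAuthToken()
    Session("AuthUser") = userName
    Session("AuthToken") = token
    Response.Cookies("auth") = token
    Response.Cookies("auth").Secure = True          ' sent only over HTTPS
    Response.Cookies("auth").Path = "/; HttpOnly"   ' classic-ASP workaround for HttpOnly
End Sub

' Put this at the top of every page that shows data for the logged-in user:
' the cookie presented by the browser must match the token held server-side.
Sub RequireLogin()
    Dim expected, presented
    expected = Session("AuthToken")
    presented = Request.Cookies("auth")
    If IsEmpty(expected) Or expected = "" Or presented <> expected Then
        Session.Abandon
        Response.Redirect "login.asp"
    End If
End Sub

' Logout: drop the server-side state and expire the cookie.
Sub EndAuthenticatedSession()
    Session.Abandon
    Response.Cookies("auth") = ""
    Response.Cookies("auth").Expires = DateAdd("d", -1, Now)
End Sub
%>
```

A protected page calls RequireLogin as its first statement so that the redirect happens before any output is sent. The Jet provider named in the connection string only exists in 32-bit application pools; a 64-bit pool needs the ACE provider instead, which is a deployment detail the thread does not cover.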
 
Ok, thanks for the tips. Since a user could have cookies disabled then I guess session variables would be the safest way then?

Swi
 
Sessions are actually cookies, only the 'session cookie' is ephemeral, meaning that it expires very shortly after leaving the server, so it is not blocked by not accepting cookies.

Chris.

 
Ok, got some of it working. Integrating Bootstrap into the ASP code to give it a more updated responsive look and feel.

I followed your advice to POST the login page. When I POST to the next page I authenticate against the DB and then either populate the page with data if successful and if not I redirect back to the login page.

Unfortunately, when I do so it does not show that the user had an invalid login.

Just curious as to how people normally handle this. Should I just pass something back to the login page that I can read and say "Invalid Login Credentials"?

Still a bit of work to do on the site especially with adding vulnerability code, parameterized queries, etc...

I appreciate your advice and patience.

Thanks.

Swi
 
Chris,

Do you normally POST the page to itself and verify the login or do you do what I state above and post to another page and verify there. Right now I post to another page to authenticate and if valid display the page and if not redirect to the login page with the failure reason. Thanks.

Swi
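The flow Swi describes in the last two posts (POST the credentials, check them against the Access database with a parameterised query, show "Invalid Login Credentials" on failure) as an added example of a login page that posts to itself, so the failure message never has to travel through a query string. This is not code from the thread or from Swi's application; the table Users(UserName, PasswordValue), the database path, the page names login.asp and account.asp, and an include auth_helpers.asp that provides StartAuthenticatedSession(userName) to store the user name and per-session token are assumptions.

```vbscript
<%
' login.asp (added example, not from the thread): the form POSTs to this same page, so a
' failed attempt re-renders the form with a message and nothing appears in the URL.
Option Explicit
%>
<!-- #include file="auth_helpers.asp" -->
<%
Dim errorMessage, userName, password
errorMessage = ""

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    userName = Trim(Request.Form("username"))
    password = Request.Form("password")

    If userName = "" Or password = "" Then
        errorMessage = "Invalid Login Credentials"
    ElseIf CredentialsValid(userName, password) Then
        StartAuthenticatedSession userName        ' assumed helper from the include
        Response.Redirect "account.asp"
    Else
        ' Same message for unknown user and wrong password, so the page does not
        ' reveal which user names exist.
        errorMessage = "Invalid Login Credentials"
    End If
End If

' Look the user up with a parameterised ADODB.Command: the user name is bound as a
' parameter, never concatenated into the SQL, so it cannot change the query.
Function CredentialsValid(userName, password)
    Dim conn, cmd, rs, stored
    CredentialsValid = False
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
              Server.MapPath("/") & "\..\data\app.mdb"   ' file kept above the web root
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                                      ' adCmdText
    cmd.CommandText = "SELECT PasswordValue FROM Users WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("user", 200, 1, 64, userName) ' adVarChar, adParamInput
    Set rs = cmd.Execute
    If Not rs.EOF Then
        stored = rs("PasswordValue").Value
        ' Compare in code rather than in SQL: Jet compares text case-insensitively,
        ' StrComp with vbBinaryCompare does not.  The legacy schema stores the column
        ' as-is; moving to a salted hash is a separate schema change.
        If Not IsNull(stored) Then
            CredentialsValid = (StrComp(stored, password, vbBinaryCompare) = 0)
        End If
    End If
    rs.Close
    conn.Close
End Function
%>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Login</title></head>
<body>
<% If errorMessage <> "" Then %>
  <p class="alert alert-danger"><%= Server.HTMLEncode(errorMessage) %></p>
<% End If %>
<form method="post" action="login.asp">
  <label>User name <input type="text" name="username" required></label>
  <label>Password <input type="password" name="password" required></label>
  <button type="submit">Log in</button>
</form>
</body>
</html>
```

Posting to the same page keeps the failure handling in one file and avoids the redirect-with-reason round trip; the success path is the only redirect, and it happens before any HTML is written so the headers are still open. The Bootstrap alert class is there because Swi mentions integrating Bootstrap, and the message is HTML-encoded before it is written even though it is a constant here.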
 