
Security issues 1

Status
Not open for further replies.

achmo

Programmer
Aug 30, 2001
56
IL
Hello,

I have built a site for our intranet, and all was well. To enter the site, one must enter username and password (and every page on the site kicks the user out to the entry page if the correct session variables are not found).

But now The Big Boss insists on entering without username and password. I tried explaining about security, but he really insists. I thought of creating a cookie on his computer, and changing the entry page to enter freely a user with this cookie.

So my question is, how dangerous is it. I'm not worried about someone seeing the information on the site, it's not *that* classified. But if someone gains access to the site, does this fact itself give them a leverage point for doing damage? On the other hand, for someone to read the code and discover that they can enter freely by planting a cookie on their computer, they would have to break into the server anyway to see the code where this is stated, so if they have already broken in, I'm not worse off, right?

Thoughts, anyone?

thanks,

Yael Achmon
 
Achmo,

The only damage they'll be able to do is only what you would allow them to do. I mean, if your website allows people to delete records from a database, then I suppose an intruder could do the same thing.

However, without hacking their way into the server (which is a totally separate issue), they can't see your ASP code, or do damage to the server. Make sure you write / retrieve the cookies using ASP. It can be done in JavaScript, but this can be viewed in the source code so you're off to a good start using ASP.

Also, don't store the actual username and password in the cookie if you can help it. Store a userID or something like that that references a record in the database like you would do to originally authenticate a user.

ToddWW
 
Could you do something like check the IP address of the computer requesting the page, and if it's the boss's (I presume on your intranet there are fixed IP addresses), then forgo the login? Just a suggestion, help me think this through...

Ben
 