Programming Forums > ASP > S E C U R I T Y in asp scripts
(http://www.programmingforums.org/showthread.php?t=6855)

paulchwd Nov 6th, 2005 5:00 PM

S E C U R I T Y in asp scripts
 
Hello all,

I'm looking to restrict access to various pages of my website. I currently have an app in place which queries a database for the credentials (user + password) entered and sets a flag to true if a match was found.

I heard about comparing the HTTP_REFERER header to the HTTP_HOST header, but heard it is useless because some browsers don't support those headers and hackers can mess with them easily.

Do you have any suggestions?


Thanks

bja888 Nov 6th, 2005 6:25 PM

You don't need to pass session data through the browser. Keep it on the server with the session object. If you're really worried about it, check browser and IP every time a page is accessed.

paulchwd Nov 6th, 2005 11:10 PM

Thanks for your reply

What do you mean by "Keep it on the server with the session object"? Could you show me an example please... thanks

This is what I am doing now (see attached; it won't let me upload a .asp or .inc file):

Validate is the main validation page that checks you at login

and val1 is the include file I use on each page to check if you logged in

Thanks

bja888 Nov 6th, 2005 11:15 PM

You're already using it in your validate.txt file:

session("flag")=true

That is stored on the server in memory, I recall. I believe there is no way for anyone to pull that off the server.

OpenLoop Nov 7th, 2005 8:42 AM

As far as I know, restricting access to parts of a website is the job of the web server. I'm not sure how to do that in IIS, but if you're using Apache, you can specify the directories that have restricted access.

paulchwd Nov 8th, 2005 8:00 AM

Oh I see, you mentioned checking IPs; how would I go about that? And how do I compensate for dynamic (DHCP) IPs?

InfoGeek Nov 8th, 2005 10:10 AM

I checked your Username/password validation script. It can be easily cracked in 1 min (and no thinking) using SQL injection. Google SQL injection for more info about the attack.

bja888 Nov 8th, 2005 10:48 AM

Quote:

Originally Posted by paulchwd
Oh I see, you mentioned checking IPs; how would I go about that? And how do I compensate for dynamic (DHCP) IPs?

Personally, I would use an offline temp folder. Generate a random file name for a text file. Associate that file with the session:

Session("File") = "95862983.txt"

Write in that text file the person's IP address, then check the file to see if it matches every time you open a page.

paulchwd Nov 9th, 2005 10:24 AM

Thanks for the reply

1) What do you mean by "offline temp folder"? If it's not on my server (this will eventually be uploaded to a server other than my IIS, which I have limited control over), how will I reference it?

2) To InfoGeek: Thanks for the tip, how can I make it more secure?

3) How can I protect my Access database so that it cannot be downloaded by going to, for example, www.mydomain.com/mydatabase?

Thanks for all the help

InfoGeek Nov 10th, 2005 8:18 AM

Quote:

Originally Posted by paulchwd
how can i make it more secure

Read about the attack and find out why your script is vulnerable to it. Then modify your script to make it secure.

Quote:

Originally Posted by paulchwd
How can I protect my Access database so that it cannot be downloaded by going for example www.mydomain.com/mydatabase

Don't give read permission to the world. (chmod 700 mydatabase)
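
The login check InfoGeek is pointing at, shown as an added example (not paulchwd's attached validate.txt, which is not on this page): the same Session("flag") design, with the credential lookup done through ADO parameters so the submitted values never become part of the SQL text. The Users table, its UserName and Pwd columns, and the Application("ConnString") setting are assumptions for the example.

```vbscript
<%
' Added example, not the thread's own validate.txt. Assumed: a Users table
' with UserName and Pwd columns, and a connection string stored in
' Application("ConnString") at application start.
Option Explicit

' Vulnerable shape (what InfoGeek is warning about): the form fields are
' pasted straight into the SQL string, so whatever is typed becomes SQL.
'   sql = "SELECT * FROM Users WHERE UserName='" & Request.Form("user") & _
'         "' AND Pwd='" & Request.Form("pass") & "'"

' Hardened shape: the values travel as ADO parameters, not as SQL text.
Function CredentialsMatch(userName, password)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT 1 FROM Users WHERE UserName = ? AND Pwd = ?"
    cmd.CommandType = 1                                   ' adCmdText
    ' CreateParameter(name, type, direction, size, value):
    ' 200 = adVarChar, 1 = adParamInput; size caps the accepted length.
    cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("p", 200, 1, 50, password)

    Set rs = cmd.Execute
    CredentialsMatch = Not rs.EOF                         ' a row came back => match
    rs.Close
    conn.Close
End Function

' Login page: set the server-side flag only on a match. The flag lives in
' the server's session store, which is what bja888 means by keeping it there.
If CredentialsMatch(Request.Form("user"), Request.Form("pass")) Then
    Session("flag") = True
    Response.Redirect "members.asp"
Else
    Response.Write "Login failed"
End If

' The include (val1) on every protected page then only needs:
'   If Session("flag") <> True Then Response.Redirect "login.asp"
%>
```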

