#1
Hobbyist Programmer
Join Date: Mar 2005
Posts: 139
Rep Power: 4
Hello all,
I'm looking to restrict access to various pages of my website. I currently have an app in place which queries a database for the credentials (user + password) entered and sets a flag to true if a match was found. I heard about comparing the HTTP_REFERER header to the HTTP_HOST header, but heard it is useless because some browsers don't support those headers and hackers can mess with them easily. Do you have any suggestions? Thanks

#2
Hobbyist Programmer
You don't need to pass session data through the browser. Keep it on the server with the session object. If you're really worried about it, check the browser and IP every time a page is accessed.

#3
Hobbyist Programmer
Join Date: Mar 2005
Posts: 139
Rep Power: 4
Thanks for your reply
What do you mean by "Keep it on the server with the session object"? Could you show me an example, please? Thanks. This is what I am doing now, see attached (it won't let me upload a .asp or .inc file). Validate is the main validation page that checks you at login and val1 is the include file I use on each page to check if you are logged in. Thanks

#4
Hobbyist Programmer
You're already using it in your validate.txt file:
session("flag")=true
That is stored on the server in memory, as I recall. I believe there is no way for anyone to pull that off the server.
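An added example (not the poster's validate.asp or val1.inc, which are not shown on the page) of what "keep it on the server with the session object" looks like in classic ASP, together with the browser and IP check suggested in post #2. It assumes the credential lookup already exists as a function named IsValidLogin; the page names login.asp and members.asp, and the session keys other than "flag", are assumptions.

```asp
<%
' Added example, not the poster's code. Assumes an existing function
' IsValidLogin(user, pass) that queries the database and returns True
' on a match (assumption: the poster's validate.asp already does this).

' ===== file: validate.asp (the login handler) =====
Sub StartAuthenticatedSession(userName)
    ' Clear anything a previous visitor left in this session before
    ' setting the flag, so stale values cannot leak into the new login.
    Session.Contents.RemoveAll
    Session("flag") = True
    Session("user") = userName
    ' Remember the client that logged in; every protected page compares
    ' these against the current request (post #2's browser/IP check).
    Session("ip") = Request.ServerVariables("REMOTE_ADDR")
    Session("ua") = Request.ServerVariables("HTTP_USER_AGENT")
End Sub

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If IsValidLogin(Request.Form("user"), Request.Form("pass")) Then
        StartAuthenticatedSession Request.Form("user")
        Response.Redirect "members.asp"
    Else
        Response.Write "Login failed."
    End If
End If
%>

<%
' ===== file: val1.inc (included at the top of every protected .asp page) =====
Function IsLoggedIn()
    IsLoggedIn = False
    ' Session("flag") is Empty for a visitor who never logged in, and
    ' Empty <> True, so this also covers the "no session yet" case.
    If Session("flag") <> True Then Exit Function
    ' If the address changes during the session (DHCP lease renewal, a
    ' proxy farm) this check fails and the user must log in again; drop
    ' the IP line and keep the browser line if that is too strict.
    If Session("ip") <> Request.ServerVariables("REMOTE_ADDR") Then Exit Function
    If Session("ua") <> Request.ServerVariables("HTTP_USER_AGENT") Then Exit Function
    IsLoggedIn = True
End Function

If Not IsLoggedIn() Then
    Session.Abandon                 ' throw the state away on a failed check
    Response.Redirect "login.asp"   ' Redirect also stops running the page
End If
%>
```

Each protected page pulls the check in with `<!--#include file="val1.inc"-->` before any output. Two caveats: the include only guards .asp pages, so a static file (an image, a .txt, the database itself) in the same folder is still reachable by URL, which is the point post #5 makes; and IIS will hand a .inc file back as plain text if someone requests it directly, so keep includes out of the published tree or give them a .asp extension.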

#5
Expert Programmer
Join Date: May 2005
Location: East Lansing, MI
Posts: 647
Rep Power: 4
As far as I know, restricting access to parts of a website is the job of the web server. I'm not sure how to do that in IIS, but if you're using Apache, you can specify the directories that have restricted access.

#6
Hobbyist Programmer
Join Date: Mar 2005
Posts: 139
Rep Power: 4
Oh, I see. You mentioned checking IPs; how would I go about that? And how do I compensate for dynamic (DHCP) IPs?

#7
Professional Programmer
Join Date: Jun 2005
Location: India, The great.
Posts: 435
Rep Power: 3
I checked your username/password validation script. It can be easily cracked in 1 min (and no thinking) using SQL injection. Google "SQL injection" for more info about the attack.
__________________
PFO - My daily dose of technology.
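What post #7 is pointing at, as an added example: the poster's validate.txt is not on the page, so this is a typical version of the concatenated login query the post describes, not their exact code, followed by the input that bypasses it and the same check done with ADO parameters. The table and column names ([users], [username], [password]) and the open connection variable conn are assumptions.

```asp
<%
' Added example, not the poster's validate.asp. Assumes an open
' ADODB.Connection in conn and a table [users] with columns [username]
' and [password] (names are assumptions; the brackets matter because
' PASSWORD is a reserved word in Access/Jet SQL).

' VULNERABLE: user input is spliced into the SQL text, so it can change
' the query's structure. Any username plus the password
'     ' OR '1'='1
' turns the WHERE clause into
'     [username]='x' AND [password]='' OR '1'='1'
' which is true for every row, so rs.EOF is False and the flag gets set
' without a valid password. No guessing is involved.
Function VulnerableLogin(conn, user, pass)
    Dim sql, rs
    sql = "SELECT [username] FROM [users] WHERE [username]='" & user & _
          "' AND [password]='" & pass & "'"
    Set rs = conn.Execute(sql)
    VulnerableLogin = Not rs.EOF
    rs.Close
End Function

' HARDENED: the SQL text is fixed and the values travel as parameters.
' The driver treats them purely as data, so quotes in the input cannot
' alter the query; the payload above simply matches no row.
Const adVarChar = 200
Const adParamInput = 1
Function SafeLogin(conn, user, pass)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT [username] FROM [users] WHERE [username] = ? AND [password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 255, user)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 255, pass)
    Set rs = cmd.Execute
    SafeLogin = Not rs.EOF
    rs.Close
End Function

' Usage in validate.asp, replacing the concatenated query:
If SafeLogin(conn, Request.Form("user"), Request.Form("pass")) Then
    Session("flag") = True
End If
%>
```

The fix is not escaping the quotes by hand (Replace(pass, "'", "''") is easy to forget on the next query you write); it is never letting input become part of the SQL text at all, which is what the ? placeholders do.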

#8
Hobbyist Programmer
Quote:
Session("File") = "95862983.txt"

#9
Hobbyist Programmer
Join Date: Mar 2005
Posts: 139
Rep Power: 4
Thanks for the reply
1) What do you mean by "offline temp folder"? If it's not on my server (this will eventually be uploaded to a server other than my IIS, which I have limited control over), how will I reference it?
2) To info geek: Thanks for the tip. How can I make it more secure?
3) How can I protect my Access database so that it cannot be downloaded by going to, for example, www.mydomain.com/mydatabase?
Thanks for all the help
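For question 3, an added example (not from the thread) of the one approach that does not depend on IIS settings the poster cannot change: keep the .mdb in a folder IIS does not publish at all, and let the ASP code locate it from the web root's physical path. The folder layout (a data folder next to wwwroot), the Application("DbPath") setting and the file name are assumptions.

```asp
<%
' Added example, not the poster's code. Assumed layout on the host:
'     D:\sites\example\wwwroot\   <- what IIS publishes (Server.MapPath("/"))
'     D:\sites\example\data\      <- not reachable by any URL
' Anything under wwwroot can be fetched as a static file by URL, and no
' ASP check can stop IIS serving it, so the .mdb has to live outside.

Function WebRoot()
    ' Physical folder of the site root, without a trailing backslash.
    WebRoot = Server.MapPath("/")
End Function

Function DatabasePath()
    ' Prefer a path the host configured in global.asa (Application("DbPath"),
    ' an assumed setting); otherwise assume a "data" folder next to wwwroot.
    ' The fallback is built from the physical path rather than
    ' Server.MapPath("../data") so it works with "Enable Parent Paths" off.
    Dim root
    If Len(Application("DbPath")) > 0 Then
        DatabasePath = Application("DbPath")
    Else
        root = WebRoot()
        DatabasePath = Left(root, InStrRev(root, "\")) & "data\mydatabase.mdb"
    End If
End Function

Function IsUnderWebRoot(path)
    ' True when path starts with the published folder (case-insensitive);
    ' the trailing backslash stops "wwwroot2" from matching "wwwroot".
    IsUnderWebRoot = (InStr(1, path, WebRoot() & "\", vbTextCompare) = 1)
End Function

Function OpenDatabase()
    Dim path, conn
    path = DatabasePath()
    ' Fail loudly rather than quietly run with a downloadable database.
    If IsUnderWebRoot(path) Then
        Err.Raise vbObjectError + 1, "OpenDatabase", _
                  "Refusing to open a database inside the web root: " & path
    End If
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & path & ";"
    Set OpenDatabase = conn
End Function
%>
```

The account ASP runs under needs read and write permission on the new folder, because Jet creates a lock file (.ldb) next to the database. If the host offers no folder outside the published tree, the only remaining option is on the web-server side (have them deny requests for the file or folder); renaming the file or relying on the session check does not help, since the session check never runs for a static file.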

#10
Professional Programmer
Join Date: Jun 2005
Location: India, The great.
Posts: 435
Rep Power: 3
Quote:
Quote:
__________________
PFO - My daily dose of technology.