Secure Session Keys
I would like to implement user authentication and session management for my
applications. I've been using solution 1 (below) for most of my
applications in the past since the target audience is mostly intranet based.
Now that I'm creating a more global application, I want to use a method that
does not require cookies, yet maintains a fairly high level of security and
fault tolerance.
Is there a better way to handle this problem? What method do the big
Internet shopping companies use?
Scenario:
A user is authenticated and is given a session key. The session key is
passed to the user in an HTML page and returned to the server using a query
string. The user then copies the URL and gives it to his friend to see.
Since the URL now contains the session key, how does the server distinguish
between the authenticated user and his friend?
Solution 1:
Use an ASP session variable to store the session key between page requests.
This solution requires that the client have session cookies enabled. If the
session is not encrypted (i.e. SSL), the ASP session id is still passed via
clear text, and is vulnerable.
Solution 2:
Use a session key that identifies the location (IP address) of the user. If
the submitted session key doesn't match the user's location, then the
session key is invalid. The session key can be passed as part of the URL
and does not require cookies. This method is vulnerable to IP spoofing, and
breaks if the user is behind a NAT server, or web caching server that masks
the true IP address.
Solution 3:
Have the session key returned to the server via an HTTP POST request. This
method does not require cookies, but is clear text and vulnerable if the
session is not encrypted. The session key is lost if the user navigates to
a page manually issuing an HTTP GET request.
View Replies
Is it safe to store credit card information in the ASP session state to be ultimately transmitted to VeriSign? I have a set of forms that are in the format of a wizard and I need to maintain the information through the pages. I know cookies are potentially unsafe, and I don't want to be responsible for credit card information being stored in my databases. I would use this type of method...
Code:
<% Session("CCNumber") = Request.Form("CCNumber") %>
If it helps, I have a VeriSign SSL certificate.
View Replies
View Related
I am trying to develop a forum in asp. I want to try and make it as secure as possible. I understand that if someone knows or guesses a session ID they can post requests to the server and potentially gain unauthorised access. How can I go about doing this securely?
I did think about using random strings as session IDs, but then how could I check to see if the user is logged in if I don't know what the session ID is?
View Replies
View Related
Example:
session("IsLoggedIn")=false
Can this be changed on the user's machine by editing the cookie directly? (Please tell me it can't!). If so, will ASP know it has been tampered with, and refuse to "accept" it if changed to "true" ?
View Replies
View Related
Are session variables more secure than cookies?
Session cookies (cookies with no expiration) are destroyed when the browser is destroyed.
Session variables are destroyed when the browser is destroyed OR after a time period.
So, in that way, they are secure from the data persisting on the client.
However, while they are in use, can cookies and/or session variables be made secure without encryption?
How much more secure are session variables than cookies?
View Replies
View Related
I've seen a lot of communities that use the session("") cookie to assign
the user ID after the login. Since this is a cookie, isn't it easy to modify it and become whichever user you want at the current community?
View Replies
View Related
I am designing Admin pages for my web site. I am using HTML frames, VBScript, JavaScript, ASP, Microsoft Access as database, etc.
I want that when any Administrator puts focus on any particular frame and presses some shortcut keys (like CTRL+A), then in the same frame one link called 'Admin' should be visible and active, which then takes the Administrator into the Admin area to make necessary changes. For the rest of the users this Admin section would not be visible at all.
View Replies
View Related
Does anyone know how I can open up an entry in a Microsoft Access database table using its primary key through ASP?
View Replies
View Related
Is there a way to trap the F1, F2, F3, F4 etc. keys in ASP and have our own
code do whatever is necessary for each of those keys?
View Replies
View Related
Is it possible to ascertain which fields are the primary keys from an Access table just using ASP? If so, how?
View Replies
View Related
I want to do something that should be simple; it is in PHP, but I can't seem to find any array functions in ASP to do this. I have an array with x number of items (the x may change, could be 10/50/etc.) that will start with 1 and end with x.
For example (excuse my poor syntax):
myArray[0] = 1
myArray[1] = 2
myArray[2] = 3
myArray[3] = 4
etc.
What I want is to call a function and randomize the array as a new array, so for example:
randArray[0] = 3
randArray[1] = 1
randArray[2] = 4
randArray[3] = 2
View Replies
View Related
Is it possible to get a key from the registry of a remote machine? We have three print servers (tin) serving an ERP application for different areas of the business. Currently someone has to log on and check to see if the servers are still running each morning.
However, while they are running they increment a key in the registry once every second each time they poll. If I can get ASP to read this value, I should be able to set up a
web page to monitor the situation. I've found RegObj.dll on the Microsoft site, but this
doesn't seem to work in ASP.
View Replies
View Related
Creating a script that will create a primary key based on today's date and a number (ex. 1124204-1, 112404-2), with the last number increasing by one. The script should automatically increase the number if the key has already been used.
View Replies
View Related
I am trying to store some information (like application paths) in the web.config file of my ASP C# project. To that end I did the following: Code:
View Replies
View Related
I'm trying to insert into a table with foreign keys. The statement works in query analyzer but not when I do it in asp to insert the data from a form. Code:
View Replies
View Related
I'm using cookies to maintain a shopping cart. I can find plenty of tutorials and articles on deleting a cookie, but only deleting a single key within a cookie is harder to find...
Surely there is a more efficient way to remove a cart item from my cookie than setting it equal to "", isn't there?
I mean, technically the cookie will still hold the text cartitem1 = "", right? Which takes up unnecessary space...
View Replies
View Related
I have disabled the function keys (F1-F12). I would like each function key to submit a form. I'm not quite sure how to tell each function key to submit (post) for me.
View Replies
View Related
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Sybase][ODBC Driver]Integrity constraint violation: no primary key value for foreign key 'MemberCode' in table 'PersonMember'
/admin/Member_New-Sybase.asp, line 39
What I am doing is: first I have added a record to my persons table; the next step is that I need to add this person ID to the PersonMember table with a new MemberCode, and then finally add more information to a membership table. Code:
View Replies
View Related
I have an e-commerce site that is split across two domains: a secure space that retains CC details and the main site where contact information and order details are held. I need to be able to produce a report that displays both sets of info in a printable document. Aside from using iframes, is there a better way of doing this?
View Replies
View Related
How do I stop pages from being active in the history?
I have tried this:
<% Response.Expires = -1 %>
But the pages are still active in the history and are being cached somewhere on the machine (Win2K).
View Replies
View Related
If I create a simple login page and then store the UserId in a session and check its validity in the subsequent pages, how secure will the site be? I know the same question has been asked in the PHP forum:
Code:
http://www.sitepoint.com/forums/showthread.php?t=233118
But how can I make my site secure enough in ASP?
View Replies
View Related
I may be in over my head on this one... VERY new to ASP. I have a potential client which is a marine loan broker. He wants an online credit application for the boat dealers he works with (20 different ones). He wants the credit app to be co-branded. Dealer/LoanCompany logos at the top would be sufficient. The dealer would have a link on their own site to the loan company's site but wants it to look like they are "Partners" and not just being shuffled from one site to the next.
Is there a way to display different dealer logos based on the referrer URL? I would rather have one creditapp.asp that displays the proper logos depending on the referrer over building 20 creditapp.asp's. He doesn't need the form data written to a database. He just wants the form data emailed to him. (this I can do) How secure is that emailed data?
View Replies
View Related
Right now, I'm trying to use WSH to run PSCP (command-line version of
PuTTY). I've tested the command I'm using by opening a DOS box
manually on the server, and the test file is successfully transferred.
I've run Filemon and Regmon while running my sample ASP page, and see
no permissions problems. I've tried running cmd.exe and passing PSCP
as the parameter.
I've tried running PSCP.exe directly. I've even
tried using ASPexec to run it instead of WSH. None of these have
worked. I always get the same thing -- error code 0 (success) returned
from WSH or ASPexec, but when I look at the second server the file
never got there, and when I look at terminal services on the Web server
PSCP is still running.
View Replies
View Related
I'd like to create a secure login from an ASP page to a specific SQL Server
2000 DB. Is there an accepted methodology for doing this? Are there any
resources that show how this can be done?
View Replies
View Related
I need to secure my web page, when it is reading a file from the
physical folder.
Say, for example, I have a page Page1.aspx, which displays a list of links
that correspond to
the available text files in one of the files. All the other pages are
secured except this
page. So when I click the link, it redirects, for example, to
http://localhost/folder1/one.txt.
But this should not happen, as the user can type this without even
logging into the website.
So I need to know how to stream this file and display it in another
page, rather than just showing it.
View Replies
View Related
I've made a login page in ASP, and a page that receives
the data from the form and logs you in.
But how do I make the login page secure?
Do I have to use https, and if so, how do I change from
http to https when the login page is included in another
ASP file? I don't know if I have explained myself correctly.
View Replies
View Related
Here's what I'm doing to sanitize/validate/secure my input.
1. The front end checks what kind of data is entered.
2. I am using parameterized queries instead of concatenated strings (Against XSS)
3. I am replacing symbols like <,>,# etc. with their appropriate entity number, e.g. & #32; without the space. (Against SQL Injection)
View Replies
View Related
Can someone please explain to me the basics of creating a secure connection (we're looking at using Authorize.net) and possibly point me in the direction of other resources for getting some info?
View Replies
View Related
I have a site designed with ASP 3.0 code (HTML and vbscript) that I want to protect from being visible. I want this code to be non-visible and hack-proof. Is there a way to either encrypt or protect another way to ensure that my code is not stolen?
View Replies
View Related
Do you know how I can prevent my page from cross-site,
like using <marquee></marquee>?
View Replies
View Related
I have a client with their own W2k server and their IT guy refuses to turn on the SMTP service for fear of it becoming hijacked by spammers.
However, they also want their web site to perform some emailing functions I would normally use CDOSYS for.
I'm having them look into alternate SMTP servers to use with CDOSYS, but I was wondering if anyone here can recommend a 3rd-party ASP-based SMTP app that might be more secure than IIS' built-in service?
View Replies
View Related
I've an ASP page in which the customer writes his card number for the payment. How can I make this information secure when it's sent to the server?
View Replies
View Related
I have written a simple script that is called every 75 seconds or so to test whether the SQL Server database is running. The script is contained in a page that is not linked to in the site.
The thing is I have hard coded the database information on the page; I was thinking of putting the connection string into my global.asa file as an application variable.
How secure are the two options?
Will there be any performance issues? Bearing in mind that this page is called every 75 seconds.
View Replies
View Related