Secure Cookie-based Login

I have researched several login scripts and I have a few questions that I haven't been able to find the answers for.

First of all, my goal is to create a cookie-based, non-SSL, login system. I have many, many users that are going to be logged in for extremely long periods of time, so I absolutely do not wish to use session variables under any circumstances.

I've come across several great algorithms and one-way hashes that seem to work great for encoding the password. However, they all seem to have one thing in common. Once the user successfully "logs in", the site simply sets a cookie using the User ID of the login account. On all password protected pages, the only check that is made is the User ID stored in the cookie, compared to the value in the database.

I'm curious if it is possible for a hacker to create a false cookie on their system, storing simply the UID. Is it possible to do this, or is there some kind of internal OS security that prevents such an action? In other words, if I go to a co-worker's computer, review their temp files, find the cookie for the site they're logged into and take the UID... Could I recreate that cookie on my own computer at a later time and gain entry?

This may not be so much of a security issue on a site that only stores a temporary cookie, but what if when they login, I set the cookie to expire after a year? (so they don't have to login every time they visit the site).

I'm not saying this method isn't secure, I guess I'm looking for an explanation. Also, any ideas on where I can obtain more information about creating a login application that's not based on session variables?


Cookie Based On Domain Name

I have multiple domains all pointing to the same generic dynamic webpage. Depending on the domain used, I want to query my database and retrieve certain display settings such as certain graphics, background colors and so on. What would be the best way to do this without using any redirects or Request.ServerVariables("http_referer") or anything like that? Is there any way it can be done server side or something really completely transparent to the visitor?


Secure Login

I'd like to create a secure login from an ASP page to a specific SQL Server
2000 Db. Is there an accepted methodology for doing this? Are there any
resources that show how this can be done?


Secure Login

Any good tutorial sites that could help me code a members area? In a nutshell, what I'm planning to do is:

Member login - 3 attempts at accessing members area. Different access levels for different users. I also want to allow admin to upload files [word docs mainly] and allow the members to download them. I have previously built an ASP login but it was very basic and had no security put in place.

If you know of more security features I need then please share the knowledge; it has been a while since I coded a dynamic site.


Secure Login Page

How can I secure the pages for logged-in users in a "professional way"? I could set a global variable to true when a user successfully signs in, but that's not how the experts do it, right?


Login Script Based On Email, IP And Sql Server Backend

My question concerns building a login system based on checking for the
existence of the user's email address only....

1. Is it ok for me to use IP address to allow user to bypass all login and
registration systems if IP is present in database? I wish to save the user
time....if the IP is not present I will present the LOGIN email screen....

2. I am considering using Session variable on each page I wanted
protected...I think I know how to do this but I am not sure on whether I
should be using the global.asa to handle logging in or logging out or whether
I should do all the code on the secure page itself.

3. I wish to use a sql server backend to house my tables: tblProspect,
tblProspectPageSelections......is it okay to use the following branching
code to switch between my test and production server with regards the
physical database path as I have multiple sites on our remote server which
need to feed off the same database....I am thinking about something like
this:

If InStr(Request.ServerVariables("SERVER_NAME"), "publicserver.com") > 0 Then
    ' Set Public Server Paths
Else
    ' Set Private Server Paths
End If

Can this work?


Login User With Cookie From Another Server

We have an intranet which is personalized using a cookie which we set. I have an outside vendor who is developing an application which will live on a separate server. Is there a way they can read the cookie which we set to log user into their application so that we can make it a seamless transition?


How To Protect A File Upload Page With A Login Username Cookie?

I have downloaded a nice upload script from the internet. It works great, but I would like to have it protected, so that only the admin user can use this upload page. I'm getting the following error:

Microsoft VBScript runtime error '800a01b6'

Object doesn't support this property or method: 'Request.Session'

If I change it in Request.Cookies, that won't work either.....


Response.cookie In Session_onstart Event And IE 6.0 Cookie Acceptance

When I set a cookie in global.asa in the sub session_onstart, even if
I have "privacy" in IE 6.X set to "block all cookies" the cookie is
still set, and I can get it on other pages.

I can't find an article that addresses this as a specific issue. Why
does the browser get the cookie when it is set in the session_onstart
event even when I have "block all cookies" set?


Secure And Non Secure Data

I have an ecommerce site that is split across two domains, a secure space that retains cc details and the main site where contact information and order details are held. I need to be able to produce a report that displays both sets of info in a printable document. Aside from using iframes, is there a better way of doing this?


Session Cookie Vs. Regular Cookie

I want to know what the differences are between a session cookie and a regular cookie.

In ASP, when we create a cookie, we do the following to identify a user:

Response.Cookies("name") = value

Is this a regular cookie? How about a session cookie? And when to use which?


XMLHTTP Through Login But After Requesting Next Page - Kicks Back To Login

I am building a website to pull data from a remote https site using xmlhttp. The data from the https site is behind a login screen. I can successfully get through the login screen with:

set objXMLHTTP = Server.CreateObject("Msxml2.ServerXMLHTTP")
objXMLHTTP.Open "POST", "https://website.com/validate-login2.asp", false
objXMLHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXMLHTTP.Send "Username=uname&password=pwd&company=O"

That works great - but then, when I try to go to the next page (where the data is that I want to pull) - I use the same process and I get kicked back out to the login screen. Could there be some cookies, referer, strings being passed normally that I am not including in my second request? How do I find out for sure?

I have used the software IETrace and it looks like some cookies being passed, but how do I know for sure if (and what exactly) it is using?


Login To Page Requires Login

I want to log in to a page using MSXML2.ServerXMLHTTP.4.0 or an object like this. I must send the form variables needed to log in when I try to log in to the page. But the problem is that the page looks like an exe file (not an asp file or php file or whatever). The name of the page I try to log in to is something like "/pw?/session/login", nothing more, without extension. I have tried the code with a normal asp file with session registration and login process and it worked, but not with this file.


Secure

How do I stop pages being active in the history?
I have tried this:

<% Response.Expires = -1 %>

But the pages are still active in the history and are being cached somewhere on the machine win2k.


Secure

If I create a simple login page and then store the UserId in a session and check its validity in the subsequent pages, how secure will the site be? I know the same question has been asked in the PHP forum:

http://www.sitepoint.com/forums/showthread.php?t=233118

But how can I make my site secure enough in ASP?


Secure

I may be in over my head on this one... VERY new to ASP. I have a potential client which is a marine loan broker. He wants an online credit application for the boat dealers he works with (20 different ones). He wants the credit app to be co-branded. Dealer/LoanCompany logos at the top would be sufficient. The dealer would have a link on their own site to the loan company's site but wants it to look like they are "Partners" and not just being shuttled from one site to the next.

Is there a way to display different dealer logos based on the referrer URL? I would rather have one creditapp.asp that displays the proper logos depending on the referrer over building 20 creditapp.asp's. He doesn't need the form data written to a database. He just wants the form data emailed to him. (this I can do) How secure is that emailed data?


Secure FTP With ASP?

Right now, I'm trying to use WSH to run PSCP (command-line version of
PuTTY). I've tested the command I'm using by opening a DOS box
manually on the server, and the test file is successfully transferred.
I've run Filemon and Regmon while running my sample ASP page, and see
no permissions problems. I've tried running cmd.exe and passing PSCP
as the parameter.

I've tried running PSCP.exe directly. I've even
tried using ASPexec to run it instead of WSH. None of these have
worked. I always get the same thing -- error code 0 (success) returned
from WSH or ASPexec, but when I look at the second server the file
never got there, and when I look at terminal services on the Web server
PSCP is still running.


Secure Page

I need to secure my web page when it is reading a file from the
physical folder.
Say, for example, I have a page Page1.aspx, which displays a list of links
that correspond to
the available text files in one of the folders. All the other pages are
secured except this
page. So when I click the link, it redirects to, for example,
http://localhost/folder1/one.txt.
But this should not happen, as the user can type this without even
logging into the website.
So I need to know how to stream this file and display it in another
page, rather than just showing it.


Secure Page

I've made a login page in ASP, and a page that receives
the data from the form and logs you in.
But how do I make the login page secure?
Do I have to use https, and if so, how do I change from
http to https when the login page is included in another
ASP file? I don't know if I have explained myself correctly.


Application Secure

Here's what I'm doing to sanitize/validate/secure my input.

1. The front end checks what kind of data is entered.
2. I am using parameterized queries instead of concatenated strings (Against XSS)
3. I am replacing symbols like <,>,# etc. with their appropriate entity number, e.g. & #32; without the space. (Against SQL Injection)


Secure Connection

Can someone please explain to me the basics of creating a secure connection (we're looking at using Authorize.net) and possibly point me in the direction of other resources for getting some info?


How To Secure Code?

I have a site designed with ASP 3.0 code (HTML and vbscript) that I want to protect from being visible. I want this code to be non-visible and hack-proof. Is there a way to either encrypt or protect another way to ensure that my code is not stolen?


Page Secure

Do you know how I can prevent my page from cross side,
like using <marquee></marquee>?


Secure SMTP App?

I have a client with their own W2k server and their IT guy refuses to turn on the SMTP service for fear of it becoming hijacked by spammers.

However, they also want their web site to perform some emailing functions I would normally use CDOSYS for.

I'm having them look into alternate SMTP servers to use with CDOSYS, but I was wondering if anyone here can recommend a 3rd-party ASP-based SMTP app that might be more secure than IIS' built-in service?


Secure Information

I've an ASP page in which the customer writes his card number for the payment. How can I make this information secure when it's sent to the server?


How Secure Is Global.asa?

I have written a simple script that is called every 75 seconds or so to test whether the SQL Server database is running. The script is contained in a page that is not linked to in the site.

The thing is I have hard coded the database information on the page, I was thinking of putting the connectionstring into my global.asa file as an application variable.

How secure are the two options?

Will there be any performance issues? Bearing in mind that this page is called every 75 seconds.


Secure A Database

I have set up an ASP script which writes the output of a form to a database. I have achieved my database connection like this:

Code:
DIM objConn
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
Server.MapPath ("contact-2000.mdb") & ";User ID=admin"
objConn.Open

How do I go about making the database secure? At the moment anyone could view the source of the ASP script and download the database. Which folder should the database be stored in? I've heard of using the root folder? At present the database is located in the same folder as my ASP file. Is there a way of setting up a password on the database in Access and passing the password from my ASP script to the database? The password would have to be encrypted though.


Secure Web Page

We have a need to allow our users to enter Credit Card #'s on a web page, so we need a secure page (have the little lock at the bottom of the browser) in order to do this.

1) What is this called? (I've heard the term SSL (Secure Socket Layer) tossed around, I don't know if this is the same or something different).

2) If I need a certificate of some sort for our server, how do I get it?


Secure Statement

I have written a web app in asp3 which is used by lots of users. The data is all held server side. However, I want it so that the users can export the data in a csv file, much like you can download a statement from online banking.

However, I don't want to save the file to the server, as then anyone else might guess the filename and download it. Is there any way to directly generate a file from an asp script, i.e. instead of asp returning html, it returns csv data which the user can save away?


Secure Issue

There is a way to post form variables in the best secure way... I'm not sure how or what the technical way to do this is, and that is the aim of this subject... but somehow the form writes all the inputs into a cookie and then the ASP file reads the form outputs from the cookie and not from the form itself... Why? How does it work?


Secure ASP Application

I have an ASP application that I would like to give out to customers. How do I control the licensing? They will get the source code (I know I can put it into a DLL - it's a possibility) but even then they can simply copy it elsewhere.

So what I thought was some code looks at the server's name, IP and current date and generates a code based on that. Then, I create a code at my end that will only work for that server name, IP and up to a date I specify. The code would be encrypted somehow. Does that sound like it would work?


Secure ASP File

How do I restrict anyone from changing an ASP file? Can it be done using Visual SourceSafe? Is there any way that I can stop anyone from making changes in my ASP file?


Session Secure

Is it safe to store credit card information in the ASP session state to be ultimately transmitted to VeriSign? I have a set of forms that are in the format of a wizard and I need to maintain the information through the pages. I know cookies are potentially unsafe, and I don't want to be responsible for credit card information being stored in my databases. I would use this type of method...

Code:
<% Session("CCNumber") = Request.Form("CCNumber") %>
If it helps, I have a VeriSign SSL certificate.

Copyrights 2005-15 www.BigResource.com, All rights reserved