Preventing Session ID Replay Attack
I am developing a simple ASP website with a login page. I want to
know how I can change the session ID after login and also close the current
session after the user closes the window or gets logged out of the website, so
that every time a user logs in to the website, the session ID will be unique.
In ASP classic pages, I want to know if it's possible to prevent
session variables from becoming zero length strings? I have tried
setting the Session.Timeout to a large value, but always, after 20
minutes, my session variable times out. I also tried setting the
session timeout in IIS manager to a high value, but this did no good
either. I just want to allow one particular session variable to last a long
time.
I am seeing log entries that have SQL statements embedded in the actual forms.
I have just started a new job and I'm in charge of the databases at a college. We have a web page that the students can access to see their profile and course details, which is causing problems.
The students have to log in to an e-learning site called Moodle, which is fine (Moodle is all written in PHP). They can from there just browse Moodle, which has news and a message board etc. They can then also click a link to their profile; it is then directed to an ASP page, but it uses their login details from the PHP Moodle site to retrieve their details from the database and display them on the ASP web page.
THE FOLLOWING IS A CODE EXTRACT....
When we register an email account, it has a picture that has a few words inside, and asks us to write the words to prevent an automated registration attack. What is this technique called? And has anybody got sample code for this?
I just wanted to share it with you guys and ask your opinions. Code:
I'm using it for when the user deletes a record from the database. People using the website try to delete more than one record at a time by placing commas between the ID numbers, i.e. 1,2,5,9 etc.
This creates an error. So instead of this error appearing, how can I get a small alert box telling the user he or she has entered the wrong data type?
The code for the form is :-
Is there a script that changes email addresses to prevent spam?
ex: ticul@myprovider.com
I want it to appear like this on my webpage: ticul@xxxxxxx.com, or something that looks like this.
I have a permission tracking app that I am working on, and I have made the insert page for it. I am having issues on how to prevent duplicates from getting entered.
Currently the interface for the app has a mixture of select boxes, list boxes and checkboxes. The form submits the page to processAIMR.asp and then does the inserting. I am using a loop to insert a new record for each checkbox checked or listbox entry selected. Code:
Does anyone know how to prevent the browser from automatically adding the password to a form after a user name is entered? I need to be able to override the browser setting, so turning off the option in IE is not really a solution.
I have a form that sends info to a preview page, then to a thank you page. The thank you page gets the data passed from the preview page and sends an email.
How can I prevent the user from refreshing the page, so it doesn't send the email again?
I would like to prevent a user from logging in with their user/password combination on a different computer or even a different browser window, if they are already logged in. I have a login page, from which I use a DB check to verify user/password info. Also, I have a bit loggedIN field in the DB, which I use to see if they are currently logged in; if so, I prevent them from logging in a second time.
Unless they click the "Log Out" button, then the DB value does not get changed. Any suggestions as to how I can log them out, even if they simply close the browser window or jump to a different page?
For instance here's a simple select statement Code:
("SELECT a, b,c d, e, f FROM Table WHERE a = "&CInt(j)&" and c= 0")
j is a dimmed variable which is a and it's numeric. Is the above protected against any non numeric instances? Like j=2,345. I've tested this and it works; I'm just trying to see if I've covered all my tracks.
How do people go about preventing the user from submitting a form for a 2nd time? For example, the user submits a form, clicks on the back button, and then submits the form again. I have used various techniques in the past (depending on circumstances) but I'd be interested in the techniques you guys currently use.
Is there a way in ASP to prevent including the same file more than once?
Example:
dbutil.asp needs constants.asp, so I include constants.asp inside dbutil.asp.
transact.asp also needs constants.asp, so I include constants.asp inside transact.asp.
transact.asp doesn't need stuff in dbutil.asp, and dbutil.asp doesn't need stuff in transact.asp.
Then later I might have a main.asp that needs both dbutil.asp and transact.asp. So I include them both. However, the constants.asp will be found to be included twice!
What can I do to creatively prevent multiple inclusion of the same file in ASP? I know how to do it in C and C++, but I can't apply that to ASP, it seems.
I have created an Intranet in my office using ASP (of course). Within it is a booking system, allowing booking of conference rooms, digital camera and other equipment. It works perfectly...almost, as there is no way to prevent double bookings.
I really don't know where to begin with this one. All bookings go to an Access DB, into a single table. The bookings have a start time and an end time (24hr).
I would like it so that when the user submits the form, if there is a clash in times instead of saying, thanks for your booking, to redirect them back to the booking page saying there is already a booking for this time and that I am very sorry!
I guess I have to check some value in Access and return the info back to the webpage before it chooses where to redirect the user.
My client received an email from a user who mentioned that by accident they had been typing (over the querystring I guess), and the url had become:
default.asp?pageid='asd
They then received a SQL Server error message.
My client contacted their webhost, who came back to them promptly and talked of 'SQL Injection'. They said that we would need to secure the code as well as the permissions on the database (which I believe they have done).
This is something I had overlooked, and started to write a fix for a couple of nights ago...but I don't think it's 100%....
Basically I now do this at the top of my default.asp page ...
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages.
We have 2 domains for internal purposes: one for users (have to login
and domain has SSL) and another for sponsors (have to login and domain
does NOT have SSL).
Now when a user logs in and there are pages that have info from the
sponsors domain, users are asked to login again with a warning message
saying if they want to see secure and nonsecure information. How can
I bypass the second login? Is there something I can do in Active
Directory, IIS, or ASP to not have the second login appear?
How can I prevent this from happening? For example when the asp
application works in a public terminal where we don't want successive
users to know the login password and user name of the previous ones?
SSL cert on our site is for www.mydomain.com.
When you enter our site with just mydomain.com (without the www) and then proceed to a section of the site that is https, the user receives a cert warning since mydomain.com doesn't match up with www.mydomain.com.
What is the easiest way to globally and seamlessly redirect users from mydomain.com to www.mydomain.com to prevent this? The site has about 3000 pages so changing every page with request_querystring isn't really an option.
It would be great if it would work off of child pages too, i.e., mydomain.com/somepage.asp would also redirect to www.mydomain.com/somepage.asp.
How to find whether the session has expired or not without using any session variables?
I have a site that I'm trying to migrate to ASP.NET from ASP, and the
foremost stumbling block I'm hitting is session state between the ASP
and ASP.NET applications. In order to access this information, I'm
doing a HttpWebRequest from the ASP.NET side into an .asp page,
passing the session name on the get in order to request it from the
ASP side and write it back to the response stream, giving ASP.NET
access to it. Of course I change sessions each time I make the call
from the ASP.NET side.
Soooooo, I'm thinking to myself, "Self, shouldn't you be able to fake
out the server by getting the session cookie from the initial usage of
the asp, pass that data to the ASP.NET, and use that to send a request
back the ASP side under the appropriate session?"
From a real high level, I enter the site via a .asp page. This page
in turn calls .aspx page from within a frame ......
I want to create an administration page which lists all the current users who are on the site at the moment.
I know ColdFusion has this feature built in using the SessionTracker class... does ASP have something similar? If not... is there any way I can just iterate through all the session files on the server...?
I have a site developed using ASP, but each page I enter has a different session id when accessing the site using the domain name of the site. When accessing the site from my network and using the internal IP address, it is OK. Any ideas?
I want a suggestion as to which is better to use between:
Session.abandon
&
Session.Contents.Remove
I wrote a website which uses the session to store and track some vars.
Now I am going to convert it to a desktop application with Activesite compiler 5; however, it does not support session, cookie, application(). So, I have no idea how to find something that can be used instead of session.
My original processing: Session -> modify Session var -> store to Database.
There is a problem with the ASP session ID. The ASP session is implemented by storing the session ID in a session cookie, but when I read this cookie in an ISAPI filter, I get a string like the following:
ASPSESSIONIDQADCQQTS = IAOFCBBCGDGMDGCNJIKPNBAN
But the real session ID is 554851848. (The real session ID is the SessionID property of the ASP Session object.)
The problem is: what is the relation between them? And how do I get the real session ID from the cookie session ID?
I did a session("adminlogin")=1; if I post it to the same page, it returns true. But if I response.redirect to another page, this value doesn't exist anymore. This is on the actual server where all the MS security is updated.
The same script worked okay on my test server (the security patch not patched yet).
Has anyone encountered this? How do you overcome it?
I tried searching the net; it says the problem lies with an MS security patch. How I wish I could uninstall that patch.
When does a session object expire?
- at the end of 20 minutes
- after they close their browser? Does that end the session?
I have a home page in HTML with two buttons to call my main.asp in another window. My problem is:
1-From my home page I open another web page, my main menu; this new page has a SessionID. (OK)
2-If I open another web page from the same home page, this new page has the same SessionID as the page opened in the first step
I want to get a new SessionID for every page I open from my home page and don't want to abandon the first session...
I have an ASP and ASP.NET web application. When I run it in IE7 in the first tab it
starts a new session. When I open a second tab and browse to the same site, a
new session is not started (in fact I need to have a new session there).
Whereas 2 IE instances generate 2 unique sessions. The only issue is with IE
tabs. Firefox also has similar things but let's not talk about Firefox here.
I am more concerned with IE only.
In my login script I set session("User") = rs("User"); the session timeout is set to 20 min.
Do I need to set up some kind of update session variable on each page so that the timeout does run out, or does IIS update the variable as long as I'm browsing the website?
And another thing: <% application("something") %> works fine on my test server, but once I implement it on the main webserver I don't get any text out. Is there some kind of switch that enables this function?