WebApp Sec mailing list archives

Re: ASP authentication


From: security () brimba nu
Date: Fri, 27 Aug 2004 09:14:12 GMT

Hi! If you are protected against XSS then using session shouldn't be any problem. My suggestion is that you create a requiredloginINC.asp and include that page on all the pages that require that the user has logged in. In that page you have a script like

<%
' requiredloginINC.asp: included at the top of every page that requires a logged-in user
If Not Session("isLoggedIn") = True Then
    ' Not authenticated: send the visitor to the login page instead of serving this page
    Response.Redirect "login.asp"
End If
%>

and your login.asp sets the Session("isLoggedIn") to true when you have verified the user. If you are verifying the user against a database please make sure you are protected against SQL injection. This is a pretty common way to secure pages using ASP. Another way could be to secure them with IIS by not allowing anonymous access. What you do is that you create a couple of accounts on your server for your users and then you protect your pages, or maybe a folder, from anonymous access.

Good luck
///Patrik

Bénoni MARTIN writes:
Hi List, I am wondering what was the most secure way to allow users to access pages after authentication, i.e.: user authenticates in toto.asp, and after that, access is granted to tata_1.asp, tata_2.asp, ..., tata_n.asp. The trouble is obviously to ask the user once for his login / password (just in toto.asp), and to allow him to get to the other pages without asking each time for his credentials.
Googling around, I saw a couple of ways to meet my needs, but all seem to be weak:
- I can set a hidden field where I can say "yes, he is authenticated" or "no, he is not", but anyone a little bit skilled can create a fake request having this set up by hand (with a proxy!),
- I can check a session number or something like that on each page... but this does not seem very reliable,
- I can check the IP address... but when you use AOL for instance, IP addresses can change!
So none of the ways I found seem to be the best... Cheers list, for any reply / clue!
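The reply above describes two halves of the scheme: an include that checks Session("isLoggedIn"), and a login.asp that sets it only after the credentials have been verified against a database without being open to SQL injection. The following login.asp is an added example written for this archive page, not code posted by either participant. It assumes a table Users(Username, PasswordHash), a connection string stored in Application("ConnectionString") by global.asa, and an include file hashing.inc.asp that supplies a HashPassword() function (classic ASP has no built-in hash, so that routine is a placeholder the reader must provide).

```vbscript
<%
' login.asp (added example, not from the thread).
' Handles the POST from the login form and sets Session("isLoggedIn") only after
' the username/password check has succeeded. The session flag is the single
' server-side authority; nothing the browser sends is trusted as proof of login.
Option Explicit
%>
<!--#include file="hashing.inc.asp"-->   <%' assumed to define HashPassword(plaintext) %>
<%
Dim username, password, conn, cmd, rs

username = Trim(Request.Form("username"))
password = Request.Form("password")

' Start every attempt from a clean state so a previous session cannot linger.
Session("isLoggedIn") = False
Session("username") = ""

If Len(username) > 0 And Len(password) > 0 Then
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnectionString")   ' assumed to be set in global.asa

    ' Parameterised query: the username travels as a bound parameter and is never
    ' concatenated into the SQL text, so it cannot alter the statement.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT PasswordHash FROM Users WHERE Username = ?"
    cmd.CommandType = 1   ' adCmdText
    ' adVarChar = 200, adParamInput = 1, size 64
    cmd.Parameters.Append cmd.CreateParameter("@username", 200, 1, 64, username)

    Set rs = cmd.Execute

    If Not rs.EOF Then
        ' Compare the hash of the submitted password with the stored hash.
        If HashPassword(password) = rs("PasswordHash") Then
            Session("isLoggedIn") = True
            Session("username") = username
        End If
    End If

    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
End If

If Session("isLoggedIn") = True Then
    ' Authenticated: hand over to the first protected page.
    Response.Redirect "tata_1.asp"
Else
    ' One message for both "unknown user" and "wrong password", so the form does
    ' not reveal which usernames exist.
    Response.Write "Login failed."
End If
%>
```

Every protected page then starts with `<!--#include file="requiredloginINC.asp"-->`, exactly as the reply suggests, and a logout page should call Session.Abandon so the flag does not survive past the user's intent. The stored value must be a hash rather than the plaintext password, which is why the example compares HashPassword(password) to the database column instead of the password itself.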
