WebApp Sec mailing list archives
RE: ASP authentication
From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
Date: Mon, 30 Aug 2004 00:19:13 +0800
Upgrade to ASP.Net and use ASP.Net authentication/authorization.

You could use:

FORM based authentication and URL based authorisation.
IIS based authentication and ACL based authorization.

/Gill

With regards to
-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Thursday, August 26, 2004 1:50 PM
To: webappsec () lists securityfocus com
Subject: ASP authentication

Hi List,

I am wondering what was the most secure way to allow users to access pages after authentication, i.e.: user authenticates in toto.asp, and after that, access is granted to tata_1.asp, tata_2.asp, ..., tata_n.asp.

The trouble is obviously to ask the user once for his login / password (just in tot.asp), and to allow him to get to the other pages without asking each time his credentials.

Googling around, I saw a couple of ways to meet my needs, but all seem to be weak:

- I can set a hidden field where I can say "yes, he is authenticated" or "no, he is not", but anyone a little bit skilled can create a fake request having this set up by hand (with a proxy!),
- I can check a session number or smth like that on each page... but this does not seem very reliable,
- I can check IP address... but when you use AOL for instance, IP addresses can change!

So none of the ways I found seem to be the best...

Cheers list, for any reply / clue!
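The forms authentication and URL authorization combination suggested in the reply, sketched as an ASP.NET web.config. This is an added example, not part of the original post; the page names (toto.aspx, public.aspx), the cookie name and the timeout are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config in the application root.
     Page names, cookie name and timeout are assumed values. -->
<configuration>
  <system.web>
    <!-- Forms authentication: after a successful login on toto.aspx the
         runtime issues an encrypted, integrity-protected ticket in a cookie.
         Later requests are checked against that ticket on the server, so a
         client-set hidden field or query parameter plays no part. -->
    <authentication mode="Forms">
      <forms loginUrl="toto.aspx"
             name=".APPAUTH"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true"
             path="/" />
    </authentication>

    <!-- URL authorization: deny anonymous users ("?") on every page.
         Unauthenticated requests are redirected to loginUrl, which stays
         reachable so the user can log in once. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-URL override: one page that anonymous users may still read. -->
  <location path="public.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

URL authorization applies only to requests the ASP.NET runtime handles, so pages left as classic .asp are outside it unless IIS routes them through ASP.NET.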