RE: ASP authentication

["Sarbjit Singh Gill" <ssgill () gilltechnologies com>]

 Upgrade to ASP.Net and use ASP.Net authentication/authorization.

You could use:
FORM based authentication  and URL based authorisation.
IIS based authentication and ACL based authorization.

/Gill



With regards to 
> -----Original Message-----
> From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
> Sent: Thursday, August 26, 2004 1:50 PM
> To: webappsec () lists securityfocus com
> Subject: ASP authentication
>
> Hi List,
>
> I am wondering what was the most secure way to allow users to access 
> pages after authentication, i.e.: user authenticates in toto.asp, and 
> after that, access is granted to tata_1.asp, tata_2.asp, ..., 
> tata_n.asp. The trouble is obviously to ask the user once for his 
> login / password (just in tot.asp), and to allow him to get to the 
> other pages without asking each time his credentials.
>
> Googling around, I saw a couple of ways to meet my needs, but all seem 
> to be weak:
> - I can set a hidden field where I can say "yes, he is authenticated" 
> or "no, he is not", but anyone a little bit skilled can create a fake 
> request having this set up by hand (with a proxy ! ),
> - I can check a session number or smth like that on each page...but 
> this does not seem very reliable,
> - I can check IP adress...but when you use AOL for instance, IP 
> adresses can change !
>
> So none of the ways I found seem to be the best...
>
> Cheers list, for any reply / clue !