WebApp Sec mailing list archives
Re: ASP authentication
From: "Saphyr" <saphyr () infomaniak ch>
Date: Wed, 1 Sep 2004 09:55:49 +0200
> I usually don't implement anything crazy for authentication to specific pages. At the top of each ASP page I have a function call require(rolename), which checks the session variables to see if the role is included. If not, redirect to the login. The login sets up the roles. End of story.

Yeah. I agree. For *authentication*, that is pretty much it. Behind the scenes, encrypted sessions are a good thing solely as an added layer of protection against database server breaches... nothing more.

We hereby have a practical example of the difference between what would be theoretically perfect (SSL encryption, strong validation, impersonation, hijack detection, session replay attacks and so on...) and what was practically implemented: checking if a session value tells whether you're in a role or not. Like Ido said, it's good to think "what should we do best?" but even far better to think "who are we protecting against?", thus often avoiding useless (and more expensive) work ;)

antoine
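For reference, here is what the per-page require(rolename) gate described in the quoted message looks like in classic ASP. This is an added example, not code from anyone in the thread; it assumes login.asp stores the granted roles in Session("Roles") as a comma-separated string, and the page path /login.asp is a placeholder.

```vbscript
<%
' Added example (not from the thread): a per-page role gate for classic ASP.
' Assumes login.asp, after verifying credentials, stores the granted roles in
' Session("Roles") as a comma-separated string such as "user,editor".
' The whole check rests on the session store being server-side: the browser
' only ever holds the session ID cookie, never the role list itself.
Sub Require(roleName)
    Dim roles, needle
    roles = Session("Roles")
    ' No roles in the session: the visitor never logged in, or the session expired.
    If IsEmpty(roles) Or Len(roles & "") = 0 Then
        GoToLogin
    End If
    ' Wrap both sides in delimiters so "admin" does not match "administrator".
    needle = "," & LCase(roleName) & ","
    If InStr(1, "," & LCase(roles) & ",", needle) = 0 Then
        GoToLogin
    End If
End Sub

Sub GoToLogin()
    ' Send the visitor to the login page, remembering where they were headed.
    Response.Redirect "/login.asp?return=" & Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
    ' Response.Redirect already stops processing; Response.End makes that explicit
    ' so nothing below the gate can ever be sent.
    Response.End
End Sub

' Usage: call this at the very top of a protected page, before any output.
Require "editor"
%>
```

Because the gate runs before any HTML is written, a page that forgets the call is wide open, so the protection is only as complete as the list of pages that include it.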