Solved

asp login

Posted on 1998-06-27
8
167 Views
Last Modified: 2013-12-25
is this type of login secure???
<%
 If Session("Authenticated") = 0 Then
   Response.Redirect ("login2.htm")
 End If
%>
0
Comment
Question by:chongkong
  • 4
  • 4
8 Comments
 
LVL 28

Expert Comment

by:sybe
ID: 1858453
what do you mean by "secure" ?

Any browser will respond to this, since it is server side code, and there is no way to get around it (for the same reason).

0
 

Author Comment

by:chongkong
ID: 1858454
what i mean is it easily hackable or the user can request for the header
0
 
LVL 28

Accepted Solution

by:
sybe earned 40 total points
ID: 1858455
It is not easily hackable. The session variable is kept on the server and is related to the browser by the ASP-cookie.

Each time a ASP-session is started, a new cookie is send to the browser.

So to hack this, one should be able to change the cookie in the browser to the value of the cookie of another browser who is having a session at the same time.

It might be possible, since the ASP-cookie code is not generated randomly, but each next session gets the next number in a row. Maybe this setting can be changed though.

I don't know if it is possible to change the cookie in a browser without closing and restarting the browser. Maybe someone else knows.


0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 

Author Comment

by:chongkong
ID: 1858456
i'm not using cookie but use something below

<% if request("userpass") = "abc" then Session("Authenticated")= 1
..
%>


0
 
LVL 28

Expert Comment

by:sybe
ID: 1858457
Maybe you don't use cookies, but ASP does :)

You will find out that if you set your browser to not accepting cookies, the Session variable in ASP will not work. Also you can display the ASP-cookie by:

<%
Response.write Request.ServerVariables("HTTP_COOKIE")
%>



0
 

Author Comment

by:chongkong
ID: 1858458
i see what you mean but where is the cookie store
0
 
LVL 28

Expert Comment

by:sybe
ID: 1858459
The cookie stored on the browser.

It is needed for SessionVariables. Normally the browser ask for one page on the server, and the server gives it. It does not matter what the browser has done before. And then there is no contact between server and browser.

In the case of SessionVariables, the server stores some values in its memory, which relate to a specific browser. The question is how does the server know which values belong to which browser. That is where the cookie is used for. The server stores the values together with the cookie-id in its memory. When a browser ask for another page, it send with the request, the value of the ASP-cookie. So that is how the server can recognize which stored values belong to that browser.

The thing is that if you can hack the cookie, you can make the server think that it is a different browser. And especially if you can find out which other values of the cookie make sense to the server (because another browser actually uses it), then you could hack the security you want.

What I said was that it is not difficult to find out which other cookie values might be used by another browser (and be valid), because the cookie values are not generated randomly, but in a row.

Browser 1 comes to the server and the server gives it (for example) cookie-id ASPSESSION1230005. Then Browser 2 comes and get cookie-id ASPSESSION1230006. Browser 3 gets ASPSESSION1230007 etc.

So if you are browser 1 and you can hack your cookie to ASPSESSION1230007, the server will think you are browser 3, and gives you all access that browser 3 has.

The only thing is that i don't know if it is possible to hack the cookie that resides in your browser. I guess it is, but i never tried.

Security would improve a lot if the server can/will be set to generate the cookie-id randomly.





0
 

Author Comment

by:chongkong
ID: 1858460
thanks alot
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Wordpress Only run code if on a certain page 11 34
Why "Mobile First"? 5 37
How to control cache of some js files ? 7 55
WordPress 8 54
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
There’s a good reason for why it’s called a homepage – it closely resembles that of a physical house and the only real difference is that it’s online. Your website’s homepage is where people come to visit you. It’s the family room of your website wh…
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question