prairieits

asked on

Security best practice

My apologies if this is not the right topic to ask this question in, but I have a Windows 2000 Server running IIS and SQL Server 2000 with ColdFusion 6.1.

Most of the sites I create simply use a query of a table in the database to authenticate and authorize users. The not-so-simple part of that is that I then need to write every page to include a security check.

As a best practice, what is your opinion of the most efficient, yet secure, way to build a site?

I would prefer to just set a folder's permission somehow and let the server check for the proper credentials each time someone accesses a page than for me to have to check for authentication and authorization on every page.

Using Active Directory integration isn't an option for us.  I must use the sql server usernames and passwords for all authentication/authorization.

Thanks in advance,
Jerod
ASKER CERTIFIED SOLUTION
mrichmon

prairieits

ASKER

mrichmon,

Thanks for the feedback. Everything I write is for internal use only, so restricting by IP won't work. The people I need to defend against are employees who don't have access to applications (in part or at all). Right now, I run the query, make a cookie if they are listed as an administrative user, make another cookie with their login's unique system id, and then use those 2 items to both authenticate (are you logged in?) the user and authorize (do you have permission to see this portion of an application?).

I am putting that code on every page, so when I make an update, it is very slow because all pages need updating. What I would like to see is something like a package called Authentix (see it at flicks.com). The only problem is that it can handle initial authentication, but it doesn't handle authorization.

I will keep this open for a little while to see if anyone else brainstorms about something that may be useful.

Thanks,
Jerod
I write session variables and everything is written in Fusebox.

After authentication, a session variable is written to define authorization to each application. The application is in its own folder and the index page has a simple if statement for authorization to that specific application. If authorization fails, display the "no access, contact tech. dept." page.
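The asker wants a per-folder check the server performs on every request instead of a block pasted into each page, and the answer above describes keeping the authorization decision in session variables. In ColdFusion MX 6.1 both fit together in one file: an Application.cfm at the site root runs before every .cfm page below it, so the authentication and authorization checks live in exactly one place, and the "is admin" / "allowed applications" data stays in the server-side session rather than in cookies the browser could edit. The following is an added example written for this thread, not code posted by anyone in it; the datasource name, table and column names (app_user, user_app, pwd_hash, is_admin), the file names login.cfm and noaccess.cfm, and the "one folder per application" layout are all assumptions.

```cfml
<!--- /Application.cfm (site root). ColdFusion MX runs this file before every
      .cfm request in this directory tree, so the check is written once.
      Assumed layout: /login.cfm, /noaccess.cfm, /payroll/*.cfm, /inventory/*.cfm ... --->

<cfapplication name="intranet"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Pages that must be reachable before a login exists (assumed file names). --->
<cfset publicPages = "login.cfm,noaccess.cfm">
<cfset thisPage    = ListLast(CGI.SCRIPT_NAME, "/")>

<cfif NOT ListFindNoCase(publicPages, thisPage)>

    <!--- 1. Authentication. login.cfm sets session.userID only after the credential
            query returns a row. Session data is held on the server; the browser only
            carries CFID/CFTOKEN, so a user cannot rewrite the "admin" flag the way
            they could rewrite a cookie value. --->
    <cfif NOT IsDefined("session.userID")>
        <cflocation url="/login.cfm" addtoken="no">
    </cfif>

    <!--- 2. Authorization. Each application is its own folder, so the first path
            segment names the application being requested. Root pages (no folder)
            need a login but no application grant. --->
    <cfif ListLen(CGI.SCRIPT_NAME, "/") GT 1>
        <cfset thisApp = ListFirst(CGI.SCRIPT_NAME, "/")>
        <cfif NOT IsDefined("session.apps") OR NOT ListFindNoCase(session.apps, thisApp)>
            <cflocation url="/noaccess.cfm" addtoken="no">
        </cfif>
    </cfif>

</cfif>


<!--- /login.cfm, form-handler portion (assumed form fields form.username and
      form.password). cfqueryparam keeps the submitted values out of the SQL text
      instead of concatenating them into the query. The example assumes the table
      stores a hash rather than the plaintext password; Hash() stands in for
      whatever credential comparison the site actually uses. --->
<cfquery name="qUser" datasource="intranetDSN">
    SELECT user_id, is_admin
    FROM   app_user
    WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
    AND    pwd_hash = <cfqueryparam value="#Hash(form.password)#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif qUser.recordCount EQ 1>
    <!--- Load the application grants once, at login, into the session. --->
    <cfquery name="qApps" datasource="intranetDSN">
        SELECT app_name
        FROM   user_app
        WHERE  user_id = <cfqueryparam value="#qUser.user_id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfset session.userID  = qUser.user_id>
    <cfset session.isAdmin = qUser.is_admin>
    <cfset session.apps    = ValueList(qApps.app_name)>   <!--- e.g. "payroll,inventory" --->

    <cflocation url="/index.cfm" addtoken="no">
<cfelse>
    <!--- Same message for unknown user and wrong password. --->
    <cfoutput><p>Login failed.</p></cfoutput>
</cfif>
```

Adding an application is then a matter of creating its folder and inserting a user_app row; no page inside the folder needs its own check. Admin-only pages within an application can be handled the same way, for example by placing them in an admin subfolder and testing session.isAdmin in Application.cfm when ListGetAt(CGI.SCRIPT_NAME, 2, "/") is "admin". Because grants are loaded into the session at login, a change to a user's rights in the database takes effect at their next login or when the session times out, which is why the session timeout is kept short here.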
pinaldave
Hi prairieits,
http://www.more.net/security/best/
just check that out... :D

Regards,
---Pinal