All,

My question is in a purely ASP sense.

My apache-asp based web site can support session variables. I 
followed the instructions from "www.apache-asp.org".

This is what I am doing:

1. At the "login.asp" page the user enters his "Login Name" 
and "Password" and hits "Submit".

2. It takes the user to "login_thanks.asp" where his input data is 
checked in the database. If the login name and password match the 
entry in the database, I set up 2 Session variables:

$Session->{Login}
$Session->{Password}

Then on other asp pages I can just verify that these 2 session 
variables exist for the user in order for him to stay logged in 
successfully.

This all works, but somehow I feel this is an insecure way of 
verifying as the user moves from one asp page to the other. It makes 
the site more vulnerable to hackers. What if someone just creates a 
web page himself and alters these session variables? Because on all 
the following pages I will just check if these Session variables 
exist and not actually do a query in the database for their 
authenticity.

Please suggest a practical way to get this done. Examples will be 
appreciated.
Please reply to [EMAIL PROTECTED]

Thanks,
Kunal Parekh.
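
Added example, not part of the original post or of Apache::ASP itself: one way to structure the check described above, keeping only the login name and timestamps in the session once the database check has passed, and re-validating them on every page. Apache::ASP keeps $Session data on the server and gives the browser only a session ID cookie; the helper names, the 15-minute idle limit and the sample sessions are assumptions.

```perl
#!/usr/bin/perl
# Added example. A plain hash stands in for Apache::ASP's $Session (a tied
# hash) so the logic runs outside the web server. Helper names are hypothetical.
use strict;
use warnings;

my $IDLE_LIMIT = 15 * 60;    # assumed idle timeout, in seconds

# login_thanks.asp: call only after the database check has succeeded.
# The password is not copied into the session; the login name is enough.
sub mark_logged_in {
    my ($session, $login, $now) = @_;
    delete $session->{Password};       # drop any copy left by earlier code
    $session->{Login}    = $login;
    $session->{AuthTime} = $now;       # when the credentials were verified
    $session->{LastSeen} = $now;
    return;
}

# Every protected page: returns the login name, or nothing when the visitor
# has to be sent back to login.asp.
sub current_login {
    my ($session, $now) = @_;
    my ($login, $auth, $seen) = @{$session}{qw(Login AuthTime LastSeen)};
    return unless defined $login && length $login;
    return unless defined $auth && defined $seen;
    if ($now - $seen > $IDLE_LIMIT) {
        delete @{$session}{qw(Login AuthTime LastSeen)};   # expire idle login
        return;
    }
    $session->{LastSeen} = $now;
    return $login;
}

# Constructed sessions and timestamps for demonstration.
my $t0 = 1_000_000;
my (%anonymous, %user);
mark_logged_in(\%user, 'alice', $t0);

for my $case (
    [ 'never logged in',        \%anonymous, $t0 ],
    [ 'active 5 min later',     \%user,      $t0 + 300 ],
    [ 'idle 20 min after that', \%user,      $t0 + 300 + 1200 ],
    [ 'after expiry',           \%user,      $t0 + 1600 ],
) {
    my ($label, $session, $now) = @$case;
    my $login = current_login($session, $now);
    printf "%-24s %s\n", $label, defined $login ? "ok ($login)" : 'redirect to login.asp';
}
```

In an Apache::ASP site the same two subs would take $Session directly, with current_login called at the top of each protected page or from Script_OnStart in global.asa.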

