All,
My question is in purely ASP sense.
My apache-asp based web site can support session variables. I followed the instruction from "www.apache-asp.org".
This is what I am doing:
1. At the "login.asp" page the user enters his "Login Name" and "Password". Hits "Submit"
2. It takes the user to "login_thanks.asp" where his input data is checked in the database. If the login name and password matches the entry in the database. I setup 2 Session variables:
$Session->{Login} $Session->{Password}
Then on other asp pages I can just verify if the user's these 2 session variables exist inorder for him to stay logged in successfully.
You could even just set $Session->{Login} without the password for this implementation to be correct. You have already authenticated the password, so all you need is the Login name.
This all works but somehow I feel this is an insecure way of verifying as the user moves from one asp page to the other. It makes the site more vulnerable to hackers. What if someone just creates a web page himself and alters these session variables. Cause on all the following pages I will just check if these Session variables exist and not actually do a query in the database for its authenticity.
Be sure to set SecureSession and consider setting ParanoidSession, and read about these here:
http://www.apache-asp.org/config.html#SecureSessio77114c01
You just need to make sure you are sending the session id cookie only over https:// protocol so the communication is encrypted, otherwise any hacker could packet sniff the session ids of another user, and walk right into their account.
Don't worry though about a hacker creating a web page when it comes to sessions. If a hacker has that level of control of your system, then session id security is a trivial point, as that hacker likely has access to vital things like your database & operating system. Also note that the only way a hacker could affect the $Session data directly is by having write access to StateDir on your operating system, so make sure that others do not have access to this data, only trusted users & processes.
Regards,
Josh ________________________________________________________________ Josh Chamas, Founder phone:925-552-0128 Chamas Enterprises Inc. http://www.chamas.com NodeWorks Link Checking http://www.nodeworks.com
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
