"Ralf Huwald" <[EMAIL PROTECTED]> wrote:

>You are right, I could check the login in OnPreHTTP, but this would give a
>chance to anybody to access my site with
>http://www.somewhere.com/csp/abc/Login.csp?User=aaa&Password=bbb... After
>enough tries, he may get successful. Maybe I am wrong, but I think this
>could happen.
Yes, this can happen - if you accept GET style form submits (they are easy to check for). POST style submits would make this a little bit more difficult, but I wonder if it would be all that difficult to fake the #server()# calls.

If you want to defend against possible hackers, you might as well try to do it right. I'd probably err on the side of safety and simply disable an account after a certain number of (subsequent) failed logins, assuming someone is attempting unauthorized access. This should not be too difficult to build.

Gertjan.

[Disclaimer: I am definitely not a security expert, and although you can perhaps believe me when I tell you something is *not* secure, you should *not* believe me if I were to make the mistake to tell you something *is*. ;)]

--
Gertjan Klein
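
The two checks discussed in this message, as an added example that is not part of the original post and is not CSP code: a Python login routine that refuses credentials submitted by GET and disables an account after consecutive failed logins. The class name `LoginGuard`, the threshold of 5 and the return strings are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumed threshold; the post only says "a certain number"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Counts consecutive failed logins per account and disables at the limit."""

    def __init__(self):
        self.accounts = {}  # user -> salt, hash, failures, disabled

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(password, salt),
                               "failures": 0, "disabled": False}

    def login(self, method: str, user: str, password: str) -> str:
        # Credentials in a GET query string (Login.csp?User=..&Password=..)
        # are refused outright and never reach the password check.
        if method.upper() != "POST":
            return "rejected"
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"  # same return value as a wrong password
        if acct["disabled"]:
            return "locked"  # even the correct password no longer works
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0  # only consecutive failures count
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["disabled"] = True
            return "locked"
        return "denied"
```

Rejecting GET only closes the URL-guessing route from the quoted message; as the reply notes, a POST can be faked as well, so the failure counter is what bounds the number of guesses per account.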
