Tek-Tips Forums

Secure Login

(OP)
What is the most secure method of having a login form in ASP? Any suggestions would be greatly appreciated. Thanks.

Swi

RE: Secure Login

SSL certificate and HTTPS.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Secure Login

(OP)
ok, not a problem, however what is the best method of transferring data to check against my database? Session variables? Thanks.

Swi

RE: Secure Login

Quote:

Session variables? Thanks

No, because the data HAS to be 'transferred' to the server BEFORE it can be written to a session variable.

Your choices are POST and GET: a GET passes the data as key/value pair parameters in the URL, while POSTing transfers it without exposing it directly.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Secure Login

(OP)
Ok, so the user enters credentials, I verify with JavaScript and then use VBScript to bounce them against my database. Then you are suggesting to post the data to the other form, which will then do another database lookup, as I am going to display info from my database on screen after a successful login. Is this correct? Sorry, new to classic ASP as I am supporting a legacy app and believe the authentication is not up to par. Thanks.

Swi

RE: Secure Login

(OP)
Do you have any samples? I can post the code I currently have Monday.

Swi

RE: Secure Login

Quote:

Ok, so the user enters credentials, I verify with JavaScript and then use VBScript to bounce them against my database. Then you are suggesting to post the data to the other form, which will then do another database lookup, as I am going to display info from my database on screen after a successful login. Is this correct?

No.
Verify with JavaScript that the patterns of the data are correct and all necessary fields have data in them, yes; then, when the form is submitted, you check against the database.

http://www.4guysfromrolla.com/webtech/learnmore/Au...


One thing to absolutely avoid is using AJAX to check if a username is valid while the user is still entering it, as that can be used by 'crackers' to build a list of valid user names without triggering any server-side defences.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Secure Login

(OP)
Thanks for this; unfortunately half the links do not go anywhere. Also, I have read that to prevent SQL injection I should be using parameterized queries if using Access, which this is. Sorry for all of the questions, but I want to make sure this site is secure and I am new to ASP as this is a legacy app. Thanks.

Swi

RE: Secure Login

(OP)
Also, after I verify the credentials I want to move them to another page and display data based on information in the database for that user.

What is the most secure way of passing the values to that page. Session variables, query string, etc...

Thanks.

Swi

RE: Secure Login

Query strings ABSOLUTELY NOT.

Use cookies and session variables, and NEVER store a password in a cookie; generate a hash 'token' that lasts only for the length of the session and check that each time the user tries to access a 'secure' page.

Also, if you are using an Access database file (.mdb), do not store it in the folders of the website where it could be downloaded; put it above the document root and refer to it in your DSN or connection string using "../database_name" in a server.mappath() statement so it cannot be accessed outside of your code.



Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
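A protected-page include that implements the per-session token check Chris describes above, as an added example (it is not code from this thread or from the OP's application). It assumes a login page, called login.asp here, that stored a random token in Session("AuthToken") after a successful POST; both that name and the Session("LoginError") key are this example's own choices. Only the token lives in the session; the password itself is never kept anywhere.

```asp
<%
' auth_check.asp (added example). Put <!-- #include file="auth_check.asp" -->
' as the first line of every page that must not be shown without a login.
Response.Buffer = True

' True only when this session carries an authentication token.
' Session("AuthToken") is Empty for a fresh session, and Empty = "" is True
' in VBScript, so one comparison covers both "never set" and "cleared".
Function IsAuthenticated()
    IsAuthenticated = (Session("AuthToken") <> "")
End Function

' Called from a logout link: drops the token at once, and Session.Abandon
' discards the whole session (and its ASPSESSIONID cookie) when this
' request finishes, so the token cannot outlive the session.
Sub Logout()
    Session("AuthToken") = ""
    Session.Abandon
End Sub

If Not IsAuthenticated() Then
    ' Leave the reason in the session rather than in the URL, then send the
    ' browser back to the form. Response.Redirect ends processing here, so
    ' nothing below this include on the protected page is executed.
    Session("LoginError") = "Please log in to view that page."
    Response.Redirect "login.asp"
End If
%>
```

Because the check runs before any HTML is written (Response.Buffer keeps the redirect headers valid), a protected page never leaks even its layout to an unauthenticated visitor; the message it leaves behind is read and cleared by the login page, so a refresh of the form does not show it twice.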

RE: Secure Login

(OP)
Ok, thanks for the tips. Since a user could have cookies disabled then I guess session variables would be the safest way then?

Swi

RE: Secure Login

Sessions are actually cookies; only the 'session cookie' is ephemeral, meaning that it is expired very shortly after leaving the server, so it is not blocked by not accepting cookies.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RE: Secure Login

(OP)
Thanks.

Swi

RE: Secure Login

(OP)
Ok, got some of it working. Integrating Bootstrap into the ASP code to give it a more updated responsive look and feel.

I followed your advice to POST the login page. When I POST to the next page I authenticate against the DB and then either populate the page with data if successful and if not I redirect back to the login page.

Unfortunately, when I do so it does not show that the user had an invalid login.

Just curious as to how people normally handle this. Should I just pass something back to the login page that I can read and say "Invalid Login Credentials"?

Still a bit of work to do on the site especially with adding vulnerability code, parameterized queries, etc...

I appreciate your advice and patience.

Thanks.

Swi

RE: Secure Login

(OP)
Chris,

Do you normally POST the page to itself and verify the login or do you do what I state above and post to another page and verify there. Right now I post to another page to authenticate and if valid display the page and if not redirect to the login page with the failure reason. Thanks.

Swi
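A login page that posts to itself, as an added example bringing together the advice in this thread; it is not code from the thread or from the OP's legacy application. A GET renders the form, a POST verifies the credentials, and a failed POST re-renders the same form with the message, so nothing is passed in a query string and no redirect is needed to report the failure. The lookup uses a parameterized ADO query against Access (the OP's SQL-injection question), the database file sits above the document root and is reached through Server.MapPath (Chris's advice), a successful login stores only a random per-session token in Session("AuthToken"), and the failure message is identical whether the username is unknown or the password is wrong, so the page cannot be used to enumerate valid user names the way Chris warns an AJAX check can. Everything named here is an assumption of the example: the file users.mdb, a Users table with columns Username, Salt and PasswordHash (upper-case hex SHA-256 of Salt & password), .NET Framework installed on the server so its SHA256 class is reachable through COM, and home.asp as the page shown after login.

```asp
<%@ Language=VBScript %>
<% Option Explicit
Response.Buffer = True

' login.asp (added example, not the thread's or the OP's code). All file,
' table, column and page names below are hypothetical.
Const DB_FILE = "../data/users.mdb"   ' above the document root, so not downloadable
Const adVarWChar = 202                ' ADO constants, normally taken from adovbs.inc
Const adParamInput = 1
Const DUMMY_SALT = "0000000000000000" ' used so unknown names cost the same time

' Upper-case hex SHA-256 of a string, via the .NET classes exposed to COM.
Function Sha256Hex(text)
    Dim enc, sha, bytes, i, out
    Set enc = Server.CreateObject("System.Text.UTF8Encoding")
    Set sha = Server.CreateObject("System.Security.Cryptography.SHA256Managed")
    bytes = sha.ComputeHash_2(enc.GetBytes_4(text))
    out = ""
    For i = 1 To LenB(bytes)
        out = out & Right("0" & Hex(AscB(MidB(bytes, i, 1))), 2)
    Next
    Sha256Hex = out
End Function

' Parameterized lookup: the name is bound as a value, never concatenated into
' the SQL, so quotes in the input cannot change the statement. Returns only
' True or False; a hash is still computed for an unknown name so the response
' time does not reveal whether the user exists.
Function CheckCredentials(username, password)
    Dim conn, cmd, rs, ok
    ok = False
    Set conn = Server.CreateObject("ADODB.Connection")
    ' Server.MapPath with ".." needs "Enable Parent Paths" switched on in IIS;
    ' an absolute path in the connection string is the alternative.
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(DB_FILE)
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT Salt, PasswordHash FROM Users WHERE Username = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 100, username)
    Set rs = cmd.Execute
    If rs.EOF Then
        Call Sha256Hex(DUMMY_SALT & password)
    Else
        ok = (Sha256Hex(rs("Salt").Value & password) = UCase(rs("PasswordHash").Value))
    End If
    rs.Close
    conn.Close
    CheckCredentials = ok
End Function

Dim message, username, password, tlib
message = ""
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    username = Trim(Request.Form("username"))
    password = Request.Form("password")
    If CheckCredentials(username, password) Then
        ' Mark the session as authenticated with a random token that lives only
        ' as long as the session. The password is not stored anywhere.
        Set tlib = Server.CreateObject("Scriptlet.TypeLib")
        Session("AuthToken") = Left(tlib.GUID, 38)
        Session("AuthUser") = username
        Response.Redirect "home.asp"
    Else
        ' One message for every failure: unknown user and wrong password look alike.
        message = "Invalid login credentials."
    End If
ElseIf Session("LoginError") <> "" Then
    ' A protected page redirected here and left its reason in the session.
    message = Session("LoginError")
    Session("LoginError") = ""
End If
%>
<!DOCTYPE html>
<html><body>
<% If message <> "" Then %><p><%= Server.HTMLEncode(message) %></p><% End If %>
<form method="post" action="login.asp">
  <label>Username <input type="text" name="username" required maxlength="100"></label>
  <label>Password <input type="password" name="password" required></label>
  <button type="submit">Log in</button>
</form>
</body></html>
```

The `required` and `maxlength` attributes give the browser-side field checks Chris suggests doing with JavaScript, but the server-side CheckCredentials call is the only thing that decides the outcome. Protected pages need only test that Session("AuthToken") is non-empty; because the token is written after a successful POST and dies with the session, a user who never logged in has nothing to present, and a logout that calls Session.Abandon discards it.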
