Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Web Site Security

Status
Not open for further replies.
ecugrad

ecugrad

MIS
Joined
Apr 17, 2001
Messages
191
Location
US
Need advice on security. I'm writing a application that will be used by 40-50 users consisting of at least 10 groups. Each group having different page access levels.

Do I use NT folder & file permissions or write something using ASP. If I need to use ASP, does anybody know a resource a beginner might be able to understand..

Thanks,Mike
 
Sort by date Sort by votes
I secure sections of a web site using sessions, the sessions are authenticated through a lookup in a database table which contains; password, userid, and which pages they can view. i.e., "Admin", "Sales", Whatever"...
This is a boleen field. If the user has permission to enter a page a session is created, i.e. Session("Admin") = "sure"

On the page you wish to secure place something like this on the first line.

<%if session(&quot;Admin&quot;) <> &quot;sure&quot; Then
response.redirect &quot;/noaccess.asp&quot;
End If%>

naturally you would want to create a noaccess.asp page to tell the creep he has no permission to view the page.

Also, make sure you protect your web site from SQL Injection where folks can malisiously enter code to bypass and mess with your data.

Hope this gets you started.

Mike Diaz...
 
Upvote 0 Downvote
Like Mdiaz states you can use Session or Cookie variables, but you do not want to rely upon those totally, becuase they are static text files being transferred on the internet. But, rather use those in conjunction with other options for passing the data, like Form Variables and Query String variables. Also, I find the best way to use a script like the one above, is to make it it’s own .asp and simply use a SSI to include it on every page, like:

<!-- #INCLUDE FILE=&quot;secure.asp&quot; -->

However, I would read up on enabling HTTP Authentication capabilities of IIS 5.0 if you are running that, but if not at least study up on Hybrid Authorization scripts in base64 encryption/ decryption, which is not the best, but better than a simple session or cookie variable. Most books have scripts pre-written for this (Wrox Press, Sam’s Teach Yourself, and of course O’Reilly).

One other thing to be wary of is placing a heavy load on your server. If your site is going to be getting more than your predicted user level, make sure the server is not checking X amount of people for x amount of pages every view.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

mbrayc
  • Locked
  • Question Question
Stuck on 1st page of Legacy ASP site on new server (User ID now blank)
Replies
6
Views
545
mbrayc
mbrayc
PaulSc
  • Locked
  • Question Question
Some help please - asp/javascript security
Replies
2
Views
322
BigRed1212
BigRed1212
yaknowss
  • Locked
  • Question Question
Insert single quotes from web form into SQL database
Replies
3
Views
302
guitarzan
guitarzan
CMcC
  • Locked
  • Question Question
Validating a form on a webpage that someone saves to their desktop
Replies
14
Views
603
CMcC
CMcC
jslmvl
  • Locked
  • Question Question
Protected content in a web page
Replies
5
Views
353
jslmvl
jslmvl

Part and Inventory Search

Sponsor

Back
Top