asp_databases thread: security
Message #1 by Pappas Nikos <pappas@c...> on Mon, 10 Dec 2001 09:41:08 +0200
Hi all
Please take the time to give your opinion and advice.
I have a database outside the root folder (Access 2000).
With simple code, like every page having an include file that
checks the session to see if the visitor is authorized or not,
what level of security do I have?
What do you think is best:
using this kind of security or a dll that verifies against a database?
Thank you for your time and the help you always provide
Best regards
Nikos
Message #2 by David Cameron <dcameron@i...> on Tue, 11 Dec 2001 09:02:36 +1100
The only advantage a dll is going to give you is speed (possibly, depending
on the amount of checking you have to do) and hiding the source code. If
you are worried about people viewing your source code then use a dll.
regards
David Cameron
nOw.b2b
dcameron@i...
Message #3 by Pappas Nikos <pappas@c...> on Tue, 11 Dec 2001 02:36:26 +0200
Dear David
Thank you for your comments
I am not worried about my code (nothing special).
I want to protect the database and to avoid access to
the info in it by unauthorized persons.
That's all.
If the client will pay for a SQL Server database then I would prefer that to Access.
Thank you again for this and the great help you provide in this place generally.
Any advice or direction is very welcome.
Best regards
Nikos Pappas
Message #4 by "Reynolds, Josh" <Josh.Reynolds@E...> on Tue, 11 Dec 2001 13:27:18 -0500
Actually, I think a dll would be much more secure. Correct me if I'm
wrong, but I don't think there's a simple ASP way to authenticate
someone to the system. Our situation is similar: we have an ASP page
where people enter their username and password. This gets verified
against a table in SQL server, and shows them a page saying 'invalid
login' or whatever if they don't pass. If they do pass, they're shown a
'staff only' type of page, with links to other ASP pages (all of which
check the session variable indicating if they can access those pages)
and some pdf and doc files. The problem is that Windows still considers
them to be the anonymous web user. If I set the file permissions on the
pdf and doc files to disallow the anonymous web user to access them,
then their browser would ask them to authenticate to Windows if
they tried to click on one of them. But if the anonymous web user has
access to them, then anyone who knew the filename and the directory they
were in could access them directly...the only thing checking for the
session variable at the top of the script does is hide the links to
those files.
What I wanted to do was use ASP to get their username and password,
verify it against our SQL table, and log them in as a system account
that does have access to those files. That way we'd only need one
system account for like hundreds of different people. I quickly
discovered this wasn't possible with ASP...there may be a perl module
out there that could accomplish it, but I'm not sure. And there are
several commercial products that allow you to authenticate to the system
against custom databases and such, but of course they cost money. I'm
still trying to learn enough about ISAPI dlls to write my own
authentication filter, but I've been too busy with other things to mess
with it lately. I have some C source code for a filter that does just
what I need it to, but I'd need to modify it to work the way I need it
to, talk to our database and such...if anyone wants it I'd be happy to
send it.
Josh
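
One way to close the gap Josh describes without impersonating a Windows account, as an added example that is not code from the thread: keep the pdf and doc files outside the web root and hand them out through an ASP page that repeats the session check. `Session("IsStaff")`, the `f` query parameter and `D:\protected_docs\` are assumed names; the anonymous web user needs NTFS read access to that folder, which IIS itself does not serve.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Assumed names: Session("IsStaff") is set to True by the login page after
' the SQL check; D:\protected_docs\ is a folder outside the web root.
Const DOC_ROOT = "D:\protected_docs\"
Const adTypeBinary = 1
Dim fileName, fso, fullPath, contentType, stream

' 1. The same session gate the ASP pages use, now enforced on the file itself.
If Session("IsStaff") <> True Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' 2. Accept a bare file name only, so the request cannot leave DOC_ROOT.
fileName = Trim(Request.QueryString("f"))
If fileName = "" Or InStr(fileName, "\") > 0 Or InStr(fileName, "/") > 0 _
   Or InStr(fileName, "..") > 0 Or InStr(fileName, ":") > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. Allow only the document types the staff page links to.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Select Case LCase(fso.GetExtensionName(fileName))
    Case "pdf": contentType = "application/pdf"
    Case "doc": contentType = "application/msword"
    Case Else
        Response.Status = "403 Forbidden"
        Response.End
End Select

fullPath = DOC_ROOT & fileName
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Stream the bytes from ASP; IIS never serves the file by its own URL.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.ContentType = contentType
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.BinaryWrite stream.Read
stream.Close
%>
```

The staff page then links to this script with the file name as `f` instead of linking to the documents directly, so knowing a file name is no longer enough to fetch it.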
Message #5 by Nikos <pappas@c...> on Wed, 12 Dec 2001 11:23:58 +0200
Dear Josh
I got the code as well but didn't look at it yet.
Many thanks for your help.
I agree with your comments.
I said that I am not an experienced programmer, but
with my limited knowledge it looks to me like a dll would be more advantageous
in some ways,
and I agree also that we have to find some more time to play with ISAPI
using a good book on the side.
HAPPY Christmas and new year everybody
Best wishes and see you next year as I am going for holidays now.
Regards
Nikos