Wrox Programmer Forums - Classic ASP Basics
(For beginner programmers starting with "classic" ASP 3, pre-".NET"; not for ASP.NET 1.0, 1.1 or 2.0.)

New posts were shut off and the site was archived into this static format as of October 1, 2020.

Posted September 9th, 2004, 11:47 PM by tdaustin
Tips on Securing a Session based Administration

Hi Everyone,

I'm after some advice on how everyone tightens up protected content (Admin / Members section) running Sessions (not Server Side Protected) and the vulnerabilities you guys know about with Sessions.

Here is my Login process (please pick holes in it!)

1. Login Page
2. Check Login Page
  - Invalid characters
(if ok then)
  - Check for valid username, password and account status on the DB
(if ok then)
  - Create a couple of obscure Sessions
  - Set timeouts
  - Redirect to main page

Then I basically use an include, e.g. ValidSession.asp or something like that, on all the pages within the secure section and have a control structure to check if these sessions exist and are not null. If they are empty I redirect to the login page.

Is this the best way of doing it?

Your advice will be much appreciated.

Thanks

Tim :)

TDA
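Putting this post's procedure into classic ASP, as an added example that is not tdaustin's code: the ValidSession.asp include each protected page pulls in, plus the tail of the login check that creates the session. The session keys, Application("ConnString"), the Users table layout, the HashPassword helper (hypothetical) and the page names are all assumptions.

```asp
<%
' ===== ValidSession.asp : #include at the top of every protected page (added example) =====
Const IDLE_LIMIT_SEC = 1200   ' assumed policy: 20 minutes idle ends the login
Const ABS_LIMIT_SEC  = 28800  ' assumed policy: 8 hours total, however active the user is

Function SessionIsValid()
    SessionIsValid = False
    If IsEmpty(Session("UserID")) Then Exit Function          ' never logged in
    If Not IsDate(Session("LastSeen")) Then Exit Function     ' half-built or tampered state
    If DateDiff("s", Session("LastSeen"), Now()) > IDLE_LIMIT_SEC Then Exit Function
    If DateDiff("s", Session("LoginTime"), Now()) > ABS_LIMIT_SEC Then Exit Function
    ' The cookie alone proves little; a browser identity that changed since login is a cheap hijack signal
    If Session("UA") <> Request.ServerVariables("HTTP_USER_AGENT") Then Exit Function
    SessionIsValid = True
End Function

If Not SessionIsValid() Then
    Session.Abandon                ' discard the whole server-side state, not just one variable
    Response.Redirect "login.asp"  ' Redirect ends the response, so the page body never runs
End If
Session("LastSeen") = Now()        ' sliding idle window
Response.AddHeader "Cache-Control", "no-store"   ' keep admin pages out of shared caches
%>
<%
' ===== checklogin.asp : tail of the "Check Login Page" step (added example) =====
Dim conn, cmd, rs, user, pwd
user = Request.Form("username") : pwd = Request.Form("password")
If Len(user) = 0 Or Len(user) > 64 Or Len(pwd) = 0 Then Response.Redirect "login.asp?err=1"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")                 ' assumed: set in global.asa
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' Parameterised: the username never becomes SQL text, so the "invalid characters" filter is a second line of defence
cmd.CommandText = "SELECT UserID, Salt, PasswordHash FROM Users WHERE Username = ? AND Status = 'active'"
cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 64, user)   ' 200 = adVarChar, 1 = adParamInput
Set rs = cmd.Execute
If rs.EOF Then
    Response.Redirect "login.asp?err=1"              ' same error for unknown user and wrong password
ElseIf HashPassword(pwd, rs("Salt")) <> rs("PasswordHash") Then    ' HashPassword: hypothetical helper
    Response.Redirect "login.asp?err=1"
End If
Session.Timeout      = 60                            ' minutes; any value above the 20-minute default is accepted
Session("UserID")    = CLng(rs("UserID"))
Session("LoginTime") = Now() : Session("LastSeen") = Now()
Session("UA")        = Request.ServerVariables("HTTP_USER_AGENT")
conn.Close
Response.Redirect "main.asp"
%>
```

Classic ASP cannot issue a fresh ASPSESSIONID after a successful login, so the absolute lifetime and the Session.Abandon on any failed check are what bound the damage from a copied cookie.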

Posted September 10th, 2004, 12:08 AM by qazi_nomi

Dear, you can do it very simply by creating a session at login time and checking that session on each page. If it is a valid login then go to that page, otherwise go to the login page for re-login, and remember that in the logoff page that session must be ended.

Numan
--------------------------------------------------
Love is the most precious thing of this world. So find and grab it!

Posted September 10th, 2004, 12:47 AM by madhukp

This is one of the most widely used methods to protect pages from anonymous access. This is sufficient for most cases and AFAIK there is no flaw in this method. The only two problems are:

1) If sessions are not enabled on the browser, this will fail.

2) Timeout is another problem. When a user needs to fill in a long form with many large texts etc., by the time they fill it in (after taking sufficient free time in between), the session might have timed out. Then they may have to enter all those details again.

The other method is to use Windows NT / 2000 based security. The admin pages all need to be put in a directory (possibly with sub-directories also). Let the directory name be "admin".

Then the server administrator needs to create a user account on the server. The folder admin, together with all its sub-directories and all files in them, should be accessible only to this user. This can be done by right-clicking the folder and selecting Properties, then opening the Security tab. Normally all server administrators will be able to do it.

Then through IIS Manager, open the property sheet for the admin folder. Click the Directory Security tab. De-select the checkbox labelled Anonymous Access. This will prevent access to the pages of this directory through the user IUSR_<computername>.

Now, there are two types of authenticated access: 1) Basic authentication, 2) Windows NT challenge/response. In the basic method, the username/password are sent through the HTTP header whenever a page is accessed. The username and password will be sent (through the HTTP header) in uuencoded form. This provides only a basic level of privacy. A hacker can decode them without much problem.

Select the Windows NT challenge/response option. In this method, the password is always sent in an encrypted fashion between client and server. The key for encryption will also change from request to request. (I am not explaining the full series of operations.)

There are 3 drawbacks to the Windows NT challenge/response method.

1) It will work only in IE 3.0 and later. To make it work in Netscape, a free piece of software known as Microsoft Authentication Proxy for Netscape Navigator needs to be downloaded from the Microsoft site and installed.

2) This method will not work through proxies. Only the basic method will work.

3) When resources (databases, images) need to be accessed through multiple servers, this method fails.

Then when a page from the admin folder is accessed for the first time, it will display a login box. The visitor needs to supply a username, password and, in some cases, a domain. You don't need to check anything for each page.

The following code gives the authentication username, password and authentication method in case you need them for some purpose.

Request.ServerVariables("AUTH_USER") - username
Request.ServerVariables("AUTH_PASSWORD") - password
Request.ServerVariables("AUTH_TYPE") - Type of authentication.

You will not get the password if the authentication type is Windows NT challenge/response.

NT based security is best for preventing direct download of some exe / PDF files which are distributed through the net.

Posted September 10th, 2004, 12:56 AM by qazi_nomi

Dear madhukp, how can we implement this type of security when we have thousands of users and the files are on our hosting server, where we do not have any access to implement these types of security?




Numan

Posted September 10th, 2004, 01:24 AM by madhukp

Hello Numan,

I am sorry. I don't know any script-based / program-based methods to do this on a remote server.

Maybe it is possible through IIS metabase administration. If anybody knows a script-based solution, please post it.

Posted September 10th, 2004, 01:42 AM by qazi_nomi

Then it means that the first method is used to protect against unauthorised access to the web pages by using sessions. Kindly tell me if you know how one can increase the time of the session?


Numan

Posted September 10th, 2004, 01:45 AM by tdaustin

Thanks guys for the replies,

I guess both sides have their downfalls. And I tend to agree that Server Side Authentication is not always practical. As you said, for strict files and that sort of thing Server Side Authentication is the safer way. However, I don't think clogging up your server with ACLs for every web application that requires some sort of authentication is the solution.

So I guess what I'm asking is: are there some tips or functions to maybe patch some of the vulnerabilities of session variables, to make it as hard as possible to hack the session to gain access to your protected pages?

Thanks

Tim :)

TDA

Posted September 10th, 2004, 05:26 AM by madhukp

Session based protection is enough for most sites. It can cater to almost all types of security requirements.

I was just pointing out some of the drawbacks of this method and also suggesting there are other methods of securing pages.

AFAIK, session timeout cannot be increased beyond 20 minutes. It gives some error like "illegal value". Maybe somebody can suggest some methods to increase session timeout beyond 20 minutes.

Posted September 10th, 2004, 06:03 AM by Vijay G

Hi madhu,
Quote:
  AFAIK, session timeout cannot be increased beyond 20 minutes. It is giving some error like illegal value. May be somebody can suggest some methods to increase session timeout beyond 20 minutes.
Actually the session times out in 20 mins, which is the default value. It can be given any higher value too. I am not sure why you were facing the problem of an illegal value. It works perfectly for any higher value than 20 mins. Check this out - Session.Timeout

Also, I am afraid Windows-based security may not work well with the internet. It is best fit for intranet web applications. Also, user management is not going to be an easy task when you have something like a user registration mechanism, for which the sysadmin has to create users for every such request, where manual intervention is a must. Within a network (intranet scenario) in a corporate setup this could be the best solution for web authentication. But I don't recommend this for internet web applications, though I'm not sure if that works well in that setup.

_________________________
- Vijay G
Strive for Perfection

Posted September 10th, 2004, 07:12 AM by madhukp

Hello Vijay,

I agree with you that Windows-based security is not a practical solution when users keep on changing. I don't recommend replacing session based protection with this method.

I was just saying there are other methods to protect web pages. I thought that is what Tim was looking for. (Maybe I was a little excited to give this method as I have successfully done a Windows-based security system for a corporate network recently.)

I will check with the session timeout and let you know.
