This is a discussion on "login security check" within the Classic ASP section. This forum and the thread "login security check" are both part of the Program Your Website category.
login security check
#1
Ok.... As a banner it fails in one important respect: It isn't a specific banner size. Most banners are 468x60 or thereabouts. This is a monster at 731x164...
Why ALL that black? There's about 20 pixels at the top you don't need and it's all wasted space. It is easy to read, but it doesn't grab my attention and it looks dull. There's what... turquoise, white and black. More importantly... What the hell is HDH? Harddriveheroes? Forums, ladders, downloads, news, reviews, chat... About what?! Is it counterstrike? What game? I can't tell.
#2
You may want to take a look at my dead site's banner:
http://www31.brinkster.com/gwxthebest/
Yours is ok, I think.... to me...
#3
Well.. it is going to be the home to like 20-30 games so far. We are going to have tons of competitions for each game with prizes for the winning team/person. So far we have Tribes 1, Tribes 2, all the Star Wars, Battlefield, Counterstrike, Halo, and some others I haven't heard of before..
#4
login security check
I've created a login script that takes you to an admin page. However, if somebody goes directly to the admin page they can get access without having to login.
I'm sure there is a simple solution for this but I can't seem to find any example login scripts that address this particular problem. Any help on this would be much appreciated. Ta
#5
The normal way to combat this is to create an include file which you include in all the pages which need to be password protected.
The code for this would look something like this:
Hope that helps
#6
Yup, cookies and sessions are the way to go with that.
#7
As session variables are stored in cookies.... would it not be very easy for someone who knew what they were doing to 'fake' a valid login by just simply messing with the cookie?
I would always store user / pass in an encrypted form in either session, or cookies and check user / pass from that location on each page. Anything else, is just open to abuse. I stress though, you should encrypt the session / cookie data. That'll be 12 cans of Grolsch for me please!! :wink:
__________________
Click the 'Thanks!' button if this post has helped you Rob - Webforumz Founder
Last Blog Entry: Creative Labs threaten developer over home made drivers.... (Apr 1st, 2008)
#8
Ah sessions - yes that does make everything easier. I understand the code you've written but what will the code for the following look like?
quote:
> ...of course when the user logs in you need to create a session called "Authenticated" and set it to True.
#9
quote: Originally posted by Rob
> As session variables are stored in cookies.... would it not be very easy for someone who knew what they were doing to 'fake' a valid login by just simply messing with the cookie? I would always store user / pass in an encrypted form in either session, or cookies and check user / pass from that location on each page. Anything else, is just open to abuse. I stress though, you should encrypt the session / cookie data. That'll be 12 cans of Grolsch for me please!! :wink:

Yep, will look into this when I get me head around the whole 'Sessions' thing...only 12 cans? Shame on you
#10
Rob, Sessions aren't actually stored in physical cookies tho are they? An ASPSESSIONID is created anyway for each user, this is an encrypted string (I think) which you would have to hijack in order to steal a session from someone.
Also, whilst modifying the contents of a cookie is easy, stealing a cookie from someone isn't easy, is it? I agree that the contents of a persistent cookie should be encrypted.
#11
quote: Originally posted by Lizard-
> Ah sessions - yes that does make everything easier. I understand the code you've written but what will the code for the following look like?

Before you redirect the user, once you have authenticated them, add this line:
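The code from posts #5 and #11 did not survive on this page, so here is an added sketch (not the posters' own code) of the pattern they describe: an include file that tests Session("Authenticated") on every protected page, and the login step that sets it. The file names checkauth.asp, login.asp, admin.asp and logout.asp and the function CredentialsAreValid are assumptions; the function stands for the credential check the existing login script already performs.

```asp
<%
' ===== checkauth.asp (hypothetical name) =====
' Make this the first line of every protected page, before any HTML:
'   <!--#include file="checkauth.asp"-->
' The flag is held in server-side session state. The browser only carries
' the ASPSESSIONID cookie, so editing a cookie cannot set the flag directly.

' Keep browsers and proxies from serving a cached copy after logout.
Response.Expires = -1
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

' An unset session value is Empty, which is not True, so a visitor who
' requests the page directly is sent to the login form.
If Session("Authenticated") <> True Then
    Response.Redirect "login.asp"
End If
%>

<%
' ===== login.asp: the part that handles the posted form =====
' CredentialsAreValid is a hypothetical function: it stands for the
' name/password check your existing login script already does.
Dim userName, password
userName = Trim(Request.Form("username"))
password = Request.Form("password")

If userName <> "" Then
    If CredentialsAreValid(userName, password) Then
        Session("Authenticated") = True   ' the flag checkauth.asp tests
        Session("UserName") = userName
        Response.Redirect "admin.asp"
    Else
        Session("Authenticated") = False
    End If
End If
%>

<%
' ===== logout.asp =====
Session.Abandon                 ' discard the server-side session
Response.Redirect "login.asp"
%>
```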
#12
It works! Great! Thanks very much. Is session a VBScript built in variable then? Unique for each user?
#13
yes it is!
#14
As far as sessions go.... yes they are a *little* more secure than cookies..... but whichever method you use, I would check encrypted user / pass on each secured page.
Also, for pages where you can change credentials, or affect critical data, then you should re-gather username and password from the user...... this stops the case where they've walked away from the PC leaving it logged in.... only for someone else to come along and start playing. Even though you are logged into webforumz.com, if you want to delete your post, or change your profile, you are asked for your login credentials again.... this is just standard security. Webforumz.com stores encrypted username / password hash in cookies, and these are cross-checked against the database on EVERY page.... this really is just a standard procedure when you are not dealing with NT logins and using anonymous web access.
__________________
Click the 'Thanks!' button if this post has helped you Rob - Webforumz Founder
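An added sketch (not code from this thread) of the re-prompt described in post #14: pages that change credentials or critical data ask for the password again unless it was confirmed a few minutes ago. The file names requirefresh.asp and confirm.asp, the five-minute window, the session keys and the function CredentialsAreValid are assumptions; it also assumes the login script stored the account name in Session("UserName").

```asp
<%
' ===== requirefresh.asp (hypothetical name) =====
' Include on pages that change credentials or critical data, after the
' normal login check has already run.
Const REAUTH_MINUTES = 5   ' assumed window; choose what suits the site

Function PasswordRecentlyConfirmed()
    PasswordRecentlyConfirmed = False
    ' Session("ConfirmedAt") is Empty until confirm.asp sets it.
    If IsDate(Session("ConfirmedAt")) Then
        If DateDiff("n", Session("ConfirmedAt"), Now()) < REAUTH_MINUTES Then
            PasswordRecentlyConfirmed = True
        End If
    End If
End Function

If Not PasswordRecentlyConfirmed() Then
    ' Remember the page being requested. The value comes from the server,
    ' not from the query string, so the later redirect stays on this site.
    Session("ReturnTo") = Request.ServerVariables("SCRIPT_NAME")
    Response.Redirect "confirm.asp"
End If
%>

<%
' ===== confirm.asp: handles the re-entered password =====
' CredentialsAreValid is a hypothetical function standing for the same
' check the login script performs.
Dim target
If Request.Form("password") <> "" Then
    If CredentialsAreValid(Session("UserName"), Request.Form("password")) Then
        Session("ConfirmedAt") = Now()
        target = Session("ReturnTo")
        If target = "" Then target = "admin.asp"
        Response.Redirect target
    End If
End If
%>
```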