Peter
Fri Apr 09 12:31:54 CDT 2004
"Detournay Kerckhaert" <info@blsolutions.be> wrote in message
news:78zdc.65606$N05.4177035@phobos.telenet-ops.be...
> I'm trying to create a website login page/form that has a simple
> UserName/Password feature. The page/form checks MS SQL Database Table to
see
> if the UserName/Password exists. If it exists, it sends the user to the
page
> depending on what UserName/Password they entered. I have a 'URL' field in
> the MS SQL 'LOGIN' table to accomodate the 'redirection' info.
You might take a look at this article:
http://www.aspfaq.com/show.asp?id=2114
Though I'm going to suggest a slight deviation from this article.
> I also want
> to pass the 'UserName' and 'Password' as session variables and protect
each
> page to avoid unauthorized viewing based on 'User Level' info.
Actually, what you want to do is pass a unique user identifier, NOT the
username and password. There are a couple reasons you don't want to pass
the username and password for each page. First, I'm assuming you would do a
lookup of the user for each page, which is a relatively expensive operation
(string compares). But more importantly, many times you will use SSL to
process the username/password, keeping the data secure as it's transmitted
to the server. However, you don't want to use SSL for EVERY page that the
user connects to (at least not in most cases). But if you were going to be
passing the username and password for each page, you would need to serve
every page on an SSL connection to prevent someone from being able to see
the username and password as they were transmitted. This is inefficient,
and potentially a security hole.
SQL has a unique "autonumber" that can be assigned for each record, which
gives us a unique way of identifying each user. The problem with
autonumbers, though, is that they are incremented by 1, making them easy to
guess. So if I were user 150, then the person who was registered before me
would be user 149. If this ID were passed around, I could easily guess
other user ID's, and use this to access information for someone else. So
passing the raw autonumber value is not safe either.
The solution to this problem is to encrypt the ID value, and pass around the
encrypted value. The server would handle the decrypting of this value to
find the actual user information. For example, I would log in via a secure
page, passing my username and password. The database would find the
username and password, and return the autonumber ID value to the
application. The application would then encrypt this value and store the
encrypted value in the session variable. Then, on the secure page, the
application would get the encrypted session variable, decrypt the value at
the server, and lookup the decrypted value in the database. If it finds the
record with the decrypted ID, then I'm obviously authenticated. If not,
redirect the user to the login page.
My approach is similar to the approach listed in the ASPFAQ article above,
except instead of assuming that any value in session("login") means you have
been authenticated, this will actually verify that you have been
authenticated, and it does it securely.
You will need some method to encrypt/decrypt data on the server, preferably
a COM object (or some compiled executable) so that your
encryption/decryption scheme is not viewable. There are several options
available, for example ASPEncrypt.
Hope this helps,
Peter Foti