QueryString Security
I was wondering if anyone could help me with a querystring problem. My problem is that users are assigned certain parts of a document, therefore users can only view parts of the document that they have been assigned.
The page with the document is called document.asp and when a user is assigned part of the document they are given a link to the document.asp with the section id in the querystring.
For example a user may be only allocated section 1 of the document. The link they receive has section=1 in the querystring. When clicked the link takes them to the document.asp. The header of the document.asp contains the following: Code:
Passing QueryString URL As A Parameter In QueryString
The subject sounds confusing but here is what I want to do. I have a button on my page which says
OnClick="javascript:window.open('reportsContainer.asp?pageURL=Report1.asp?intCurrentPage=1&blnRetrieveFlag=1&Show=1','TasksRPT');"
Now on the Container.asp what I do is
if Request.QueryString("Show") = 1 then
pageURL = Request.QueryString("pageURL")
end if
And then I set the pageURL along with intCurrentPage and blnRetrieveFlag parameters to my frame src as
<frame height=500 scrolling=auto name="pageFrame" id="pageFrame" border=0 src="<%=pageURL%>">
Code:
Security
I now have a login page for user authentication. But I am kind of paranoid about security. Is it enough just to have that to secure my site? How do hackers do "sniffing"? And how to prevent that? If there is any GOOD website security tutorial, I would love to read it.
Security
IIS can handle security on its own without the need for complex scripting and I like the idea of being able to just let the system do it. However, I'm not sure how to set such things up, and would that mean that if you used something like integrated Windows authentication, security is dealt with by Windows and its users' info rather than getting the info from a database of my choosing? The whole concept is quite confusing to me but there must be a simple-ish way to set up at least some form of secure site area within my web.
Security
I am starting to learn ASP and I have IIS installed on my WIN XP Pro machine. Do I have to worry about security for any reason at all? I don't believe I have file sharing on at all, then again, I don't know if that has anything to do with this.
Security
How do I run security through all of the pages? The users log in, an asp checks their password, then what do I do to secure the pages from users that do not enter the password?
ASP Security
Developed a web application which adopts a custom security model which displays a login page and requests a username/password combination. The username works in a mixed-mode of usernames matched with the windows login name and some extra accounts (similar to SQL mixed-mode security). Web application is executed both in the corporate intranet and externally on the web. Getting user complaints about having to login to the web application when they have already logged-on to windows. I have coded a challenge/response (response.status=401) to get a user's window login through the ServerVariables. This seems to work OK for the intranet access. If the user's windows account is not located in the application database then I redirect to the standard login page for the username/password combination. When the application is executed across the internet through a firewall, the user is prompted by IE to enter the windows domain, username, and password. There seems to be no mechanism to avoid this because of the challenge/response code. I wish that with external access from the internet that users are automatically directed to the application login screen and not faced with the IE windows authentication dialog.
SECURITY And SSL!
1) How can I develop a secure website in ASP?! Do I need to use just the SESSION variables?! Such that the security relies on these variables unless no one knows which variable names I am using?! 2) What is SSL?! How can I use it in an ASP website?!
Security In ASP 3
Does anyone know how to implement one-way hashing or encryption using ASP 3.0 and no additional components? I need to secure an intranet application which is being moved online. Currently the passwords are stored in plain text; ideally I'd like to hash the passwords in the database and hash the form data when testing, but I don't seem to be able to find any hashing methods for standard ASP. Perhaps someone has a nice code snippet for hashing.
NT Security
Is there a way to login to a particular security group from ASP? I use IP addresses and email addresses to identify web users and most have general IWAM_COMPUTERNAME access. Once web users login is there a way to give SOME of them access to a NT security group based on stored NT user/password information?
Security
I am working on a new feature on my website where people can write their own HTML files. They are actually going to have .ASP extensions, and are hosted on my webserver. So, what security issues can you suggest? So far all I have got is disabling '<% %>' tags. Anything else?
Put Security
I'm developing a local intranet site. I'm just new in ASP, could anyone help me how to put security? I have username and password but I want the site not to go back on the previous pages after logging off. I'm using Macromedia Dreamweaver and VBScript, I have a database using MS Access.
Security
I am developing a project that's gonna handle some transactions too. Since this is my first commercial project I am worried about its security. So my question is "is ASP safe enough to use with something serious?" or should I use something else like PHP?
Security Of ASA File?
I'd like to start using global.asa to store things like connection strings to databases and the like. As I understand it, you have to save the file in the root of your app. My concern is that storing the location of databases within the ASA file might be a security issue. Is there any way for a user to get at the information contained in that file and, by extension, get at the databases themselves?
Cookie Security ?
I'm not really asking about "someone stole my credit card info through cookies". Here's the deal: I have 2 sites (different domain names) running from one server. One is SSL the other is not. The SSL site has a login and password, which return the user's unique id, which is stuck into a session cookie. This cookie is then checked at every page because every page is built based on the user's id. If it is not present, the user is redirected to the login page. If the id is wrong, there will be no information shown on the page. My question is this, can the other (non-SSL) web site see this cookie? The site has no asp or anything else, but if someone "broke into" the non-secure site, could they read the cookie from the other site?
Cookie Security
If I store login information in a cookie is it possible for the PC owner to modify the cookie without it making it valid? For example if in the cookie I store the current user, say "Bob" - if Bob edits his cookie by hand to say "Alan" will the server accept the cookie as valid? Or will it realise that it has been tampered with and discard it? Anyone recommend a good reference on this sort of thing?
Security Testing
My system is at testing phase. How do I test my system to check its security especially at the login page? I am running it at localhost. I have tried SQL injection but nothing happened. I just saw the invalid login username or password error only.
Web Application Security
You know when you have a browser based application (written in ASP or whatever), which uses a database, how can you ensure that the username and password of the database is secured? My ASP application has got a file containing all the information you need to connect to the SQL database. If anyone happens to get hold of that file on the Web server then he'll be able to do anything he wants. Is there a safer way to handle this?
Forms Security
Can anyone direct me to a resource/tutorial for something similar to: Toughen Forms' Security with an Image article on this site--but for ASP Classic
Security Hazard
I just finished my database. There is one problem however, I had to give write permissions to my file with the extension mdb its an access file. The thing is that now all anyone has to do is figure out the page name and their browser will begin to download my database. That is a major security hazard, what the heck do I do. Am I supposed to just hope no one ever figures out what that specific page name is ?
LOGON_USER / NT Security
I'm trying to get the NT login id of a user on a web page without making the user type it into a login box. I'm using the LOGON_USER server variable. The problem is, if the web page allows anonymous access, LOGON_USER returns nothing. If the page is set to Basic Security, the NT login popup box comes up, even though the user is already logged into the network, and HAS access to this page. Moreover, if I try this on my PC instead of our webserver, it works like I would expect. That is, when set to Basic Security, it does NOT pop up a login box if the user is allowed to view the page, and LOGON_USER returns the userid. Is there some setting on the server I need to change? Or something else?
Access / Security
I have rolled out my simple ASP site, just updates a few fields in a database. It works fine for administrators, but the local users are getting a page can't be displayed error stating the database is opened exclusively (this is not the case) or they don't have rights. The database is shared to everyone as well as the actual web server.
Directories And Security
It's funny that this has not been invented yet, or has it?: You store your DB outside your default website. It is accessed only through your ASP code and a ODBC-connection. This way your DB is not obtainable for the web user. Why doesn't Any One create a connection corresponding to ODBC, lets call it FileConnect that in the same way allows us, in a web site, to have directories and files that are really hidden?
Web Application Security
I have to allow access for administrators to sections of my website which contain sensitive data. There is a link on the homepage called "Admin Login". They are asked for a PIN number which is a random four letter four number combo and if they get that correct then have to enter their personal username and password. The text field inputs are cleaned before being used to make up dynamic SQL by replacing all apostrophes with the below function
function clean(clean_this)
clean=trim(replace(clean_this,"'","''"))
end function
Is this all safe....I am slightly uneasy about having the login on the website and it could be hidden in a special link only given to admins - but this is the same mechanism that ebay and amazon etc rely on to let people log in....
Form Security
I'm doing a simple email form, with just three fields, one each for name, email, and the message body of the email. It goes straight to CDO, and takes the user to a thank you page. What kind of damage can I expect to need to protect myself from? I mean, if there were a database involved, I'd need to protect against SQL injection, things like that. But in this case, there's no database. I plan to put a maxlength on the fields, but is there anything else I should beware of, and if so, what can be done about it?
ASP Security Files.
If in an ASP file I created several text files, they will be initially "locked" until I manually set them accessible. How can I make them accessible through the code so as not to set the security by hand?
Security Risk
Does anyone know why exactly a scheduled task, in this case an ASP script, on a shared Windows 2003 server is considered a security risk? I'm trying to find some sort of rebuttal to my ISP. To me if I can run a script anyway, then why would scheduling it make it any more harmful? As far as I know, an ASP script doesn't get processed any differently when it's scheduled? If anyone can set me straight here, whether I'm right or wrong
Security Issue
I wonder whether it is safe to store the database username and password in an ASP page. Is there any chance that a user can download the actual file?
Security Login
I've added a public domain security login page to one of my web applications. I did this because the number of users has increased to a couple of dozen, and having them all added as users on my machine was becoming cumbersome. I find this method a lot easier to manage the users. Previously I used Windows authentication. Is this the method most people use?
Asp Application Security
I'm working on an app SQL2k / ASP Classic, the quick and dirty is there is a "worklist" of items for users to fix items so that the bill can be paid, and there are also a series of reports. All items are grouped into 1 of 12 categories. Users are members of one of those 12 groups (categories). A user's worklist can be "filtered" by an admin based on location, bill amount, first letter of payee's last name etc. Individual report access is also limited based on user rights. So.. how to maintain user security. A couple of ideas.. When a user logs in.. put a bunch of stuff into session variables that I can then access as needed. Second idea is to put just the logged in userID into a session variable, and then call an SP or a function to check security as needed. Third idea is to load up an array on login, stuff it on the session, call a function on the page(s) as needed to check for appropriate rights. Last.. stuff some security info into a user specific Application var, and call that as needed.. and then kill it on logout. Thanks for reading.. any thoughts on which may work better? Or a better solution perhaps?
Dreamweaver Security
I see that Dreamweaver MX has a pre-written ASP login script that you can just drop in, as well as a drop-in for every page to ensure users are logged in before they can view the page. Can any security-types out there tell me if this is any good? We're setting up one site where the database is above root level, so I'm hoping that the DW system will provide adequate security (since its SOOO easy to use). Will it?
FileSystemObject Security
By using FileSystemObject, I want a specific user from the server to write and delete folders, and not allow the IUSER_<server> to do that. Is it possible? If yes, how I can do that?
Database Security
I'm building a webshop using ASP and Access database. I want to secure this database against stealing and people tampering with it. I've already added an SSL certificate. Now I want to secure the database. When I go to the URL the database would be at http:www.rainbow-pc-design.biz/Database/rainbow.mdb nothing shows up, even if I just type the address without the database name. Does this mean the folder is secure?? What else can I do to secure the database and how do I go about this? I've never done this before and I don't have a clue where to start or what to do.
Application Security
I have a database driven website with a backend area for content management. My admin area is secured in a very simple way: My username and password are stored in an SSInclude file. I enter my username and password in a form, and if they are correct, an ‘administrator’ session is true, giving me access to the backend pages. If the admin session is false, you are redirected to the login when you try to access any of the backend pages. With my limited knowledge, this seems quite secure. The username and password are in an asp file so they can’t be downloaded and the source can’t be viewed. I also thought this would be better than putting them in the database as someone could guess the path and download it, or try SQL injection. Limited knowledge is the key phrase though! Am I missing something important and leaving myself wide open to trouble?
Variables Security
I'd like to know how secure server variables are: for example, if I use: Request.ServerVariables("SCRIPT_NAME") Request.ServerVariables("PATH_INFO") Request.ServerVariables("URL") to get my page path, is this information secure or can it be modified by a bad user who wants to hack the web application? Request.ServerVariables("HTTP_REFERER")
Security Context
I am building an add user website. I have several ASP scripts in this website such as query for username, create user, etc. Ideally I would like to have users logon to the website, and have these scripts execute with their individual security context. Can anyone point me in the right direction, maybe some samples somewhere
Login Security
I have a system which users enter with a username & password. Now my question is: After logging on to the system, for example user opens an ASP page named: http://vkomdeneme/vestel/show.asp But he/she can also open this page before logging on just by copying and pasting the link above. This shouldn't be like this. Now how can I achieve this problem?
Activate The Security Tab
I had to move my application along with data to a new laptop with Windows XP. Here I was looking for the security tab to give permission to the folder where the database is. However, this security tab is missing. How does one activate the security tab in Windows XP?
Login Security
I'm building a site that needs login and then check that the user is logged in to visit several pages. The login-stuff is ok and I can do the check on the pages I want, but the problem is that after a user has logged out, he/she can still use the browser's "back-button" and display the contents of the previous pages, but when reloading the pages my "not logged in" message appears. Is there anything I can do to prevent the "backbutton" possibility? My logout-page has only a "session.abandon" function for the logout-procedure.
Best Security Practices
What are some best practices for classic ASP security? Can you point me to some "how-to" articles in this regard?
Form Security
I have a few forms and find that people are entering all sorts of information into them that we don't want. Is there a way to stop people from entering things like ()*&^%$#@!+_=><"':; and so on into the forms? A form example on the site is basic. Something like this. <form name="form1" method="post" action=""> <input type="text" name="textfield"> </form>
Directory Security?
I would like to use ASP in a web page to modify the "Directory Security" settings of IIS. In Directory Security under "IP Address and Domain Name Restrictions" you have the ability to add an IP address of someone to ban from the web server. Does any ASP code exist to actually add a number into that field from the ASP automatically? This would allow the perfect honeypot web page situation.
Security Issue
Is it possible to define an account in <Identity> in web.config which doesn't exist in domain? I was viewing somebody's application and I found the following line in his web.config <identity impersonate="true" userName="DOMAIN_NAME\ASP_NET_TESTER" password="TEST"/> but the problem is that I didn't find user ASP_NET_TESTER on the domain and the application is working fine. By the way, he has enabled anonymous access to his web application using a completely different account called "IUSR_DEV"
Session Security
Is it safe to store credit card information in the ASP session state to be ultimately transmitted to VeriSign? I have a set of forms that are in the format of a wizard and I need to maintain the information through the pages. I know cookies are potentially unsafe, and I don't want to be responsible for credit card information being stored in my databases. I would use this type of method. I have a VeriSign SSL certificate. <% Session("CCNumber") = Request.Form("CCNumber") %>
Security And User Authentication
How to create a user security and authentication. I mean in a form of logging in or registration automatically in to a database in Access.
ASP Security Login Using Cookies ...
My login_process.asp ...
<%
Dim L_ID, L_Pass, conn, rs
L_ID = Request.Form("member_id")
L_Pass = Request.Form("member_pass")
set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open(Server.Mappath("Registration.mdb"))
set rs=Server.CreateObject("ADODB.Recordset")
rs.open "SELECT * from registration WHERE mem_id='"& L_ID & "' AND mem_pass='" & L_Pass & "'", conn
if rs.EOF then
Response.Cookies("LoginError")= "Wrong Member ID or Password"
Response.Redirect("Login_Fail.asp")
else
Response.Cookies("login") = Request.Form("L_ID")
Response.Redirect("Login_Success.asp")
end if
conn.Close
%>
I place this at the top of every page so that only those logged in can view the page ...
<%
if Request.Cookies("mem_id") <> "TRUE" then
Response.Redirect ("Default.asp")
end if
%>
CONCLUSION : IT'S NOT WORKING ...
ASP - Basic Security For Back-end...?
I have an ASP site. Very basic, few pages, 2 includes. There is no user input from the site, no fields they can insert SQL statements. I also have a login where the Admin can add/edit/remove news items, which are stored in a DB. What are the security issues linked with these? My login isn't querying the database, but should I use the sha() function to encrypt the pass? Although it's just 1 user adding to the system, should I "clean" up the input (add news/edit news) before it's stored in the Access DB? Should I restrict IPs solely to those within the building they use?
ClickBank Security Script
I have been trying to crack my head with this for sometime. Is there a way to make an ASP equivalent of this PHP/Perl function? It is a clickbank security script to verify purchases that uses SHA1. Code:
Flat File Security
I would like to use flat file data storage instead of database. Since I am new to it, I am wondering: What text file extension is a safe one to store my data online and how cost- and time-effective is this method (flat file data storage).
Security Using A Random Picture
I'd like to know how it is possible to create (in ASP) a random picture which will contain figures and letters. I want to use it when a client confirms his inscription on my site (just like when one signs in to Yahoo Mail.)