IIS Server Security - Secure website (cookie/session)


IkBenHet

2005-06-03, 7:49 am

Hello,

First of all, I am aware that there is already a lot of information
about this subject on this and other resources. Probably the question I
am going to ask has already been asked. But in the information I can
find, I am losing track of what is useful for me. So, sorry for maybe
asking a question that has already been posted.

I want to do something very simple: secure a part of my website. The
site is mainly ASP based. The webserver is IIS6 and I do NOT have
access to server settings (session timeout, security, ...).

I use sessions to secure it.
Basically you are redirected to a form where you can give a username
and password; this is validated against the values in a database. If the
password and username are OK a session value is set:
<% Session("Validated") = True %>

At the beginning of each secure page I start with:
<%
If Session("Validated") = False Then
    Response.Redirect "Login.asp"
End If
%>

So if the session value 'Validated' is true you can see the secured
pages, else you are redirected to the logon page.

The default timeout value for a session is 20 minutes. Because the
session should stay alive during the complete time of the visit I was
thinking of putting Session.Timeout to 60 minutes. I set this at the
beginning of every secure page: <% Session.Timeout = 60 %>

Users keep on contacting me saying that they have to RE-logon quite
often. This also seems to happen when a user has not even been on the
website for 20 minutes yet. I tested it myself and have the feeling that
I am indeed regularly redirected. Sometimes after 10 minutes, other
times 30 minutes, ... There seems not to be any logic in the time after
which users are redirected to the logon page.

Because the website is used to fill in a lot of HTML forms, it is very
frustrating for the users when they are completing a form and then, on
pressing "Submit", are redirected to the logon page and lose all
entered data.

I was thinking of changing from a session based to a cookie based
system. So instead of setting the session variable 'Validated' to true,
writing a cookie. (Maybe with the values
Response.Cookies("Validated").Domain and .Path to make it more secure.)

Now I face the problem that I can only set the expiration time for the
cookie to Date+1. This actually means that if a user other than the
validated user is browsing the same website, he/she is able to access
the secured website, and this for the rest of that day. A possible
solution could be setting no expiration date, but then you are again
using sessions (or am I wrong in this?), which was the main reason to
use cookies instead of sessions.

Basically I want to secure a website using ASP (because I am not able
to change security settings on the webserver of my ISP).
The user must logon EVERY TIME he STARTS using the secure website and
this process should end when he closes his browser (so no user
other than the validated one can abuse his credentials). I already
built in a "Logoff" that removes the cookie, but nobody seems to be
using it. The users may NEVER be redirected when submitting data, so we
do not lose time re-submitting it because the user was redirected to the
logon screen.

I am open to all suggestions, please help! In the future there will
also be money transactions going over this website, so it has to be
secure! I will use HTTPS.

Thanks for your help!

Jeff Cochran

2005-06-03, 7:49 am

On 3 Jun 2005 02:17:45 -0700, "IkBenHet" <ikbenhet79@hotmail.com>
wrote:

>The default timeout value for session is 20 minutes. Because the
>session should stay alive during the complete time of the visit I was
>thinking of putting the session.timeout to 60 minutes. I set this at the
>beginning of every secure page: <%Session.timeout=60%>


You want to change this on the server.

>Basically I want to secure a website using ASP (because I am not able
>to change security settings on the webserver of my ISP).


>I am open for all suggestions, please help! In the future there are
>also money transactions going over this website, so it has to be
>secure! I will use HTTPS.


You may need a different host then, one that allows you the control
you're looking for. While it's hard for me to see that a secure
session must last more than 20 minutes, you can change the session
timeout on the server to handle this. Cookies make poor security
options since they are client side and can be spoofed.

One option is to secure only those areas that need security, such as
the transaction pages. You may also want to think about having
financial transactions handed off to a processing site.

Jeff
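
The two posts above describe a "Validated" flag kept either in the IIS session (which the ISP's 20-minute timeout keeps killing) or in a cookie (which, as Jeff notes, the client can simply forge). The usual way out when you own only the ASP code is to let the browser hold nothing but an opaque random token and keep the real state in your own database: the token cannot be guessed, the idle limit is whatever you choose, and the login also survives the worker-process recycles that wipe in-process ASP session state. The classic ASP include below is an added example for this thread, not code from any poster. It assumes a SQL Server reachable through the CONN_STRING constant and a table WebSessions (Token CHAR(64) PRIMARY KEY, Username VARCHAR(64), LastSeen DATETIME); both are assumptions, as are the file and cookie names.

```vbscript
<%
' auth_include.asp: added example for this thread, not code from any poster.
' The browser holds only an opaque random token; whether it is valid, and for how long,
' is decided by a database row. Nothing depends on the IIS session timeout.
' Assumptions (not from the thread): SQL Server reachable through CONN_STRING and a table
'   WebSessions (Token CHAR(64) PRIMARY KEY, Username VARCHAR(64), LastSeen DATETIME)
Const CONN_STRING  = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=MySite;Integrated Security=SSPI"
Const COOKIE_NAME  = "AuthToken"
Const COOKIE_PATH  = "/secure/"   ' only pages under this path ever receive the cookie
Const IDLE_MINUTES = 60           ' sliding idle limit, enforced by the database, not by IIS
Const adVarChar = 200             ' ADO constants, normally taken from adovbs.inc
Const adParamInput = 1

Function OpenDb()
    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STRING
    Set OpenDb = conn
End Function

' The cookie value is attacker-controlled, so it is always bound as a parameter,
' never concatenated into the SQL text.
Function TokenCommand(conn, sql, token)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = sql
    cmd.Parameters.Append cmd.CreateParameter("tok", adVarChar, adParamInput, 64, token)
    Set TokenCommand = cmd
End Function

' Call from Login.asp once the username/password check against the database has passed.
Sub StartAuthSession(username)
    Dim conn, rs, cmd, token
    Set conn = OpenDb()
    ' VBScript's Rnd() is not a cryptographic generator, so the token is produced by the
    ' database: two v4 GUIDs give 64 hex characters with roughly 244 random bits.
    Set rs = conn.Execute("SELECT REPLACE(CAST(NEWID() AS CHAR(36)), '-', '') + " & _
                          "REPLACE(CAST(NEWID() AS CHAR(36)), '-', '') AS T")
    token = rs("T")
    rs.Close
    Set cmd = TokenCommand(conn, "INSERT INTO WebSessions (Token, Username, LastSeen) VALUES (?, ?, GETDATE())", token)
    cmd.Parameters.Append cmd.CreateParameter("usr", adVarChar, adParamInput, 64, username)
    cmd.Execute
    conn.Close
    ' No Expires attribute: the browser drops the cookie when it is closed, which is the
    ' "log on every time you start" requirement. secure keeps it on HTTPS, HttpOnly keeps it
    ' away from script; Response.Cookies has no HttpOnly property, hence the raw header.
    Response.AddHeader "Set-Cookie", COOKIE_NAME & "=" & token & "; path=" & COOKIE_PATH & "; secure; HttpOnly"
End Sub

' Returns the user name behind the cookie, or "" when the token is missing, unknown, deleted
' by Logoff, or idle longer than IDLE_MINUTES. Every successful check refreshes LastSeen,
' so a user who keeps working is never sent back to the login page.
Function ValidatedUser()
    Dim token, conn, cmd, rs, affected
    ValidatedUser = ""
    token = Request.Cookies(COOKIE_NAME)
    If Len(token) <> 64 Then Exit Function
    Set conn = OpenDb()
    Set cmd = TokenCommand(conn, "UPDATE WebSessions SET LastSeen = GETDATE() WHERE Token = ? " & _
                                 "AND LastSeen > DATEADD(minute, -" & IDLE_MINUTES & ", GETDATE())", token)
    cmd.Execute affected                 ' 1 row touched = live token, 0 = expired or unknown
    If affected = 1 Then
        Set cmd = TokenCommand(conn, "SELECT Username FROM WebSessions WHERE Token = ?", token)
        Set rs = cmd.Execute
        ValidatedUser = rs("Username")
        rs.Close
    End If
    conn.Close
End Function

' First statement of every protected page. CurrentUser is then available to the page.
Dim CurrentUser
Sub RequireLogin()
    CurrentUser = ValidatedUser()
    If CurrentUser = "" Then Response.Redirect "Login.asp"
End Sub

' Logoff.asp: the server-side row is deleted, so the cookie value becomes worthless even
' if a copy of it is still around somewhere.
Sub EndAuthSession()
    Dim conn, cmd, token
    token = Request.Cookies(COOKIE_NAME)
    If Len(token) = 64 Then
        Set conn = OpenDb()
        Set cmd = TokenCommand(conn, "DELETE FROM WebSessions WHERE Token = ?", token)
        cmd.Execute
        conn.Close
    End If
    Response.AddHeader "Set-Cookie", COOKIE_NAME & "=; path=" & COOKIE_PATH & "; expires=Thu, 01 Jan 1970 00:00:00 GMT"
End Sub
%>
```

Login.asp calls StartAuthSession(username) after its own password check and then redirects; every protected page includes the file and calls RequireLogin before any output; Logoff.asp calls EndAuthSession. The LastSeen update is the explicit equivalent of the timer reset that classic ASP performs on every request that touches the session, except that here nothing but your own code and database decide when a login ends. Expired rows should be purged now and then (a scheduled DELETE on LastSeen is enough), and the whole scheme only holds under HTTPS, since the token travels in the clear otherwise.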

Ik Ben Het

2005-06-03, 6:01 pm

Hello,

I have no access to the server, as I stated in my first post. This means
that I cannot change session values on the server itself, and the ISP is
not willing to do it.

Applying security only on the transaction pages would result in the same
timeout behavior. As soon as data needs to be processed, the user needs
to be validated first, and at that point the form values are cleared.

The only solution I can think of is passing the POST information to the
logon page and then redirecting after validation back to the transaction
page.

Is there somebody who can give me more info on the strange session
behavior? For me it is not normal that a session times out in that
illogical way.

Thanks



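The post above proposes passing the POST data to the logon page and returning to the transaction page after validation; the first post's complaint about users losing a whole form on "Submit" is the same problem. A redirect cannot do it, because Response.Redirect turns the request into a GET and the body is gone, so the data has to travel by a form instead. The classic ASP helpers below are an added example for this thread, not code from any poster. They assume a function IsValidated() that performs whatever login check the site uses, a Login.asp whose own inputs are named Username and Password, and a page Default.asp as the fallback target; all of those names are assumptions.

```vbscript
<%
' relogin_post.asp: added example for this thread, not code from any poster.
' When the login check fails on a form submit, the protected page hands the pending POST to
' Login.asp as hidden fields, Login.asp carries them through its own form, and after a
' successful login they are replayed to the page the user was on. Nothing is stored on the
' server; the data rides along in the user's own browser.
' Assumptions (not from the thread): a function IsValidated() that does whatever check the
' site uses, and a Login.asp whose own inputs are named Username and Password.
Const PENDING_PREFIX = "pp_"      ' keeps replayed fields apart from Login.asp's own fields
Const MAX_PENDING_BYTES = 65536   ' refuse to bounce very large posts around

' Server.HTMLEncode on both name and value is what stops a crafted field value from
' breaking out of the attribute and turning the replay page into reflected XSS.
Sub EmitHidden(name, value)
    Response.Write "<input type=""hidden"" name=""" & Server.HTMLEncode(name) & _
                   """ value=""" & Server.HTMLEncode(value) & """>" & vbCrLf
End Sub

' Writes the pending fields of the current request as hidden inputs. mode is
'   "add"   on the protected page: prefix every submitted field
'   "keep"  in Login.asp's form: pass prefixed fields through unchanged
'   "strip" after login: restore the original names for the replay
Sub WritePendingFields(mode)
    Dim key, i, name
    For Each key In Request.Form
        name = ""
        If mode = "add" Then
            name = PENDING_PREFIX & key
        ElseIf Left(key, Len(PENDING_PREFIX)) = PENDING_PREFIX Then
            If mode = "keep" Then name = key Else name = Mid(key, Len(PENDING_PREFIX) + 1)
        End If
        ' Credentials and the return target are handled separately, never copied blindly.
        If LCase(key) = "username" Or LCase(key) = "password" Or key = "ReturnUrl" Then name = ""
        If name <> "" Then
            For i = 1 To Request.Form(key).Count   ' multi-valued fields such as checkbox groups
                EmitHidden name, Request.Form(key)(i)
            Next
        End If
    Next
End Sub

Function HasPendingFields()
    Dim key
    HasPendingFields = False
    For Each key In Request.Form
        If Left(key, Len(PENDING_PREFIX)) = PENDING_PREFIX Then HasPendingFields = True
    Next
End Function

' Only a same-site absolute path is accepted as a return target, so Login.asp cannot be
' used to send users to another host after they log in.
Function SafeReturnUrl(url)
    Dim s
    s = "" & url
    SafeReturnUrl = "Default.asp"
    If Left(s, 1) = "/" And Left(s, 2) <> "//" And Left(s, 2) <> "/\" Then
        If InStr(s, vbCr) = 0 And InStr(s, vbLf) = 0 Then SafeReturnUrl = s
    End If
End Function

' Protected page, before any output. A redirect would turn the POST into a GET and lose the
' body, so on a failed check the data is handed to Login.asp by a form instead.
Sub RequireLoginKeepingPost()
    If IsValidated() Then Exit Sub
    If Request.ServerVariables("REQUEST_METHOD") <> "POST" Or Request.TotalBytes > MAX_PENDING_BYTES Then
        Response.Redirect "Login.asp?ReturnUrl=" & Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
    End If
    Response.Write "<p>Your login has expired. Log in again and the data you entered will be submitted.</p>" & vbCrLf
    Response.Write "<form method=""post"" action=""Login.asp"">" & vbCrLf
    EmitHidden "ReturnUrl", Request.ServerVariables("SCRIPT_NAME")   ' server-supplied, not user input
    WritePendingFields "add"
    Response.Write "<input type=""submit"" value=""Continue to login""></form>"
    Response.End
End Sub

' Login.asp, when it shows its form: the return target and pending fields travel with it.
Sub WriteLoginForm()
    Response.Write "<form method=""post"" action=""Login.asp"">" & vbCrLf
    EmitHidden "ReturnUrl", SafeReturnUrl(Request("ReturnUrl"))
    WritePendingFields "keep"
    Response.Write "Username: <input name=""Username""> Password: <input type=""password"" name=""Password"">"
    Response.Write "<input type=""submit"" value=""Log in""></form>" & vbCrLf
End Sub

' Login.asp, after the credentials checked out: replay the pending POST or just go back.
Sub FinishLogin()
    Dim target
    target = SafeReturnUrl(Request("ReturnUrl"))
    If Not HasPendingFields() Then Response.Redirect target
    Response.Write "<form id=""replay"" method=""post"" action=""" & Server.HTMLEncode(target) & """>" & vbCrLf
    WritePendingFields "strip"
    Response.Write "<noscript><input type=""submit"" value=""Continue""></noscript></form>" & vbCrLf
    Response.Write "<script>document.getElementById('replay').submit();</script>"
    Response.End
End Sub
%>
```

A protected page calls RequireLoginKeepingPost as its first statement; Login.asp calls WriteLoginForm to render its form and FinishLogin once the password check has passed. The encoding in EmitHidden and the path check in SafeReturnUrl are the two places where user-controlled data is reflected or used as a target, so those are the lines to keep when adapting this. The replayed request is still an ordinary cross-site-submittable POST, so whatever CSRF protection the transaction page has must apply to it exactly as to a direct submission.
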
IkBenHet

2005-06-04, 7:47 am

Hello,

How can you reset the timeout counter on a session in ASP? What I was
thinking was that I am maybe doing it wrong.

Now the session variable that lets a user have access to the site is set
once at logon time:
<% Session("Validated") = True %>
Then it is checked on every page that the user opens:
<%
If Session("Validated") = False Then
    Response.Redirect "Login.asp"
End If
%>

Would it be a good idea to re-set the variable every time a user
accesses a page? Like:
<%
If Session("Validated") = False Then
    Response.Redirect "Login.asp"
Else
    Session("Validated") = True
End If
%>
Would this reset the timer that times out the session? Or do I have to
add something like <% Session.Abandon %> before setting the variable
again?

What would this do to the server performance?
Is this a good way of working with sessions?

Thanks
