10 Replies - 3216 Views - Last Post: 09 February 2002 - 02:31 PM

#1 klewlis
Security questions

Posted 08 February 2002 - 06:52 PM

hey all, I just want to brainstorm about something, and maybe some of you will have some tips.

I have a site that requires user registration, built in ASP. It's not on a secure server or anything; the information kept there is not anything special, just names and email addresses of students so that they can log in.

A lot of the students are using public computers to access this site. I have it set up so that the pages do not cache, so that if the session is logged out, you can't just go back into the pages under someone else's name. However, I just discovered tonight (and I don't know why this didn't occur to me before) that if you go all the way back to the login page and hit refresh, it resends the login information and you're in the account of whoever was there before you.

What can I do about this? Is there a way to prevent it from resending that password? I had assumed that a password field would not be able to resend anyway, without retyping it, but apparently I'm wrong.

Ideas?



Replies To: Security questions

#2 klewlis

Re: Security questions

Posted 08 February 2002 - 06:55 PM

I should add that closing the browser is not an option. The IS guys have the public computers set up so that you can't do ANYTHING. Right-click is disabled, regular browser buttons are gone (only the ones they want you to have are there; I had to refresh by hitting F5 because there wasn't a button for it), etc. I hit Alt-F4 but apparently that's disabled too. I'm going to talk to the IS guys about this and see if they can change that, because my problem would be solved if people could/would close the browser when they're finished with it...

#3 Resonance

Re: Security questions

Posted 08 February 2002 - 07:24 PM

That's not a problem. Just a few questions... how are you maintaining the user's current session? Cookies? Session variables? What? Each has its own technique.

#4 klewlis

Re: Security questions

Posted 08 February 2002 - 07:26 PM

I'm using session variables.

If login is true, it displays the page. If login is false, it displays a login box.

I think I could fix it by redirecting to the homepage instead of providing a login on every page. What do you think?


#5 skyhawk133

Re: Security questions

Posted 08 February 2002 - 08:29 PM

Sessions are awesome, they are totally the way to go when doing anything login related... cookies are just so insecure nowadays.

#6 Resonance

Re: Security questions

Posted 08 February 2002 - 09:13 PM

Don't let something like that stand in your way bud. Make sure you're expiring the session using Abandon. To be extra sure, you might want to not cache each page. To be certain, you might want to make this an include on the pages you don't want cached:

<%
'nocache.asp include file
'==================================
'Attempts to turn off cache
'==================================
Response.Buffer = TRUE
Response.ExpiresAbsolute = Now() - 1
Response.Expires = -999
Response.CacheControl = "no-cache"
%>

in simple logouts, when using session variables, I have that include file, along with Session.Abandon.

Be aware of session variables when you make complex apps. They are not always the best way to go; for more info on why session variables are evil, check out:

http://www.4guysfrom...nced/faq4.shtml

Cheers


#7 skyhawk133

Re: Security questions

Posted 08 February 2002 - 09:19 PM

Resonance, thanks for helping! Great to see people around here contributing more and more lately!

#8 Resonance

Re: Security questions

Posted 08 February 2002 - 09:36 PM

Hey, no problem. I just found this site recently. Has a lot of my interests, including web dev/design. Keep up the good work.

Cheers


#9 klewlis

Re: Security questions

Posted 09 February 2002 - 12:41 PM

Quote: from Resonance on 10:13 pm on Feb. 8, 2002

Thanks. As I stated above, I'm not caching any of the pages at all. And yes, I am using Abandon on the log out. Those don't help because, as I said, the person can just go all the way back to the login page and refresh, and it resends the information and logs them in again.

I'm going to have to use the redirect method, I think.


#10 Resonance

Re: Security questions

Posted 09 February 2002 - 01:38 PM

That's weird. I include that code because sometimes Response.Expires = -999 doesn't always work. I always do what you're trying to do, but I've never had a problem. #### security restrictions. =) Good luck solving it.

Cheers


#11 klewlis

Re: Security questions

Posted 09 February 2002 - 02:31 PM

So I tried the redirect and it still didn't help, so I did this:

I added a one minute time limit to the form (through a hidden field). So if you try to resubmit the form after a minute, it doesn't work, and redirects you to the home page. Also, if you try to get into any restricted page without being logged in, it redirects to the home page. So the only page from which you can log in is the home page, which refreshes every 60 seconds (so that the form will always work from the home page, but not from any other page).

It's not perfect, but I think it's the best/only way considering my restrictions... :P

Thanks for the ideas.

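A server-side way to make the re-sent login POST fail regardless of what the kiosk browser allows, as an added example that is not code from this thread (Python stands in for the site's classic ASP; the Session dict, the hidden-field names and the sample credential are assumptions). It combines a single-use nonce that Session.Abandon wipes out with the one-minute limit described in the post above, and answers every POST with a redirect so the page a student lands on was fetched with GET.

```python
# Added example, not code from the thread (which is classic ASP). It simulates a
# login flow with two defences against the F5 re-POST the thread describes: a
# single-use nonce kept in the session, and the one-minute limit klewlis added.
# A dict stands in for the ASP Session object; the hidden-field names
# 'login_nonce' and 'form_ts' are invented for this example.
import secrets
import time

NONCE_TTL_SECONDS = 60  # the thread's one-minute window

def render_login_form(session, now=None):
    """GET of the login page: mint a fresh nonce and remember it in the session."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    session["login_nonce"] = nonce
    session["login_nonce_issued"] = now
    return {"login_nonce": nonce, "form_ts": str(int(now))}  # hidden fields

def handle_login_post(session, form, check_password, now=None):
    """POST of the form. Returns (status, redirect_target): the reply is always a
    redirect (Post/Redirect/Get), so the page shown after login was fetched with
    GET and refreshing it cannot resend the credentials."""
    now = time.time() if now is None else now
    expected = session.pop("login_nonce", None)  # single use: consumed here
    issued = session.pop("login_nonce_issued", 0)
    submitted = form.get("login_nonce", "")
    if expected is None or not secrets.compare_digest(expected.encode(), submitted.encode()):
        return ("rejected_replay", "/home")  # Session.Abandon already dropped the nonce
    if now - issued > NONCE_TTL_SECONDS:
        return ("rejected_expired", "/home")
    user = form.get("user", "")
    if not check_password(user, form.get("password", "")):
        return ("bad_credentials", "/home")
    session.clear()  # nothing of a previous user survives a fresh login
    session["login"], session["user"] = True, user
    return ("ok", "/members")

def logout(session):
    """Equivalent of Session.Abandon: drops everything, including any nonce."""
    session.clear()

def kiosk_scenario():
    """Student A logs in and out; the next student presses F5 on the same form."""
    users = {"alice": "correct horse"}  # constructed sample credential
    check = lambda u, p: users.get(u) == p
    session = {}
    form = dict(render_login_form(session, now=1000.0), user="alice", password="correct horse")
    first = handle_login_post(session, form, check, now=1010.0)
    logout(session)
    replay = handle_login_post(session, form, check, now=1020.0)  # the re-POST
    return first[0], replay[0]  # ("ok", "rejected_replay")
```

The nonce check is what defeats the replay: after Abandon the session no longer holds it, so the browser can resend the password as often as it likes and never gets past the first test.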