Mike Mueller
Due to having to feed something resembling security without
using NT authentication and with some funky settings imposed
on some users' machines, I am trying to come up with
something that works for all. I just want to make it harder
to break.
I am using ASP authentication against a database. I have
no issues with people logging in OK. The issue I get is
with some funky machines that will not work with checking
the session variable on the 'secured' pages. I came up with
something new and I want opinions on what I did (which works
on all so far) and how I could make it better.
From the validation script, I am redirecting to a page, and
passing a query string which is based on datediff multiplied
by a set number and converted to hex code. The 'secured'
pages then use a script to figure out that same query and
then compare it to the query string. I figured this would
only be weak on the day of use. Bookmarking would be
worthless any other day as the querystrings would not match.
None of the machines are 'public' terminals, and are only
used by the members and their immediate families. The
immediate families are not considered as risks for the
information contained.
Sample code after the validation is completed:
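<%
' Runs after the database login check has succeeded.
Today = Date()
NewYears = DateSerial(2000, 1, 1)
' Number of days elapsed since 1 January 2000.
DaysSoFar = DateDiff("y", NewYears, Today)
' Pass the day count to the menu page as the LoginID query string.
Response.Redirect "Member_Menu.asp?LoginID=" & DaysSoFar
%>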
Sample code on the 'secured' pages:
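<%
Today = Date()
NewYears = DateSerial(2000, 1, 1)
' Recompute the same day count the validation script produced.
DaysSoFar = DateDiff("y", NewYears, Today)
CheckDate = Request.QueryString("LoginID")
' Compare as strings so a missing or non-numeric LoginID redirects
' to the login page instead of raising a type mismatch error.
If CheckDate <> CStr(DaysSoFar) Then
    Response.Redirect "login.asp"
End If
%>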
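
Added example, not part of the original post and not the poster's code: the LoginID above depends only on the calendar date, so it is identical for every visitor and does not prove that a login took place. The Python sketch below reproduces that value and sets beside it a token that can travel in the same query string but is bound to the user, an expiry time and a server-side key. SECRET, issue_token and verify_token are hypothetical names, and the logic is shown in Python rather than ASP.

```python
import hashlib
import hmac
from datetime import date

# Assumption: a random key kept on the server and never sent to the browser.
SECRET = b"constructed-demo-key"


def date_token(today: date) -> int:
    """The post's LoginID: days elapsed since 2000-01-01, same for everyone."""
    return (today - date(2000, 1, 1)).days


def _mac(user: str, expiry: str) -> bytes:
    msg = f"{user}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def issue_token(user: str, now: int, ttl: int = 1800) -> str:
    """Build 'user|expiry|mac' once the database login has succeeded."""
    if "|" in user:
        raise ValueError("user must not contain the field separator")
    expiry = str(now + ttl)
    return f"{user}|{expiry}|{_mac(user, expiry).decode()}"


def verify_token(token: str, now: int):
    """Return the user name if the token is authentic and unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, expiry, mac = parts
    if not (expiry.isascii() and expiry.isdigit()):
        return None
    # Constant-time comparison of the received MAC with the recomputed one.
    if not hmac.compare_digest(mac.encode(), _mac(user, expiry)):
        return None
    if now > int(expiry):
        return None
    return user
```

A token carried in the URL still ends up in browser history and Referer headers, which is why the sketch gives it a short lifetime.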