Email conversation
From: Tim Cliff
To: Me
Subject: Possible security using javascript and asp combination
Date: 29 September 2006 09:38
Hi
I was reading your site in the JavaScript security section trying to get some tips when I realised that what I had already may already be unique, and wanted to run it by you to see what you think (and probably find it isn't that good after all, lol).
I am currently developing an Ajax-based website that must access an MS SQL database and quickly realised that it is not directly possible, so after much searching I found that I could use an ASP server page to query the SQL and return the results in XML, which JavaScript is much better suited to reading. In this process I was asked to implement simple security so that different people could access different features of the site without inputting a password directly (the system is only to be used internally and users must log on to their machines with a unique username). In the process of developing this I found that if I used ASP to check the validity of the user's Windows login name for the session I am able to exclude/include different users from the various features of the site. (Usernames are kept in a SQL table.)
I am still developing this and not sure if it will work as intended but so
far so good.
Is this a viable solution, compared to the ones you have mentioned, to keeping my website secure? Alternatively, will it turn out to be a nice way to save people logging in without actually offering real security?
Thank you for your help, love the web site.
Tim
From: Me
To: Tim Cliff
Subject: Re: Possible security using javascript and asp combination
Date: 29 September 2006 12:33
Tim,
> Is this a viable solution, to the ones you have mentioned, to keeping my
> website secure?
No. From what you have said so far at least, the connection is not
encrypted. Therefore it is not secure. Any packet sniffing or rewriting will
allow any person to read the pages of another user, or rewrite them to
perform potentially damaging actions.
You say this is "internal" but it is up to how much you trust your users.
Will an unhappy employee decide to break the system?
If you encrypt the connection (and make sure your certification chains work
properly), then you can possibly use it as a secure authentication
technique, subject to the points below:
> Alternatively, will it turn out to be a nice way to save
> people logging in without actually offering real security?
That is more like it. As an authentication technique, it may work, but there
are certain limits. You must be absolutely certain you know which user is
logged in. I do not see how you can know that with a simple Web page HTTP
request, since all that will give you is the IP address of the user.
Perhaps your server has a list of who is logged in at each IP address at any
time, and only one user can log in on one machine at any time. If you just
expect to rely on the username, you will need to make sure you can trust
that the user is actually logged in using that username, and not just
sending you a fake one. Or maybe there is something about your system that I
do not know (I hope there is because otherwise I do not see it working).
That is up to you to know how your own system works, and how reliable that
information is. This part has nothing to do with the Web side of things, so
I cannot help you with it :)
In any case, you will probably be vulnerable to XSRF attacks since your
users cannot log out (either from internal users, or from external users who
know your URL formats), so make sure you protect against them:
http://www.howtocreate.co.uk/crosssite.html
Mark 'Tarquin' Wilton-Jones - author of http://www.howtocreate.co.uk/