JCrowe
Posted: 05/27/2003, 10:58 AM
Hi All,
I am practicing with the Authentication Builder. It seems to work great and
I am able to validate username/password and effectively return the page it
is supposed to. Here is my learning curve problem:
Once the page is authenticated the URL is exposed thus allowing anyone to
copy the URL and return later simply by pasting URL into the browser.
Understanding (I think/hope) this is a problem with the page being
authenticated and returned, what can I do to ensure the page returned is
only allowed access once it has been authenticated by the Login form?
Hope this makes sense, Thanks,
JCrowe
DonB
Posted: 05/27/2003, 1:47 PM
The authentication info is kept in server-side session variables. Once the
session is terminated, the user will have to go through the login page (if
you selected "restricted" page properties). I hope your server does not
have an infinite session timeout interval specified.
You should ensure that your queries invoke the session variable for the
userid (or other values) rather than simply passing parameters in the
querystring. This prevents someone from assembling a URL and parameters
that would point them to data they should not have access to view/change.
In one app, I actually stored the session ID in the before_unloadpage of my
login page (back into the "user" record), then secured the pages further by
passing the sessionID to my Database, and adding to the WHERE clause of the
datasource such that it used the current sessionID and required it to match
the sessionID stored in the "user" table (where the userid and password are
kept). Probably overkill, but I was confident then that the user querying
the database was the same one that logged in (I know that sessionIDs eventually
wrap around and repeat, but that's a several-million to one chance). I feel
it is virtually impossible to "spoof" a user using this technique.
DonB
"JCrowe" <jcrowe@home.net> wrote in message
news:bb090p$b0v$1@news.codecharge.com...
> Hi All,
> I am practicing with the Authentication Builder. It seems to work great and
> I am able to validate username/password and effectively return the page it
> is supposed to. Here is my learning curve problem.:
>
> Once the page is authenticated the URL is exposed thus allowing anyone to
> copy the URL and return later simply by pasting URL into the browser.
> Understanding (I think/hope) this is a problem with the page being
> authenticated and returned, what can I do to insure the page returned is
> only allowed access once it has been authenticated by the Login form ?
>
> Hope this makes sense, Thanks,
> JCrowe
>
>
>
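The two approaches DonB contrasts, written out as an added example (this is not CodeCharge's generated code or anything from the thread): a page that trusts a `userid` in the querystring beside a "restricted" page that takes the userid from a server-side session, expires the session after inactivity, and adds DonB's extra condition that the current session id must match the one stored in the user record. The tables, sample users, orders and the timeout value are all constructed for the example; an in-memory SQLite database stands in for the application database.

```python
# Added example (not CodeCharge's generated code): querystring-trusting page
# versus a session-restricted page with a session-id match in the WHERE clause.
import secrets
import sqlite3
import time

SESSION_TIMEOUT = 20 * 60  # assumed value: seconds of inactivity before a session dies

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT, session_id TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, userid TEXT, item TEXT);
""")
# Constructed sample data; passwords are plaintext only to keep the example short.
db.executemany("INSERT INTO users VALUES (?, ?, NULL)",
               [("alice", "alice-pw"), ("bob", "bob-pw")])
db.executemany("INSERT INTO orders (userid, item) VALUES (?, ?)",
               [("alice", "laptop"), ("alice", "mouse"), ("bob", "monitor")])

# Server-side session store: session id -> {"userid": ..., "last_seen": ...}
SESSIONS = {}


def login(userid, password, now=None):
    """Validate credentials, create a session, and record its id in the user row."""
    now = time.time() if now is None else now
    row = db.execute("SELECT 1 FROM users WHERE userid = ? AND password = ?",
                     (userid, password)).fetchone()
    if row is None:
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"userid": userid, "last_seen": now}
    # DonB's trick: store the session id back into the "user" record
    db.execute("UPDATE users SET session_id = ? WHERE userid = ?", (sid, userid))
    return sid


def current_user(sid, now=None):
    """Return the userid bound to a live session, or None if unknown or expired."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TIMEOUT:
        del SESSIONS[sid]  # expired: the user has to go through the login page again
        return None
    sess["last_seen"] = now
    return sess["userid"]


def orders_page_insecure(query):
    """The problem JCrowe describes: the page trusts ?userid= from the URL,
    so anyone who pastes a URL with another userid sees that user's data."""
    rows = db.execute("SELECT item FROM orders WHERE userid = ? ORDER BY id",
                      (query.get("userid"),))
    return [r[0] for r in rows]


def orders_page_restricted(sid, query, now=None):
    """Restricted page: the userid comes from the session, the querystring is
    ignored for authorisation, and the WHERE clause also requires the current
    session id to match the one stored in the user record."""
    userid = current_user(sid, now)
    if userid is None:
        return "redirect: login page"
    rows = db.execute(
        "SELECT o.item FROM orders o JOIN users u ON u.userid = o.userid "
        "WHERE o.userid = ? AND u.session_id = ? ORDER BY o.id", (userid, sid))
    return [r[0] for r in rows]


if __name__ == "__main__":
    sid = login("bob", "bob-pw")
    print(orders_page_insecure({"userid": "alice"}))        # URL edit exposes alice's orders
    print(orders_page_restricted(sid, {"userid": "alice"}))  # bob's own orders, whatever the URL says
```

Because the restricted page never reads the userid from the URL, a copied or pasted link yields only the data of whoever owns the live session, and once the session times out it yields a redirect to the login page; the session-id match in the WHERE clause additionally invalidates any older session for the same user as soon as they log in again.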