
How to securely set up cookie-based authentication in classic ASP?

What would be the most secure method of using cookies to authenticate users in a classic ASP website?

I don't want to use the ASP Session object as the session cookie times out after a while, and I'd like the user to be able to keep their login to the website active between separate browser runnings.

However, I don't want to just create a cookie containing their user ID as that could be easily forged - so what are my options here? I guess some sort of encryption, but I don't really know what the standard methods of doing this are.


Your options here are pretty much limited.

Get your users to log back in again; best security approach.


This obviously applies much wider than just ASP.

The best way would be to hash the password... you should be doing this in any case where you store it in the database.

The hash is a cryptographic function - when you run a string through it (e.g. a password) you get out a long code. If the input is the same, the output is always the same.

But (this is the important bit) it's mathematically virtually impossible to reverse the process - to start with the hashed value and work out the password, other than by brute force (someone hashes a dictionary, or random strings, and looks for output that matches the hash they have).

So when the user sets up an account, they put in their desired password, but you hash this, and store that. Similarly in the cookie, after they log in you store the hash, not the password, and this hash is compared with the hash in the DB.

The downside is you can't send a password reminder since you don't know the password - so you'd have to send a password reset link and have a system to do that.

If you're really paranoid you might double hash, e.g. when they log in the password is hashed once and stored in the cookie. It's then hashed again and compared with the password in the DB (which is also double-hashed).
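As an added example (not code from the answer above or from the original site), here is the hashing the answer describes, written in Python rather than classic ASP, together with the check a practitioner would want for the question's "could be easily forged" concern: the password hash stays in the database only, and the cookie carries a user ID plus expiry signed with a server-side HMAC key, so a client cannot mint or alter it without the key. `SERVER_SECRET`, `PBKDF2_ROUNDS` and the `user|expiry|mac` cookie layout are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumption: a per-deployment secret loaded from server-side config.
# It never leaves the server; it is what makes the cookie unforgeable.
SERVER_SECRET = os.urandom(32)

# Assumption: iteration count for the stored password hash (slows brute force).
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash of the password for storage in the database.

    Returns (salt, digest). A fresh random salt is generated on registration;
    the same salt is passed back in when verifying a login.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def issue_cookie(user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build a 'remember me' cookie value: user_id|expiry|hmac.

    The HMAC is over user_id and expiry, so changing either invalidates the cookie.
    user_id must not contain '|' (assumption of this layout).
    """
    if "|" in user_id:
        raise ValueError("user_id must not contain '|'")
    current = now if now is not None else int(time.time())
    payload = f"{user_id}|{current + ttl_seconds}"
    mac = hmac.new(SERVER_SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def check_cookie(value: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user_id if the cookie is well-formed, unexpired and correctly signed, else None."""
    try:
        user_id, exp_str, mac = value.split("|")
        expiry = int(exp_str)
    except ValueError:
        return None  # malformed value
    expected = hmac.new(SERVER_SECRET, f"{user_id}|{expiry}".encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged
    current = now if now is not None else int(time.time())
    if current >= expiry:
        return None  # expired
    return user_id


if __name__ == "__main__":
    # Constructed sample flow: registration, login, cookie issue and re-check.
    salt, stored = hash_password("correct horse battery staple")
    assert verify_password("correct horse battery staple", salt, stored)
    cookie = issue_cookie("alice", ttl_seconds=30 * 24 * 3600)
    print("cookie:", cookie)
    print("user from cookie:", check_cookie(cookie))
```

Rotating `SERVER_SECRET` invalidates every outstanding cookie at once, which is the usual way to force a global logout; the stored password hashes are unaffected by that rotation.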


Don't Do It

Maintaining a user login quote "...between separate browser runnings" is not secure. IMHO, when you close the browser a previous login should be gone. Suppose your visitor was using a community pc at a coffee shop.

If you maintain this login, there is the potential for the next community user to open the browser, navigate to your website and "poof" - they are automatically logged in as the previous user.
