Secure Web Development

By Jeremy The IT Guy
I need some help on a client access page I have developed. Once someone goes to my website, http://www.myweb.com and they click on client access, they go to an ASP logon page which will authenticate a user and redirect them to the corresponding page. I want these pages to be secure. Here's my problem. Let's say that this is the URL for the end user's page: http://www.myweb.com/clientaccess/company.html. Well, if you were to type this URL into the address box of the browser, you can access the page without any type of authentication and this info is highly sensitive. Can someone help me out with this? Is there something I can do in IIS? What can I do? Thanks, Jeremy

tracking state

by shelleydoll In reply to Secure Web Development

Jeremy,

I'm not an ASP programmer, but I can tell you that in web security, it all comes down to tracking the user's state. During the login process, you need to create a session or a cookie that sets a variable. Then, on each page they have to be logged in to see, you need to check to make sure that variable is set to an appropriate value. If not, prompt them to log in.

The other alternative is to use IIS to protect a web directory. Every folder beneath that directory will also be protected. It does this by creating a server-side cookie that tracks the user's state for you. HOWEVER, if you're having the user log in through a web form, the first time they hit a page in the protected directory, they will have to authenticate again through a pop-up window (once you've configured the server, it should do this automatically - you don't have to code anything). This will be a different login and password that you will have to sync up with the info in your database. You should probably try to use the first method I mentioned.

Hope this helps!

ASP redirect

by nhanaiu99 In reply to tracking state

During authentication you can set a variable in a cookie or session to 1, for instance, as in the previous reply. Then on the account page you need to have this code at the top of the page.

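<%
' Read the flag from the server-side session: Request("variable") also accepts values the client sends in the query string, a form or a cookie.
If Session("variable") <> 1 Then   ' an unset flag compares unequal to 1, so the check fails closed
    Response.Redirect URL_LOGIN_PAGE
End If
%>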

Good Luck,
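
The per-page session check that both replies describe, written out as an added example that is not part of the original thread. By default IIS serves a static `.html` file without running any ASP script, so the check has to live in an `.asp` page; this sketch uses one gate page that returns only the logged-in client's own file, read from a folder outside the web root. The file name, paths, session keys and the sample company value are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' clientpage.asp (hypothetical name): one gate page in place of /clientaccess/company.html.
' Assumed to be set by the logon page after the password check succeeds:
'   Session("authenticated") = True
'   Session("company") = "acme"   ' constructed sample value, taken from the user's DB record

Const LOGIN_PAGE = "/clientaccess/logon.asp"   ' hypothetical path
Const CONTENT_DIR = "D:\clientdata\"           ' hypothetical folder outside the web root

Dim company, re, fso, path, ts

' Fail closed: anything other than an explicit True goes back to the logon page.
If Session("authenticated") <> True Then
    Response.Redirect LOGIN_PAGE
End If

' Keep the sensitive page out of browser and proxy caches.
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-store"

' The company comes from the session, never from the query string or a form field,
' so a logged-in client cannot request another client's page.
company = Session("company")

' Defense in depth: only letters, digits, "-" and "_" may reach the file name.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]+$"
If Not re.Test(company) Then
    Response.Status = "403 Forbidden"
    Response.End
End If

Set fso = Server.CreateObject("Scripting.FileSystemObject")
path = CONTENT_DIR & company & ".html"
If Not fso.FileExists(path) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' Stream the client's page only after every check above has passed.
Set ts = fso.OpenTextFile(path, 1)   ' 1 = ForReading
If Not ts.AtEndOfStream Then Response.Write ts.ReadAll
ts.Close
%>
```

With the client files moved out of the web root, typing the old `.html` URL into the address bar no longer returns anything.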
