
post errors oh my!

I am creating an asp page to collect username/password from the user
and validate it against the DB.
Problem is, it's like this:
- Page initially shows user and pwd inputs with a submit button
- Page submits to itself using POST method
- Now armed with user and password, using ADO I verify information
against database and if it's correct, the main page shows.

Two problems:
1) is the password information secure when I use 'post'? can someone
somehow steal this with sniffers or something?
2) If there is a problem in the page, like connection or otherwise,
the browser shows a 'The page cannot be displayed' and down the page it
shows 'POST Data: ' which includes username and password! this can't be
good can it?

What can I do to improve security here?

Jul 22 '05 #1
1. HTTPS? That's what this is for. Are you using SSL?
2. Where does it show that exactly? On what errors? Are you using custom
errors?

Ray at work


Jul 22 '05 #2
1) Oh, no, I haven't learned HTTPS, I'll get some info on the subject.
2) Like let's say I call a nonexistent stored procedure in the asp
code, then if I try to go to the page it shows this:

The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot
be displayed.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

Open the localhost home page, and then look for links to the
information you want.
HTTP 500.100 - Internal Server Error - ASP error
Internet Information Services

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Type:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Could not find stored procedure 'createsession'.
/applications/includes/login/session.inc, line 27
Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322)

Page:
POST 37 bytes to /applications/login/login.asp

POST Data:
username=test&pwd=test123&smit=Submit

Time:
Tuesday, July 12, 2005, 2:12:28 PM
More information:
Microsoft Support


So see, there is a section that actually shows the posted fields from
the form; seems to me that this is dangerous.

Jul 22 '05 #3
Hmm, that is an issue. You could also look into custom error pages. It
actually can be as simple as making a page like so:

500.asp:

<html>
<body>
An error occurred. Sorry about that.
</body>
</html>

Put that in the root of your site, then set /500.asp to be the URL of your
error page in IIS for that site. See screen shot of the IIS configuration
here. http://www.aspfaq.com/show.asp?id=2335

Ray at work


Jul 22 '05 #4
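A fuller version of the custom error page suggested in the reply above, as an added example that is not part of the original posts. It assumes the file is registered in IIS as the URL-type custom error for 500;100 (so `Server.GetLastError()` is populated); the log path is hypothetical.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
Const LOG_PATH = "D:\logs\asp-errors.log"   ' hypothetical file outside the web root
Const ForAppending = 8

Dim aspErr, ref, fso, logFile
Set aspErr = Server.GetLastError()          ' details of the error that triggered this page

' Short reference shown to the user and written to the log, so the two can be matched.
Randomize
ref = Hex(CLng(Timer * 100)) & "-" & Hex(Int(Rnd * 65536))

On Error Resume Next                        ' a logging failure must not surface as a second error
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set logFile = fso.OpenTextFile(LOG_PATH, ForAppending, True)
' Request.Form is deliberately left out of the log line: it holds the password.
logFile.WriteLine Now & vbTab & ref & vbTab & _
    Request.ServerVariables("REQUEST_METHOD") & " " & Request.ServerVariables("URL") & vbTab & _
    aspErr.File & ":" & aspErr.Line & vbTab & Hex(aspErr.Number) & vbTab & aspErr.Description
logFile.Close
On Error GoTo 0

Response.Status = "500 Internal Server Error"
%>
<html>
<body>
An error occurred. Sorry about that.
Reference: <%= Server.HTMLEncode(ref) %>
</body>
</html>
```

The file, line and provider message stay in the server-side log, while the browser sees only the generic text and the reference.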
wo******@yahoo.com wrote:
> Two problems:
> 1) is the password information secure when I use 'post'?

No. The form contents are sent in the request headers, but they are not
encrypted.

> can someone somehow steal this with sniffers or something?

Absolutely.

> 2) If there is a problem in the page, like connection or otherwise,
> the browser shows a 'The page cannot be displayed' and down the page
> it shows 'POST Data: ' which includes username and password! this
> can't be good can it?

The user already knows what he typed. So this is not really any worse than
the unencrypted POST.

> What can I do to improve security here?

Use SSL. And handle your errors:
http://msdn.microsoft.com/library/en...tmtrycatch.asp
http://msdn.microsoft.com/library/en...stmonerror.asp
http://msdn.microsoft.com/library/en...4986fbf889.asp
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 22 '05 #5
Thanks for all the replies, very informational.
I've been trying to find some info on how to add HTTPS to my pages, but
haven't found a good place yet... know of a good explanatory site
(tersely explained, because I'm dumb) of how to incorporate HTTPS in
your ASP files and your server?
Thanks

Jul 22 '05 #6
Yikes! I found some info on this and it says I have to pay some 3rd party
place to use HTTPS? Like $300/year, ouch!!!!

Jul 22 '05 #7
wo******@yahoo.com wrote:
> yikes! I found some info on this and says I have to pay some 3rd
> party place to use HTTPS? like $300/year ouch!!!!

You could act as your own certificate authority and generate your own certs.
The $300 buys you acceptance, not security.

--
Dave Anderson

Jul 22 '05 #8
Add error handling to the page so that you control the error message.

for vbscript see "on error resume next" and "err.number"

for jscript see "try" and "catch"

--
--Mark Schupp

Jul 22 '05 #9
Dave Anderson wrote:
> wo******@yahoo.com wrote:
>> yikes! I found some info on this and says I have to pay some 3rd
>> party place to use HTTPS? like $300/year ouch!!!!
>
> You could act as your own certificate authority and generate your own certs.
> The $300 buys you acceptance, not security.

As Dave said, you can self certify. But if you want to buy a certificate
from a recognised authority for less than $100 then visit www.enom.com

Jul 22 '05 #10
> 2) If there is a problem in the page, like connection or otherwise,
> the browser shows a 'The page cannot be displayed' and down the page it
> shows 'POST Data: ' which includes username and password! this can't be
> good can it?

If you trap the error, then it won't be reported back to the browser.
Jul 22 '05 #11
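The error trapping suggested in the two replies above ("on error resume next" / "err.number", and trapping the error so it is not reported to the browser), combined with the SSL advice, as an added example that is not code from the thread. The field names `username`, `pwd` and `smit` come from the POST data shown earlier; the `checklogin` procedure, the `Application("ConnStr")` connection string, the parameter sizes and `main.asp` are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
Const adCmdStoredProc = 4, adVarChar = 200, adParamInput = 1, adStateOpen = 1   ' values from adovbs.inc

Dim message, conn, cmd, rs
message = ""

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
        ' The credentials crossed the network unencrypted; refuse to act on them.
        message = "Please sign in over https."
    Else
        On Error Resume Next    ' errors now set Err instead of ending the page with a 500
        Set conn = Server.CreateObject("ADODB.Connection")
        conn.Open Application("ConnStr")        ' assumption: connection string kept in Application state
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = conn
        cmd.CommandType = adCmdStoredProc
        cmd.CommandText = "checklogin"          ' hypothetical procedure: returns one row on a match
        cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, CStr(Request.Form("username")))
        cmd.Parameters.Append cmd.CreateParameter("@pwd", adVarChar, adParamInput, 50, CStr(Request.Form("pwd")))
        Set rs = cmd.Execute
        If Err.Number <> 0 Then
            ' Record only the error code; the form fields and Err.Description never reach the response.
            Response.AppendToLog " login-error-" & Hex(Err.Number)
            message = "Sign-in is unavailable right now. Please try again later."
            Err.Clear
        ElseIf rs.EOF Then
            message = "Invalid user name or password."
        End If
        If IsObject(conn) Then
            If conn.State = adStateOpen Then conn.Close
        End If
        On Error GoTo 0
        If message = "" Then Response.Redirect "main.asp"   ' hypothetical landing page
    End If
End If
%>
<html>
<body>
<% If message <> "" Then %><p><%= Server.HTMLEncode(message) %></p><% End If %>
<form method="post" action="login.asp">
User: <input type="text" name="username">
Password: <input type="password" name="pwd">
<input type="submit" name="smit" value="Submit">
</form>
</body>
</html>
```

Because `Err` keeps the first failure until it is cleared, a single check after `cmd.Execute` covers a failed connection, a missing stored procedure and a bad parameter alike.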
