OT - How Web Apps Do/Should Detect Authentication

je**********@gmail.com wrote:

Can someone tell me how a web application knows whether a user is
logged in?

Somehow, web applications can detect whether someone has already
logged in.

I know all about ASP Membership; that's not what I'm asking.

I want to know what gets sent to the web server so it can verify the
user. Is it some kind of cookie? a HTTP header? taco meat?

Any links or books where I can read all about it would be muchly
appreciated.

Traditionally there are two ways:
* a cookie with session id
* URL rewriting that put the session id in the URL

Cookie is the standard.

Arne

On Nov 14, 6:48*pm, Arne Vajhøj <a...@vajhoej.dkwrote:

jehugalea...@gmail.com wrote:

Can someone tell me how a web application knows whether a user is
logged in?

Somehow, web applications can detect whether someone has already
logged in.

I know all about ASP Membership; that's not what I'm asking.

I want to know what gets sent to the web server so it can verify the
user. Is it some kind of cookie? a HTTP header? taco meat?

Any links or books where I can read all about it would be muchly
appreciated.

Traditionally there are two ways:
* a cookie with session id
* URL rewriting that put the session id in the URL

Cookie is the standard.

Arne

Thanks.

Can I ask another question then?

We purchased an off-the-shelf product. The company who made it claims
that we can send an HTTP header to their product and it would
automatically let us access their web site. They call this their 3rd
party authentication method. My question is, how can this be secure if
all someone has to do is generate the right header? Couldn't anyone
generate the header?

I think the company's representative has lost her mind. Even if she
knows what she is talking about, I can't see how her suggestion could
be secure... does this mean anything to anyone?

je**********@gmail.com wrote:

On Nov 14, 6:48 pm, Arne Vajhøj <a...@vajhoej.dkwrote:

>jehugalea...@gmail.com wrote:

>>Can someone tell me how a web application knows whether a user is
logged in?
Somehow, web applications can detect whether someone has already
logged in.
I know all about ASP Membership; that's not what I'm asking.
I want to know what gets sent to the web server so it can verify the
user. Is it some kind of cookie? a HTTP header? taco meat?
Any links or books where I can read all about it would be muchly
appreciated.

Traditionally there are two ways:
* a cookie with session id
* URL rewriting that put the session id in the URL

Cookie is the standard.

Can I ask another question then?

We purchased an off-the-shelf product. The company who made it claims
that we can send an HTTP header to their product and it would
automatically let us access their web site. They call this their 3rd
party authentication method. My question is, how can this be secure if
all someone has to do is generate the right header? Couldn't anyone
generate the header?

The cookie and URL sessions id's are usually a 128 or 160 bit
number in hex form.

The chance of guessing one of the maybe 100 valid session id's from
the 2^128 or 2^160 possible is very small.

If the HTTP header contains something similar hard to guess, then
it may be secure.

Arne

On Nov 14, 7:11*pm, Arne Vajhøj <a...@vajhoej.dkwrote:

jehugalea...@gmail.com wrote:

On Nov 14, 6:48 pm, Arne Vajhøj <a...@vajhoej.dkwrote:

jehugalea...@gmail.com wrote:
Can someone tell me how a web application knows whether a user is
logged in?
Somehow, web applications can detect whether someone has already
logged in.
I know all about ASP Membership; that's not what I'm asking.
I want to know what gets sent to the web server so it can verify the
user. Is it some kind of cookie? a HTTP header? taco meat?
Any links or books where I can read all about it would be muchly
appreciated.
Traditionally there are two ways:
* a cookie with session id
* URL rewriting that put the session id in the URL

Cookie is the standard.

Can I ask another question then?

We purchased an off-the-shelf product. The company who made it claims
that we can send an HTTP header to their product and it would
automatically let us access their web site. They call this their 3rd
party authentication method. My question is, how can this be secure if
all someone has to do is generate the right header? Couldn't anyone
generate the header?

The cookie and URL sessions id's are usually a 128 or 160 bit
number in hex form.

The chance of guessing one of the maybe 100 valid session id's from
the 2^128 or 2^160 possible is very small.

If the HTTP header contains something similar hard to guess, then
it may be secure.

Arne- Hide quoted text -

- Show quoted text -

I see your point. This is all good information. I will pass that
along. Thanks for your answers.

je**********@gmail.com wrote:

On Nov 14, 7:11 pm, Arne Vajhøj <a...@vajhoej.dkwrote:

>jehugalea...@gmail.com wrote:

>>On Nov 14, 6:48 pm, Arne Vajhøj <a...@vajhoej.dkwrote:
jehugalea...@gmail.com wrote:
Can someone tell me how a web application knows whether a user is
logged in?
Somehow, web applications can detect whether someone has already
logged in.
I know all about ASP Membership; that's not what I'm asking.
I want to know what gets sent to the web server so it can verify the
user. Is it some kind of cookie? a HTTP header? taco meat?
Any links or books where I can read all about it would be muchly
appreciated.
Traditionally there are two ways:
* a cookie with session id
* URL rewriting that put the session id in the URL
Cookie is the standard.
Can I ask another question then?
We purchased an off-the-shelf product. The company who made it claims
that we can send an HTTP header to their product and it would
automatically let us access their web site. They call this their 3rd
party authentication method. My question is, how can this be secure if
all someone has to do is generate the right header? Couldn't anyone
generate the header?

The cookie and URL sessions id's are usually a 128 or 160 bit
number in hex form.

The chance of guessing one of the maybe 100 valid session id's from
the 2^128 or 2^160 possible is very small.

If the HTTP header contains something similar hard to guess, then
it may be secure.

I see your point. This is all good information. I will pass that
along. Thanks for your answers.

Note that traditionally it is the server that assigns a random
session id to you.

If your OTS product is the same, then it is all fine. But if
it is a hardcoded value for your company, then there are additional
security issues, because that key can leak.

Arne