Re: How do I protect my login page from prying eyes (forms authentication)?
- From: "Damien" <Damien_The_Unbeliever@xxxxxxxxxxx>
- Date: 3 Jan 2006 11:31:42 -0800
Alan Silver wrote:
> >Sounds a bit like chicken and egg. The forms authentication needs to
> >know which page is the login page, otherwise it cannot provide access
> >to that page and bypass the authentication for it.
>
> Guess so. I suppose I could have the login page in the main site (ie not
> in the secured bit), so there wouldn't be any problem getting at it when
> not logged in.
>
> <snip>
> >At the end of the day though, you're just practicing security through
> >obscurity. Sure, do this if you want to, but I'd rather devote time and
> >energy to making my site secure even if someone discovers the
> >"protected" site. And this page will only stay hidden for so long. Once
> >it's out in the open (and if it's believed the contents are high
> >valued, and people suspect that you've hidden the login page as a
> >security measure), you may be *more* likely to be attacked.
>
> OK, maybe I didn't make myself quite clear enough. The problem I have is
> that one of the pages in the secured folder generates a printable
> invoice. This means that when the site owner prints an invoice, the URL
> of this page will be shown in the footer. This is basically an
> invitation to try loading the page. If an unauthorised user tries to
> load the page, they get sent to the login page, which is an invitation
> to try gaining access.
>
> So, without any security measures, the simple act of sending out
> invoices encourages ordinary people to try and hack the site.
>
> My intention is to use URL rewriting so that the URL shown at the bottom
> of the page is something like http://domain/order23.aspx, which is a
> non-existent page. If they try to load it, they get a 404, which will
> discourage 99.999% of people. That's a very good start.
>
> Obviously there will always be determined hackers. This approach is not
> expected to stop them, it is intended to keep the vast majority of
> curious customers away from the protected part of the site. The issue of
> securing the protected part from serious hackers is a separate one.
>
Have the secure website generate invoices in the non-secure site,
redirect to there, prompt for printing (and have a service that deletes
these temp files after (5, 30, 2400) minutes, depending on your
security requirements). Or generate the invoices as rtf files (which
should download locally before printing).
Either way, accept the fact that people will attempt to hack your site.
There's nowt you can do to affect that.
Damien
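An added example (not code from the thread or from either poster) of the temp-file approach Damien describes: the rendered invoice is written into the unauthenticated area under a random, non-sequential name, and a scheduled sweeper deletes anything older than the chosen TTL. The directory name and function names are assumptions; anything in that directory is readable by whoever has the URL until the sweeper removes it, so the name must not be guessable from the order number.

```python
import secrets
import time
from pathlib import Path
from typing import List, Optional

# Assumed layout: the public (non-secured) site serves this directory with no
# authentication, so files here are world-readable until swept.
PUBLIC_INVOICE_DIR = Path("public_invoices")


def publish_invoice(content: bytes, directory: Path = PUBLIC_INVOICE_DIR) -> Path:
    """Write a rendered invoice into the unauthenticated area under a random name.

    A 128-bit random token keeps the temporary URL unguessable. The sequential
    order number must not appear in the name (e.g. order23.html), otherwise the
    published invoices are trivially enumerable.
    """
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / f"inv-{secrets.token_urlsafe(16)}.html"
    # Exclusive create: a colliding name raises instead of overwriting a file.
    with open(path, "xb") as fh:
        fh.write(content)
    return path


def sweep_expired(ttl_minutes: int, directory: Path = PUBLIC_INVOICE_DIR,
                  now: Optional[float] = None) -> List[Path]:
    """Delete published invoices older than ttl_minutes and return what was removed.

    Run from a scheduled task; the thread suggests 5, 30 or 2400 minutes
    depending on how sensitive the invoices are. `now` is injectable for testing.
    """
    now = time.time() if now is None else now
    cutoff = now - ttl_minutes * 60
    removed: List[Path] = []
    if not directory.is_dir():
        return removed
    for path in directory.glob("inv-*.html"):
        if path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path)
    return removed
```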