Re: OT - How Web Apps Do/Should Detect Authentication

jehugaleahsa@xxxxxxxxx wrote:
On Nov 14, 7:11 pm, Arne Vajhøj <a...@xxxxxxxxxx> wrote:
jehugalea...@xxxxxxxxx wrote:
On Nov 14, 6:48 pm, Arne Vajhøj <a...@xxxxxxxxxx> wrote:
jehugalea...@xxxxxxxxx wrote:
Can someone tell me how a web application knows whether a user is
logged in?
Somehow, web applications can detect whether someone has already
logged in.
I know all about ASP Membership; that's not what I'm asking.
I want to know what gets sent to the web server so it can verify the
user. Is it some kind of cookie? a HTTP header? taco meat?
Any links or books where I can read all about it would be muchly
appreciated.
Traditionally there are two ways:
* a cookie with session id
* URL rewriting that put the session id in the URL
Cookie is the standard.
Can I ask another question then?
We purchased an off-the-shelf product. The company who made it claims
that we can send an HTTP header to their product and it would
automatically let us access their web site. They call this their 3rd
party authentication method. My question is, how can this be secure if
all someone has to do is generate the right header? Couldn't anyone
generate the header?
The cookie and URL sessions id's are usually a 128 or 160 bit
number in hex form.

The chance of guessing one of the maybe 100 valid session id's from
the 2^128 or 2^160 possible is very small.

If the HTTP header contains something similar hard to guess, then
it may be secure.

I see your point. This is all good information. I will pass that
along. Thanks for your answers.

Note that traditionally it is the server that assigns a random
session id to you.

If your OTS product is the same, then it is all fine. But if
it is a hardcoded value for your company, then there are additional
security issues, because that key can leak.

Arne
.

Relevant Pages

  • Re: OT - How Web Apps Do/Should Detect Authentication
    ... Is it some kind of cookie? ... URL rewriting that put the session id in the URL ... that we can send an HTTP header to their product and it would ... it may be secure. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: post and php (newbie question)
    ... to manipulate and requires validation over and over again on every page ... You don't seem to understand tat all a session is, ... passed to *ONE* GET POST or cookie. ... A simple DB is as secure as a flat file. ...
    (comp.lang.php)
  • Re: OT - How Web Apps Do/Should Detect Authentication
    ... Is it some kind of cookie? ... URL rewriting that put the session id in the URL ... that we can send an HTTP header to their product and it would ... it may be secure. ...
    (microsoft.public.dotnet.languages.csharp)
  • Secure ASP.Net Sessions
    ... The current implementation has used 2 ASP.Net applications one secure and ... one insecure, to avoid the insecure session ID being hijacked ... In an ideal world I want the application to also handle the cookie less ... There should be 2 session IDs, one for insecure sessions and one for secure ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: OT - How Web Apps Do/Should Detect Authentication
    ... Is it some kind of cookie? ... URL rewriting that put the session id in the URL ... that we can send an HTTP header to their product and it would ... how can this be secure if ...
    (microsoft.public.dotnet.languages.csharp)
Loading