Session after login and the possibility of hacking

Published 2019-08-11 22:51

Question:

I want to know once and for all

in Classic ASP!

If I have a form like this:

<form action="login.asp" method="post">
<input type="text" name="username" value="" />
<input type="password" name="password" value="" />
</form>

and in the login.asp page I check if the username and password are correct, and if so I give session("loggedin") a value.

Then in every page I check for that session and for that value.

My question: is that the right, most common, secure thing to do? Or am I missing something?

Answer 1:

I am finally moving to .Net (Good and bad...I loved Classic ASP), but how I handled it in classic ASP to make it manageable is:

Create an include file, like this:

<%
' nz() is not built in to VBScript: treat a missing or empty session value as 0
Function nz(v)
    If IsEmpty(v) Or IsNull(v) Or v = "" Then nz = 0 Else nz = v
End Function

If nz(Session("users.userid")) = 0 Then
    'PUT YOUR LOGIN CODE HERE: validate the posted credentials and, on success,
    'Session("users.userid") = userId
    'otherwise CODE TO DISPLAY LOGIN FORM, then stop the page here
    Response.End
End If
%>

Include this at the top of every page that should be secure. If they haven't logged in, it will throw the login form. Obviously you can make this more useful than this, but this is as clearly as I could explain it.



Answer 2:

That is pretty standard; you can use SSL in conjunction with that for better security. Also, you could have another session value/cookie that is a hash of the user's IP address and some other secret value, and check the IP address on each request.
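As an added illustration (not code from either answer), the scheme above modelled in Python: login sets a server-side "loggedin" flag under a fresh session id and issues a binding token that is an HMAC of the session id and client IP under a server secret; every page's check then requires both the flag and a token recomputed for the requesting IP. The secret, user, password and IP addresses are constructed demo values; check_credentials is a stub standing in for a real password-hash lookup.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment loads this from configuration, not source.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# In-memory store standing in for Classic ASP's Session(...) object.
SESSIONS = {}


def check_credentials(username: str, password: str) -> bool:
    # Constructed demo user; a real application verifies a salted password hash.
    return username == "alice" and password == "correct horse"


def binding_token(session_id: str, client_ip: str) -> str:
    """Answer 2's 'hash of the IP and a secret': keyed HMAC over session id + IP."""
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def login(username: str, password: str, client_ip: str):
    """Return (session_id, token) on success, None on bad credentials."""
    if not check_credentials(username, password):
        return None
    sid = secrets.token_urlsafe(32)  # fresh id per login, never reuse a pre-login id
    SESSIONS[sid] = {"loggedin": True, "username": username}
    return sid, binding_token(sid, client_ip)


def is_authorized(session_id: str, token: str, client_ip: str) -> bool:
    """The per-page check: session exists, loggedin is set, token matches this IP."""
    sess = SESSIONS.get(session_id)
    if not sess or not sess.get("loggedin"):
        return False
    expected = binding_token(session_id, client_ip)
    return hmac.compare_digest(expected, token or "")


def logout(session_id: str) -> None:
    SESSIONS.pop(session_id, None)
```

A session cookie replayed from a different IP fails the token check, but the same check also rejects legitimate users whose address changes mid-session (mobile networks, some NAT pools), so treat IP binding as a tunable control rather than a default.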