I want to know once and for all, in classic ASP: if I have a form like this
<form action="login.asp" method="post">
<input type="text" name="username" value="" />
<input type="password" name="password" value="" />
</form>
and in the login.asp page I check whether the username and password are correct and, if so, give Session("loggedin") a value,
then in every page I check for that session variable and for that value.
My question: is that the right, most common, secure thing to do, or am I missing something?
That is pretty standard; you can use SSL in conjunction with that for better security. Also, you could have another session value/cookie that is a hash of the user's IP address and some other secret value, and check the IP addresses on each request.
I am finally moving to .NET (good and bad... I loved Classic ASP), but how I handled it in classic ASP to make it manageable is:
Create an include file, like this:
Include this at the top of every page that should be secure. If they haven't logged in, it will throw the login form. Obviously you can make this more useful than this, but this is as clearly as I could explain it.
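The include file itself is not shown in the answer above, so here is an added example of what such a per-page check can look like in classic ASP (VBScript). It is my own illustration, not the answerer's file, and it also applies the first answer's suggestion of tying the session to the client address. It assumes that login.asp, after verifying the credentials, sets Session("loggedin") = True and Session("login_ip") = Request.ServerVariables("REMOTE_ADDR"); the file name secure_include.asp and the returnurl parameter are my own choices.

```vbscript
<%
' secure_include.asp -- added example, not the original answer's include file.
' Assumes login.asp sets Session("loggedin") = True and
' Session("login_ip") = Request.ServerVariables("REMOTE_ADDR") on success.

' Returns True only if the session was marked as logged in AND the request
' still comes from the address the session was created from.
Function IsLoggedIn()
    IsLoggedIn = False
    If VarType(Session("loggedin")) = vbBoolean Then
        If Session("loggedin") = True Then
            ' Caveat: clients behind a changing proxy/NAT or on mobile
            ' networks will be logged out when their address changes.
            If Session("login_ip") = Request.ServerVariables("REMOTE_ADDR") Then
                IsLoggedIn = True
            End If
        End If
    End If
End Function

If Not IsLoggedIn() Then
    ' Discard any partial or hijacked state, then send the user to the
    ' login page, remembering which page they originally asked for.
    Session.Abandon
    Response.Redirect "login.asp?returnurl=" & _
        Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
End If
%>
```

Put `<!--#include file="secure_include.asp"-->` as the very first line of every page that must be protected, before any HTML output, so the redirect can still be sent; Response.Redirect ends script execution itself, so nothing below the check runs for an anonymous visitor. The address comparison is a cheap extra hurdle against a stolen session cookie, but the session ID still travels in the clear unless the site is served over SSL, which is why the first answer recommends it.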