


How secure is the security from my security form?

Hey, I have a question about how secure the following will be....

I want to have a login form that posts to itself, so when it loads it checks
if there is a username and password on the query list.

If there is not, it asks for one.

If there is, it checks to see if the information is valid.

If it is not valid, it deletes the attributes and calls itself again.

If it is valid it sets a particular session variable to be some value and
redirects to the next page.

Every page from there on in will check to see if the session variable is set
and if not will redirect back to the login page.

Are there any security risks/holes that I should know about?

Thanks in advance,
Aaron

PS I do have access to Tomcat, but have been unable to figure out how to set
it up (this is my first time setting up security for a site) - so if anyone
has any tips/links that information would be most appreciated.  Thanks
again.


someone15 (472)
7/28/2003 1:25:29 AM
comp.lang.java.programmer

Aaron wrote:
> Hey, I have a question about how secure the following will be....
> 
> I want to have a login form that posts to itself, so when it loads it checks
> if there is a username and password on the query list.
> 
> If there is not, it asks for one.
> 
> If there is, it checks to see if the information is valid.
> 
> If it is not valid, it deletes the attributes and calls itself again.
> 
> If it is valid it sets a particular session variable to be some value and
> redirects to the next page.
> 
> Every page from there on in will check to see if the session variable is set
> and if not will redirect back to the login page.

This is a fairly common kind of setup.  You may find that you want the 
session attribute to be more meaningful or functional than a simple 
flag, but the basic idea is the same.

> Are there any security risks/holes that I should know about?

Standard HTTP messages are not encrypted, so it is possible for them to 
be intercepted and user credentials stolen.  If you want to worry about 
this then one solution is to use SSL for the login form.

Once you have established an authenticated session, it is possible for 
the session cookie or session id parameter to be intercepted and the 
session hijacked.  SSL can address this problem as well, if you care to 
worry about it.

In general, you need to encrypt HTTP traffic for strong security.

There are also a number of common types of webapp vulnerabilities to worry 
about on every page, most of which have to do with unexpected data being 
passed to the server.  SQL injection attacks are one variant.  Google 
for "webapp security".  These are mostly orthogonal to the issue of data 
interception, and therefore are not addressed by encryption.

Finally, make sure to secure the server(s) on which the application is 
running.  It doesn't matter how secure the application is if someone can 
bypass it to get to the data.


John Bollinger
jobollin@indiana.edu
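The following is an added example, not code from either poster: one way to build the setup Aaron describes in a servlet container such as Tomcat, with the two points from John's reply folded in. An `AuthFilter` enforces the "session attribute must be set, else redirect to login" rule for every protected URL, and a `LoginServlet` validates the credentials with a `PreparedStatement` (so the username is bound as data rather than spliced into SQL text, which is the usual defence against the SQL injection John mentions). The servlet reads the credentials from a POST body rather than the query string, so they are not written into URL logs or browser history. The class names, the `/login` and `/app/*` paths, the `users` table, the `DataSource` lookup and the `PasswordHasher.matches` helper are all assumptions for the sake of the example; the two classes go in separate files (`AuthFilter.java`, `LoginServlet.java`) because Java allows one public top-level class per file.

```java
// AuthFilter.java  (added example; javax.servlet API as shipped with Tomcat 4/5)
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped in web.xml to every protected URL (e.g. <url-pattern>/app/*</url-pattern>).
public class AuthFilter implements Filter {
    // Name of the session attribute the login servlet sets (assumed name).
    static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): do not create a session merely to inspect it.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;                       // stop the chain; protected page never runs
        }
        chain.doFilter(req, res);
    }
}

// LoginServlet.java  (added example; mapped to /login)
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

public class LoginServlet extends HttpServlet {
    // Assumed to be obtained from JNDI (e.g. java:comp/env/jdbc/app) in init().
    private DataSource dataSource;

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null || !isValid(username, password)) {
            // Missing or wrong credentials: show the form again, never echo the input.
            response.sendRedirect(request.getContextPath() + "/login?error=1");
            return;
        }
        // Drop any session that existed before login so the id handed out earlier
        // is not the one that becomes authenticated, then set the flag the filter checks.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = request.getSession(true);
        session.setAttribute(AuthFilter.USER_ATTR, username);
        response.sendRedirect(request.getContextPath() + "/app/home");
    }

    // The username is bound as a parameter, so quotes or SQL keywords inside it are
    // compared literally instead of being parsed as part of the statement.
    private boolean isValid(String username, String password) throws ServletException {
        String sql = "SELECT password_hash FROM users WHERE username = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                // PasswordHasher.matches is an assumed helper that verifies a
                // salted hash; plaintext passwords should not be stored.
                return rs.next() && PasswordHasher.matches(password, rs.getString(1));
            }
        } catch (SQLException e) {
            throw new ServletException("credential lookup failed", e);
        }
    }
}
```

The filter is what gives the "every page from there on" check a single home, so no individual JSP can forget it. Per John's reply, the `/login` URL (and, to keep the session id off the wire in the clear, the pages behind it) should be served over SSL; in Tomcat that is a `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` security constraint in web.xml plus an SSL connector in server.xml.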

jobollin (1557)
8/4/2003 6:16:41 PM