
Website Security Issues

This is more of a general question rather than a specific problem.

I'm coding an ASP.NET with C# website with user login and admin controls etc. and I obviously want the website to be as secure as possible, because if someone accessed the admin side they could potentially drop all SQL tables etc.

Therefore I'm asking for a bit of guidance in terms of how to make sure my website is secure. I've found a few posts on Google and stuff but not really found anything worth reading. If anyone can redirect me to a decent post, or just warn me of any measures I have not taken into consideration.

What I've done so far is:

When a user/admin enters their login details, it is authenticated using SQL connections to retrieve usernames and passwords from the database. If they exist, a session is created using the user's unique ID with Session["_userID"] = id;

This is the ONLY place in the entire website where a session is created.

On ALL the pages that have any type of restriction, on the page load, the first piece of code that runs checks if Session["_userID"] exists. If it exists, it loads the page as usual; if not, it purely redirects to the login page.

protected void Page_Load(object sender, EventArgs e)
{
    // Deny access unless login.aspx has already stored the user's id in the session
    if (Session["_userID"] == null)
    {
        // endResponse: true stops execution here, so no page code below runs
        Response.Redirect("login.aspx", true);
    }
    // rest of page loads
}

I'm not sure if this is easily hackable or even secure.

The only time a session is destroyed is when it either runs out, or the user logs out, using:

Session.Abandon();

These are pretty much the only security measures in place.

Is This Enough?

My Website Needs to be HACK PROOF

Thanks for reading!

Alex
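As an added example (not from the question or either answer), here is one way to make the per-page check described in the question harder to forget: put it in a base class that every restricted page inherits from, so a page that simply omits the check cannot be reached without a session. The class name RestrictedPage, the session key "_userID" and the login URL are taken from or assumed for the question; this is illustrative Web Forms code, not an official ASP.NET pattern.

```csharp
using System;
using System.Web.UI;

// Hypothetical base class for every page that requires a logged-in user.
// Restricted pages inherit from this instead of System.Web.UI.Page, so the
// authorization check runs before any of the page's own code.
public class RestrictedPage : Page
{
    // Session key as used in the question (assumed value).
    protected const string UserIdKey = "_userID";
    private const string LoginUrl = "~/login.aspx";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Session state is already available at Init, so the check can run
        // here, before Page_Load of the derived page.
        if (Session[UserIdKey] == null)
        {
            // endResponse: true ends the request immediately; nothing further
            // in the page lifecycle (Load, PreRender, Render) executes, so a
            // page can never leak its content to an unauthenticated request.
            Response.Redirect(LoginUrl, true);
        }
    }

    // Convenience accessor for pages that need the current user's id.
    protected int CurrentUserId
    {
        get { return (int)Session[UserIdKey]; }
    }
}

// A restricted page then carries no authorization code of its own.
public partial class AdminDashboard : RestrictedPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only reached for requests that carry a valid session.
        int id = CurrentUserId;
    }
}
```

The point of the base class is that the security decision lives in one place: a reviewer can confirm every page under the admin area derives from RestrictedPage, rather than reading the top of every Page_Load. Note that this still only checks that a session exists; it does not distinguish an ordinary user from an admin, which would need a role stored alongside the id or, as the first answer suggests, the framework's own membership and roles support.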

Firstly, make sure there is no ability whatsoever for anyone - website admin or not - to drop tables from your database via a web UI. Have a look at the section about "Applying the principle of least privilege" in here.

Secondly, stop writing your own authentication and authorisation schemes; all the hard work has been done for you already and it's just a few clicks away in the membership provider. This will do everything you're asking for and many things you haven't mentioned but probably should have, such as proper salting and hashing of passwords. Have a look at "Using the ASP.NET membership provider" in this post.

Finally, you're not "hack proofing" your website, you're simply increasing the level of difficulty to the point where it becomes highly unlikely. If you're serious about security, I suggest reading through this series about The OWASP Top 10 for .NET developers. Good luck!
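To illustrate the second point of this answer, the following is an added example (not the answerer's code) of a login and logout handler built on the ASP.NET membership provider and forms authentication rather than a hand-written Session["_userID"] scheme. It assumes web.config has `<authentication mode="Forms">` with a loginUrl of login.aspx and a configured membership provider, and that the page has controls named txtUser, txtPassword and lblError (all assumed names).

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the login page. The application never reads password
// rows itself: the provider stores salted hashes and performs the check.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // ValidateUser compares the submitted password against the provider's
        // stored salted hash and applies the provider's lockout policy.
        if (Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            // Issues the forms-authentication cookie and returns the user to the
            // page they originally requested. With the default settings, return
            // URLs pointing outside this application fall back to the default
            // URL, which avoids using the login page as an open redirect.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // One message for both "unknown user" and "wrong password", so the
            // login form does not reveal which usernames exist.
            lblError.Text = "Invalid username or password.";
        }
    }

    // Logout handler, typically placed on a shared master page.
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut(); // remove the authentication cookie
        Session.Abandon();             // drop any server-side session state too
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

With this in place, restricting pages no longer needs code at all: a `<location path="admin">` element in web.config with `<authorization><deny users="?" /></authorization>` (or `<allow roles="Admin" /><deny users="*" />` once roles are enabled) rejects unauthenticated requests before any page code runs, and individual pages can still consult `User.Identity.IsAuthenticated` or `User.IsInRole(...)` where they need finer control. The database account used by the membership provider and the rest of the site should, per the first point of this answer, hold only the table-level rights the application needs and no permission to drop or alter schema.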

Making your site "HACK PROOF" is probably impossible. At best you can make it very difficult to hack, definitely script kiddie proof, but not to a determined and experienced hacker.

You need to decide how much risk you are willing to take, as there are numerous things you need to take into account. How much time and effort are you willing to put in and for what return on minimizing what risk.

I suggest you head over to the OWASP site and start reading.
