stackoom
  简体   繁体   中英

How to securely set up cookie-based authentication in classic ASP?

 原文  2011-08-04 02:12:34       authentication/ cookies/ asp-classic

Question

What would be the most secure method of using cookies to authenticate users in a classic ASP website?

I don't want to use the ASP Session object as the session cookie times out after a while, and I'd like the user to be able to keep their login to the website active between separate browser runnings.

However, I don't want to just create a cookie containing their user ID as that could be easily forged - so what are my options here? I guess some sort of encryption but I don't really know what the standard methods of doing this is.

3 answers

solution1
 0  2011-08-04 04:43:02

Your options here are pretty much limited.

Get your users to log back in again; best security approach.

solution2
 0  2011-08-06 12:53:57

This obviously applies much wider than just ASP.

The best way would be to hash the password... you should be doing this in any case where you store it in database.

The hash is a cryptographic function - when you run a string through it (eg password) you get out a long code. If the input is the same, the output is always the same.

But (this is the important bit) its mathematically virtually impossible to reverse the process - to start with the hashed value and work out the password, other than brute force (someone hashes dictionary, or random strings and looks for output that matches the hash they have).

So when the user sets up account, they put in their desired password, but you hash this, and store that. Similarly in the cookie, after they login you store the hash, not the password, and this has is compared with the hash in the db.

The downside is you can't send a password reminder since you don't know the password - to you'd have to send a password reset link and have a system to do that.

If you're really paranoid you might double hash, eg when they login the password is hashed once and stored in cookie. Its then hashed again and compared with the password in db (which is also double-hashed).

solution3
 0  2011-11-17 15:56:18

Don't Do It

Maintaining a user login quote "...between separate browser runnings" is not secure. IMHO, when you close the browser a previous login should be gone. Suppose your visitor was using a community pc at a coffee shop.

If you maintain this login the potential for the next community user to open the browser, navigate to your website and "poof" they are automatically logged in as the previous user.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to use cookie-based authentication with SignalR? Vue cookie-based authentication in Laravel Cookie-based Forms Authentication Across MVC 5 and ASP.NET Core applications .NET cookie-based authentication without forms authentication Cookie-based authentication works on desktop browsers but not on mobile ones Using token-based together with cookie-based authentication without email Can not retrieve cookie-based TempData after Google authentication with account selection ASP.NET Core 2.0 Preview 1: How to set up Cookie Authentication with custom login path How to set up cookie based authentication with NancyFx and IdentityServer3 (non-API website) How to Set Up CORS enabled domain authentication cookie .Net Core?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM