Applied Login Security
page 2 of 6
by Tim Musschoot
Feedback
Average Rating: 
Views (Total / Last 10 Days): 30772/ 96

Security Implementations

Everybody who has some experience in the software business, knows there is no absolute security.  The most secured computer is the one that is in a bunker, about 500m below earth surface, without any connection to the outside world.   However, this is not a practical solution for a computer that needs to run a webbased application.

 

So does this mean you cannot prevent unauthorized access?  Yes and no.  You cannot prevent it 100%, but you can really decourage people from trying.

 

Basic security : Login screen

 

In order to secure you webapplication, you will need to provide a way to control who has access to the site and who has not.  Simply telling people they are not allowed to do so, does not work !  Controlling the access is done by form of identification of the user.  Once you know who the user is, you can tell him if he has access or not.  In practice, this is done through a login.  The user needs a login name, that uniquely identifies the user, and a password only he can know, to prove his is really the user he claims he is.  If you apply a login, and a mechanism that makes this login the only access point to your application, you are half way.

 

User management

 

Once you have a login screen, and an application to secure, you will need a way to tell who has access or not.  In practice, the most common technique it to tell who has access.  Everyone else does not.  Unless you want to create a list containing everybody in the world who does not have access…  But feel free to try, you would surely have a scoop with your system !

There are a lot of ways to maintain a list with authorized users.  The most common techniques are user databases and Windows based authentication (using the authorized user list of a Windows host).  Because Windows based authentication depends on the Windows user administration, this option will not be discussed in this paper.

 

In the next paragraphs, managing users through a database will be reviewed.

 

Database based login mechanisms

 

A login system based on a user database is very easy to create.  You need a database containing a list of user names and passwords, and a login screen.  When the user entered his credentials, you have to validate if the user is in the database.  If he is, he can access the system, otherwise, he cannot.  Because of it’s simplicity, it is the most common used login system.

 

When you look around on the internet, you can find a lot of sites providing a login system.  Most sites will indeed manage their users through a database.  However, a lot of (I’d say 70%-80%) sites are not created by security professionals.  The people who create the login might well know how to create it, but they are unaware of the methods used to ‘hack’ these systems.  And as always, people that want to avoid certain restrictions are always one step ahead of people installing these restrictions.

 


View Entire Article

User Comments

Title: webbased login security   
Name: nikunj patel
Date: 2009-08-16 11:29:27 AM
Comment:
can u put the full information about the WEBBASED LOGIN SECURITY.....caz i want to really know abt all this tofic
Title: great   
Name: Shiv Kumar
Date: 2008-08-11 4:34:18 AM
Comment:
Really helpfull......
Title: help me   
Name: noha
Date: 2006-03-09 5:02:47 AM
Comment:
hi, i programmed and designed pages with ASP and used session for security but i have problem , the session disappear .
when send the session for multi pages the session become null.
Title: Excellent   
Name: Amit
Date: 2005-12-10 2:43:27 AM
Comment:
Another good one keep them coming
Title: good   
Name: john
Date: 2005-09-19 9:23:06 PM
Comment:
very helpful to the benginner
Title: Good Stuff   
Name: Nicholas
Date: 2005-06-27 3:20:55 AM
Comment:
Great Article! Keep writing
Title: security topics   
Name: srinivas
Date: 2005-05-01 1:53:45 AM
Comment:
Very good
Title: impressed   
Name: rudra
Date: 2004-06-18 4:02:13 PM
Comment:
hi tim,

i love your article, its great these u cannot find it in books . i am highly impressed with your article.
thanks keep writing these type of article. can u suggest a book on asp.net security.you can mail me at this address rudra_mah@rediffmail.com.
bye






Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2019 ASPAlliance.com  |  Page Processed at 2019-09-21 1:35:54 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search