
Simple Security with ASP


November 30, 2001


With the outbreak of some of the nastiest computer viruses ever to be unleashed, not to mention recent events in New York, Washington D.C., Pennsylvania and Florida, many people have become much more focused on security than ever before. As web developers, we too must be aware of security concerns. While our efforts will probably never lead us to securing a government website or involve us in something as important as national security, we will often run into occasions where we need to secure sections of a website or protect credit card transactions.



This series of articles will explore simple but effective methods of securing your websites. You will find that a great deal of the work is already done for you. This is what we will be discussing:

  • Understanding the level of security.

  • Using a Session variable to track login status.

  • Creating a simple login page.

  • Securing your pages.

  • Using cookies for automated login.

  • Using SSL for your payments page.

  • Tie it together with your database.

  • Updating your login page.

  • Storing user IDs.

  • Storing passwords.

  • Storing accessibility information.



Understanding the level of security


 

Before beginning to add any security to a site you first need to determine not only what you want to secure but how secure it needs to be. First examine your security needs. Are you securing your entire site or just portions of it? Is the information that you are securing of a sensitive nature, like credit card numbers, social security numbers, etc.? Will you be needing multiple levels of security (for example, User A gets access to 3 secured sections of your site but User B should only be able to access 1 part of your site)?

 

Are you securing your entire site or just portions of it?

 

Obviously, securing an entire site is much simpler than securing portions of it. However, securing portions of a site, like a subscriber-based section or a section that is available only to registered customers who have purchased a particular software package, will probably be the situation that you run into most often. Rarely will you run into an occasion where you want to limit public view of an entire website. After all, one of the web's best benefits is that it is a 24-hour, on-demand advertising platform. For the purposes of our examples we will be creating a site that has a subscriber section that we want to have secured.

 

Is the information that you are securing of a sensitive nature, like credit card numbers, social security numbers, etc?

 

Does this really matter? Why don't I just encrypt everything?

 

One simple reason: it slows the whole process down. In order to encrypt your pages, the server and the client go through a very complex series of transmissions back and forth to one another in order to encrypt and decrypt every packet. Here is a basic explanation of the encryption process:

 

First: A client requests an SSL (Secure Sockets Layer) connection with the server

Second: The server sends a Certificate (I'll explain the certificate in a second)

Third: The client validates the Certificate, creates a session key and encrypts the session key with the public key from the Certificate

Fourth: The server decrypts the session key and establishes the encrypted connection


That's not so bad; however, you have yet to send any "real" information. All you have right now is an established connection. Now it gets interesting. The Certificate that the server sent out is what makes this whole process work. A Certificate is obtained from a Certificate Authority, which is sort of like a notary public that verifies the Certificate's authenticity, hence the name. The Certificate contains the common name of the server, which ties it to that host name and makes it impossible to use on other servers. It also uses keys, a public and a private key, to create and verify a secured connection. The keys are an important part of the verification process.


While cryptography is a fascinating science, it is well beyond the scope and space limitations of this article. I hope this satisfies your general curiosities. For more information check out Microsoft's web site at http://msdn.microsoft.com.


Once the connection is established each packet must be encrypted on the server and decrypted by the client once it is received and vice versa. This includes anything and everything on the page that you are sending like images, animations, etc. This is why it is very important to consider whether the information that you are displaying or sending is of a sensitive nature.


In our example, I will be securing some pages that are only available to subscribers. The pages contain simple tutorials and do not contain any company secrets or sensitive information, therefore, I will not be using SSL to secure those pages. I will also be securing a page that allows clients to pay for their subscriptions with a credit card. This page will obviously contain sensitive information and I will be using SSL to secure this page.


Will you be needing multiple levels of security?


This adds a level of complexity to your security. If each individual user has a different set of rights and privileges you will obviously be looking at a database-driven solution. If you are simply securing each section with a single password then a straightforward hard-coded solution should suffice.

 


Use a Session Variable to Track Login Status



Now that you have determined what kind of security you are going to add, you can move on to the next step, tracking the user's status. There are a few ways that you can approach tracking login status.


The first is passing the user's login status via the URL and using Request.QueryString to retrieve it on each page. While this is a simple solution, it is not very secure, since anyone can view your "status code" in the URL and simply bypass any security that you have added by recreating the URL. While the average user may not understand how this is happening, simply forwarding the URL to a friend or saving the page in their favorites will allow them to bypass any login procedure that you have put in place.


Another approach would be to use a session variable for tracking. Session variables are an ideal solution for your security. Using a session variable allows you to keep a user's login status secret on the server and imposes an "automatic" time limit on its use. You can set the time limit with Session.Timeout, which defaults to 20 minutes of idle time before ending the user's session.


"But I have heard that using session variables is inefficient and a bad idea." While it is true that session variables do create a strain on your server when overused, they also serve a very useful purpose in some instances like, say, tracking a user's login status.


There is one important consideration when using session variables: they don't work unless the client has cookies turned on. While it is true that almost every user that comes to your site will have cookies turned on, you must take into consideration that it is not a given. The average user probably does not understand what a cookie is, let alone how to turn them off, and virtually all browsers commonly in use now support cookies and turn them on by default. Still, it may be worth posting a note on your login page that tells the user that they must have cookies "turned on" before they will be able to access the secure areas of your site. You could also conduct a simple test to verify that cookies are enabled. I will give you an example of a simple test for cookies below.

 


Creating a Simple Login Page



Now that you have determined what you need to secure and how you are going to track your users, you will need a login page for the user. The login page below will verify the User Name and Password, display an error message when an incorrect entry is made, and redirect the user to your content page when a correct entry is given.


<% 
' ************************************************************************
' Check for enabled cookies by creating a test session variable and
' recalling the login page. If the session variable retains its value
' then your test is successful. QueryString values are strings, so the
' "test" flag is compared with the string "1" rather than the number 1.
' ************************************************************************
If Session("Access_Status") = "" _
AND Request.QueryString("test") <> "1" then

Session("Access_Status") = "Test"
Response.Redirect "login.asp?test=1"

ElseIf Session("Access_Status") = "" _
AND Request.QueryString("test") = "1" then

Response.Redirect "cookie_error.asp"

End If 


' ************************************************************************
' Verify User Name and Password. If correct set Session variable = Granted
' to check against on secure pages. Redirect User to the secured content.
' ************************************************************************
If LCase(Trim(Request("User_Name"))) = "user" _
AND Request("Password") = "password" then

Session("Access_Status") = "Granted"
Response.Redirect "Content.asp"

' ************************************************************************
' If not correct User Name and Password and user attempted to enter
' something, change status to Denied. Use this value to know when
' to display an error message.
' ************************************************************************
ElseIf Request("User_Name") <> "" _
OR Request("Password") <> "" then

Session("Access_Status") = "Denied"

' ************************************************************************
' Must be an initial view or the User entered nothing. Make sure the
' Access_Status = "" so the page will display without an error message
' ************************************************************************
Else

Session("Access_Status") = "Test"

End If 
%> 


<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Login Page</title>
</head>

<body>

<p style="margin-top: 2; margin-bottom: 2"><font face="Arial Black" size="5">Welcome
to Security-R-Us.com . . .</font></p>
<p style="margin-top: 2; margin-bottom: 2"><font face="Arial Narrow" size="3">Security-R-Us.com,
only where we want you to be.</font></p>
<hr align="left" width="80%" color="#000000">
<p style="margin-top: 2; margin-bottom: 2">&nbsp;</p>
<div align="center">
<center>
<table border="0" cellpadding="4" cellspacing="0" width="60%" style="background-color: #C0C0C0; color: #000000; border: 4 ridge #000000; margin-top: 2; margin-bottom: 2">
<tr>
<td width="100%">
<p style="margin-top: 2; margin-bottom: 2"><font size="4" face="Arial"><b>Please
Login below:</b></font></p>

<% ' ************************************************************************ %>
<% ' Display error message when an incorrect User Name or Password is entered %>
<% ' ************************************************************************ %>
<% If Session("Access_Status") = "Denied" then %>

<p style="margin-top: 2; margin-bottom: 2" align="center"><font size="2" face="Arial" color="#FF0000">***
The User Name and/or Password you entered were incorrect. Try Again. ***</font></p>
<% End If %>

<form method="POST" action="login.asp">
<p style="margin-top: 2; margin-bottom: 2"><font face="Arial">User
Name: <input type="text" name="User_Name" size="20"></font></p>
<p style="margin-top: 2; margin-bottom: 2"><font face="Arial">Password:
<input type="password" name="Password" size="20"></font></p>
<p style="margin-top: 2; margin-bottom: 2">&nbsp;</p>
<p style="margin-top: 2; margin-bottom: 2" align="center"><input type="submit" value="Login" name="Login" style="background-color: #FFFFFF; font-family: Arial Black; font-size: 12pt; color: #000000" tabindex="3">&nbsp;&nbsp;&nbsp;&nbsp;
<input type="reset" value="Reset" name="Reset" style="background-color: #FFFFFF; color: #000000; font-family: Arial Black; font-size: 12pt" tabindex="4"></p>
</form>
</td>
</tr>
</table>
</center>
</div>

</body>

</html>


The very first block of code executes a simple test to determine if cookies are enabled in the user's browser. The logic is very straightforward. First, I check to see if our Session variable "Access_Status" is null and if our QueryString variable "test" is null. If both are null it is assumed that this is the first time the user has visited this page. I then set the Session variable "Access_Status" = "Test" and call the login page with the QueryString "test" set equal to 1. This way I know that the first phase of the test has been completed. On the next trip to the page the QueryString will be equal to 1. If the Session variable we used is still null then I redirect the user to a new page called cookie_error.asp which lets them know that they must use a browser that supports cookies and that cookies must be enabled. If the QueryString "test" is equal to 1 and the Session variable is not null then I move on to the user name and password verification.


The page continues with a simple If...Then statement. I use Trim to get rid of any extra spaces and LCase to make a case-insensitive comparison. I want the Password to be exact, so I leave the comparison case sensitive and I do not get rid of any extra spaces. If the user has entered the correct User Name and Password, I set "Access_Status" equal to "Granted" to check against on secured pages and then I redirect the user to the content that they want to view.


If no correct match is made, I check whether they made an attempt at entering the User Name and Password by testing whether the User_Name and Password fields contain anything. If an attempt was made I then set the session variable "Access_Status" equal to "Denied". I will then use this to display an error message when the page reloads.


If both of the previous criteria fail then there were either no entries made or this is the first time the page is being viewed. Either way, we just need to display the basic form, so we reset the "Access_Status" equal to "Test" to make sure the error message does not display and to skip the cookie verification.


Now you have a simple login page. I will add more features and flexibility to this page in a future part of the series.

 


Securing your pages



Now that your login page has been created it's easy to secure your pages. Simply add the following code to the top of any secured content page, making sure that the page has the .asp extension so the check runs on the server before anything is sent.



<% Option Explicit %>

<%
' ***************************************************
' Check to see if user has access to this page
' ***************************************************
If Session("Access_Status") <> "Granted" then

Response.Redirect "login.asp"

End If

%>


What could be simpler than that? If they don't have access then send them to the login page. You have now added basic security to your website.
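To see the whole flow end to end, here is an added Python model of the login page and of the content-page guard above; it is example code written for this article's logic, not the article's own ASP, and the page functions, the browse() helper and the request sequences are assumptions made for the model.

```python
"""Added model of the article's login flow (not the article's own ASP code).
Each page is a function taking the client's Session dict, query string and
POST form, returning ("200", body) or ("302", redirect_url). With
cookies_enabled=False the server sees an empty Session on every request,
which is exactly the condition the article's cookie test is meant to catch."""
VALID_USER, VALID_PASSWORD = "user", "password"  # hard-coded, as in the article

def login_asp(session, query, form):
    access = session.get("Access_Status", "")  # Empty compares equal to "" in VBScript
    # Cookie test: first visit sets a marker and bounces back with test=1.
    if access == "" and query.get("test") != "1":
        session["Access_Status"] = "Test"
        return "302", "login.asp?test=1"
    if access == "" and query.get("test") == "1":
        return "302", "cookie_error.asp"
    # Credential check: user name trimmed and case-insensitive, password exact.
    user_ok = form.get("User_Name", "").strip().lower() == VALID_USER
    if user_ok and form.get("Password") == VALID_PASSWORD:
        session["Access_Status"] = "Granted"
        return "302", "Content.asp"
    if form.get("User_Name") or form.get("Password"):
        session["Access_Status"] = "Denied"  # tells the page to show the error
        return "200", "login form + error"
    session["Access_Status"] = "Test"  # first view or empty submit
    return "200", "login form"

def content_asp(session, query, form):
    # The guard the article places at the top of every secured .asp page.
    if session.get("Access_Status") != "Granted":
        return "302", "login.asp"
    return "200", "subscriber content"

PAGES = {"login.asp": login_asp, "Content.asp": content_asp,
         "cookie_error.asp": lambda s, q, f: ("200", "enable cookies")}

def browse(requests, cookies_enabled=True):
    """Replay (page, query, form) requests, following redirects; return the trail."""
    session, trail = {}, []
    for page, query, form in requests:
        while True:
            if not cookies_enabled:
                session = {}  # no session cookie comes back, so it is a new Session
            status, target = PAGES[page](session, query, form)
            trail.append((page, status, target))
            if status != "302":
                break
            page, _, qs = target.partition("?")  # a redirect is a GET: form is dropped
            query, form = dict(p.split("=") for p in qs.split("&") if p), {}
    return trail
```

Replaying a first visit, a failed login and a successful one shows the test redirect, the error page, and finally Content.asp, while a direct request to Content.asp without a session is bounced straight to login.asp.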

 
