How secure is the security from my security form?

Discussion in 'Java' started by Aaron, Jul 28, 2003.

  1. Aaron (Guest)

    Hey, I have a question about how secure the following will be....

    I want to have a login form that posts to itself, so when it loads it checks
    if there is a username and password on the query list.

    If there is not, it asks for one.

    If there is, it checks to see if the information is valid.

    If it is not valid, it deletes the attributes and calls itself again.

    If it is valid it sets a particular session variable to be some value and
    redirects to the next page.

    Every page from there on in will check to see if the session variable is set
    and if not will redirect back to the login page.

    Are there any security risks/holes that I should know about?

    Thanks in advance,
    Aaron

    PS I do have access to Tomcat, but have been unable to figure out how to set
    it up (this is my first time setting up security for a site) - so if anyone
    has any tips/links that information would be most appreciated. Thanks
    again.
     
    Aaron, Jul 28, 2003
    #1
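    The flow Aaron describes, written out as an added example (this is editor-supplied code, not code posted in the thread): a login servlet that posts to itself, asks for credentials when none are present, re-shows the form when they are invalid, and on success sets a session attribute and redirects; a filter then guards every other page by checking that attribute. It assumes the Servlet 3.0 API (`javax.servlet`), a hypothetical `CredentialStore` that the application has put in the servlet context under the name `credentialStore`, and the paths `/login` and `/home`; the filter is assumed to be mapped to the protected URLs in web.xml. Two details go beyond Aaron's description and are worth calling out: the form uses POST so the password is not carried in the URL (and so not in server logs or browser history), and the pre-login session is invalidated before the attribute is set so that a session ID planted by an attacker (session fixation) does not become the authenticated one.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical credential back end; the servlet only needs a yes/no answer.
interface CredentialStore {
    boolean verify(String username, char[] password);
}

// Login page that posts to itself: GET renders the form, POST checks credentials.
public class LoginServlet extends HttpServlet {
    // Name of the session attribute every protected page checks for.
    static final String USER_ATTR = "authenticatedUser";

    private CredentialStore store;

    @Override
    public void init() {
        // Assumed: the application registers its CredentialStore here at startup.
        store = (CredentialStore) getServletContext().getAttribute("credentialStore");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        renderForm(resp, null);                         // no credentials yet: ask for them
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            renderForm(resp, null);
            return;
        }
        char[] pw = password.toCharArray();
        boolean ok = store.verify(username, pw);
        Arrays.fill(pw, '\0');                          // do not keep the password around

        HttpSession existing = req.getSession(false);
        if (existing != null) {
            existing.invalidate();                      // drop whatever state the client arrived with
        }
        if (!ok) {
            // One generic message: do not reveal whether the username exists.
            renderForm(resp, "Invalid username or password.");
            return;
        }
        // Fresh session, created only after a successful check, carries the flag.
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, username);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private void renderForm(HttpServletResponse resp, String error) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        if (error != null) {
            out.println("<p>" + error + "</p>");      // fixed text, never user input
        }
        // No action attribute: the form posts back to this same URL.
        out.println("<form method=\"post\">");
        out.println("Username: <input type=\"text\" name=\"username\"><br>");
        out.println("Password: <input type=\"password\" name=\"password\"><br>");
        out.println("<input type=\"submit\" value=\"Log in\">");
        out.println("</form></body></html>");
    }
}

// Mapped in web.xml to every protected URL: no attribute, no access.
class AuthFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);    // false: do not create one just to check
        if (session == null || session.getAttribute(LoginServlet.USER_ATTR) == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

    Using a filter rather than pasting the check into each page means a page that forgets the check is not silently left open; the filter mapping, not the page, decides what is protected. Note that `getSession(false)` is used in the filter on purpose: calling `getSession()` would create an empty session for every anonymous visitor, which is wasteful and makes the "is there a session at all" test meaningless.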

  2. Aaron wrote:
    > Hey, I have a question about how secure the following will be....
    >
    > I want to have a login form that posts to itself, so when it loads it checks
    > if there is a username and password on the query list.
    >
    > If there is not, it asks for one.
    >
    > If there is, it checks to see if the information is valid.
    >
    > If it is not valid, it deletes the attributes and calls itself again.
    >
    > If it is valid it sets a particular session variable to be some value and
    > redirects to the next page.
    >
    > Every page from there on in will check to see if the session variable is set
    > and if not will redirect back to the login page.


    This is a fairly common kind of setup. You may find that you want the
    session attribute to be more meaningful or functional than a simple
    flag, but the basic idea is the same.

    > Are there any security risks/holes that I should know about?


    Standard HTTP messages are not encrypted, so it is possible for them to
    be intercepted and user credentials stolen. If you want to worry about
    this then one solution is to use SSL for the login form.

    Once you have established an authenticated session, it is possible for
    the session cookie or session id parameter to be intercepted and the
    session hijacked. SSL can address this problem as well, if you care to
    worry about it.

    In general, you need to encrypt HTTP traffic for strong security.

    There are also a number of common types of webapp vulnerabilities to worry
    about on every page, most of which have to do with unexpected data being
    passed to the server. SQL injection attacks are one variant. Google
    for "webapp security". These are mostly orthogonal to the issue of data
    interception, and therefore are not addressed by encryption.

    Finally, make sure to secure the server(s) on which the application is
    running. It doesn't matter how secure the application is if someone can
    bypass it to get to the data.


    John Bollinger
     
    John C. Bollinger, Aug 4, 2003
    #2
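    Two of John's points translate directly into server-side code, shown here as an added example (editor-supplied, not code from the thread). First, the credential lookup behind the login form: it uses a `PreparedStatement` parameter marker so that whatever the user typed is passed to the database as data rather than spliced into the SQL text, and it compares a salted PBKDF2 hash in constant time instead of storing or comparing plaintext passwords. Second, a context listener that marks the session cookie `Secure` and `HttpOnly`, so the cookie is never sent over plain HTTP and cannot be read by page scripts, which narrows the session-hijacking window John mentions once the site is behind SSL. Assumptions: Servlet 3.0 API, a `javax.sql.DataSource` configured in Tomcat, a hypothetical table `users(username, salt, hash, iterations)` with Base64-encoded `salt` and `hash`, and the listener registered as a `<listener>` in web.xml.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.sql.DataSource;

// Credential check that keeps user input out of the SQL text and never handles
// stored plaintext. Assumed schema: users(username, salt, hash, iterations).
public class JdbcCredentialStore {
    private static final int KEY_BITS = 256;   // PBKDF2 output length in bits
    private final DataSource ds;

    public JdbcCredentialStore(DataSource ds) {
        this.ds = ds;
    }

    public boolean verify(String username, char[] password) {
        // The '?' is a bind parameter: a username of  ' OR '1'='1  is matched
        // literally against the column, it does not change the query.
        String sql = "SELECT salt, hash, iterations FROM users WHERE username = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;                      // unknown user
                }
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                byte[] stored = Base64.getDecoder().decode(rs.getString("hash"));
                int iterations = rs.getInt("iterations");
                byte[] computed = pbkdf2(password, salt, iterations);
                // Constant-time comparison: does not leak how many bytes matched.
                return MessageDigest.isEqual(stored, computed);
            }
        } catch (SQLException e) {
            throw new IllegalStateException("credential lookup failed", e);
        }
    }

    // Salted, iterated hash; the same routine is used when a password is set.
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            try {
                return f.generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword();
            }
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        }
    }
}

// Registered in web.xml as a <listener>. Applies to the container's JSESSIONID cookie.
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setSecure(true);      // only sent over HTTPS, never in the clear
        cfg.setHttpOnly(true);    // not visible to document.cookie
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

    One caveat a reviewer would raise: as written, an unknown username returns before any hashing is done, so a response-time difference distinguishes "no such user" from "wrong password". If that matters for the site, run `pbkdf2` against a fixed dummy salt on the miss path as well so both paths cost the same. Marking the cookie `Secure` only helps if the whole authenticated part of the site is served over SSL; a single page fetched over plain HTTP would otherwise simply not receive the cookie and would bounce the user back to the login form.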