Login script

Matt said:
I've put together a forum (without the forum bit!) that requires
registration and login. Could someone have a quick look and see what they
think in terms of password security or any other issues?
http://d168790.u33.dc-servers.com/forum/forum.asp


I'm surprised you're mixing this:

<LINK rel="stylesheet" type="text/css" href="">

with this:

<BODY bgcolor="#ffffff" leftmargin="10"
topmargin="10" marginwidth="0" marginheight="0">
<TABLE width="100%" border="0" cellspacing="0"
cellpadding="0" bgcolor="#ffffff">
<BR><BR>

....and don't have a doctype definition.

I can't see the actual login.asp script.

Augustus

Matt said:
I've put together a forum (without the forum bit!) that requires
registration and login. Could someone have a quick look and see what they
think in terms of password security or any other issues?
http://d168790.u33.dc-servers.com/forum/forum.asp

You don't really have much there... honestly it looks like you put no
thought into it at all

A couple of things:

1) You don't give any error messages
2) If I type in something and leave another field blank and hit SUBMIT on
the signup form, what I typed in should be filled in on the form (and then
an error message below or around the items that I didn't fill out telling me
that I didn't fill them out)
3) For "password" you should have the user type it in twice and then check
that the two match... if they do then the password is ok, if they don't then
tell the user the 2 passwords don't match. What if somebody has a crappy
keyboard where a key doesn't work sometimes, or they type so fast and
sometimes typos are made?
4) You should line things up
5) You don't need the same size input boxes for everything. For password
you have SIZE=10 MAXLENGTH=40... why are you giving me so much room if I can
only enter 10 characters?
6) For email I entered "test" and it accepted it... didn't check for any of
the basic elements that make up an email address
7) For security, you shouldn't let people's username be the same as password
8) You should include a "REMEMBER ME" option... if I select this you should
write a cookie with my userID so that I don't have to log in next time I
come back

Ok, that's more than a couple... it'll give you something to start with
though...

Clint
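Items 1, 2, 3, 6 and 7 of the list above as server-side checks, written here as an added example (not code from the thread or from Matt's site). The signup form is assumed to post fields named username, email, password and password2; for item 8 the cookie holds a random token that is looked up server-side rather than the bare userID, since a cookie containing only the userID can be edited by whoever holds it.

```python
import hashlib
import re
import secrets

# Assumed field names of the signup form.
REQUIRED = ("username", "email", "password", "password2")
# "Basic elements" of an address: something@something.something, no spaces.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_signup(form):
    """Return (errors, refill): errors maps field -> message to show beside it,
    refill holds the submitted values to put back in the form (never passwords)."""
    errors = {}
    for field in REQUIRED:                       # item 1/2: say which field is missing
        if not form.get(field, "").strip():
            errors[field] = "Please fill in this field"
    if "password" not in errors and "password2" not in errors:
        if form["password"] != form["password2"]:  # item 3: typed twice, must match
            errors["password2"] = "The two passwords don't match"
    if "email" not in errors and not EMAIL_RE.match(form["email"]):
        errors["email"] = "That doesn't look like an email address"  # item 6
    if "username" not in errors and "password" not in errors:
        if form["username"].strip().lower() == form["password"].lower():
            errors["password"] = "Password must not be the same as the username"  # item 7
    refill = {k: v for k, v in form.items() if k not in ("password", "password2")}
    return errors, refill


def issue_remember_token(user_id, store):
    """Item 8: create a random 'remember me' token for user_id and record only its
    hash in `store` (assumed dict standing in for a database table); return the
    token to be written into the cookie."""
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = user_id
    return token


def lookup_remember_token(token, store):
    """Map a cookie token back to the userID, or None if it was never issued."""
    return store.get(hashlib.sha256(token.encode()).hexdigest())
```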

Matt

Augustus said:
You don't really have much there... honestly it looks like you put no
thought into it at all

A couple of things:

1) You don't give any error messages
2) If I type in something and leave another field blank and hit SUBMIT on
the signup form, what I typed in should be filled in on the form (and then
an error message below or around the items that I didn't fill out telling me
that I didn't fill them out)
3) For "password" you should have the user type it in twice and then check
that the two match... if they do then the password is ok, if they don't then
tell the user the 2 passwords don't match. What if somebody has a crappy
keyboard where a key doesn't work sometimes, or they type so fast and
sometimes typos are made?
4) You should line things up
5) You don't need the same size input boxes for everything. For password
you have SIZE=10 MAXLENGTH=40... why are you giving me so much room if I can
only enter 10 characters?
6) For email I entered "test" and it accepted it... didn't check for any of
the basic elements that make up an email address
7) For security, you shouldn't let people's username be the same as password
8) You should include a "REMEMBER ME" option... if I select this you should
write a cookie with my userID so that I don't have to log in next time I
come back

Ok, that's more than a couple... it'll give you something to start with
though...

Clint

Ok, forget about layout, validation etc. I did knock it up in a few
minutes. Can anyone see any security issues with password and personal
details? It just uses a MS Access db to store registered users, could this
present problems?

Matt

Matt

Toby A Inkster said:
Well it's difficult to see without the source.

Well the point is, the user can't see the source. Does that mean the
database cannot be hacked (and is therefore secure)?

Augustus

Matt said:
Well the point is, the user can't see the source. Does that mean the
database cannot be hacked (and is therefore secure)?

No, the user can't see the source of the page, because it is run on the
server and then the compiled results are sent as html and text...

That doesn't mean it is secure nor can it be hacked... you are using Access
as your database... if it's stored on the server in the website with a simple
name, somebody might be able to find it..

i.e. if it's: www.mysite.com/database.mdb then I can just type that url in
and download your database

Also, you are most likely using include files (if not you should be) and you
don't end them in .asp (a few years ago a lot of asp books suggested using
.inc to denote an include file) then they could possibly be found and opened

i.e. if you are using include files like mydsn.inc then enter the path
to the file with the name into your browser like
www.mysite.com/includes/mydsn.inc and see what happens... your asp
sourcecode isn't compiled on the server and therefore sent as HTML/text
(because it doesn't end in the .asp extension the server doesn't know it
should be compiled on the server)
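A defender's check for the two exposures Augustus describes, added here as an example (not code from the thread): it lists files under the web root whose extension the server would hand out as plain content (.mdb databases, .inc includes), and flags past requests for such files in a constructed log sample. The log format (date time client method uri status) and the paths database.mdb / includes/mydsn.inc are assumed, taken from the post.

```python
import os

# Extensions the thread says are served verbatim when they sit under the web root.
EXPOSED_EXTENSIONS = {".mdb", ".inc"}

# Constructed log lines (not a real server log): date time client method uri status.
SAMPLE_LOG = """\
2003-05-01 12:00:01 10.0.0.5 GET /forum/forum.asp 200
2003-05-01 12:00:07 10.0.0.5 GET /forum/database.mdb 200
2003-05-01 12:00:09 10.0.0.5 GET /includes/mydsn.inc 200
2003-05-01 12:00:12 10.0.0.9 GET /forum/login.asp 200
2003-05-01 12:00:15 10.0.0.9 GET /old/site.mdb 404
"""


def exposed_paths(paths, extensions=EXPOSED_EXTENSIONS):
    """Given web-root-relative paths, return those a browser could fetch as-is."""
    return sorted(p for p in paths if os.path.splitext(p)[1].lower() in extensions)


def scan_webroot(webroot, extensions=EXPOSED_EXTENSIONS):
    """Walk the web root and report every file a visitor could download directly.
    Fix is to move .mdb files outside the web root and rename .inc includes to .asp."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            found.append(rel.replace(os.sep, "/"))
    return exposed_paths(found, extensions)


def fetched_exposed(log_text, extensions=EXPOSED_EXTENSIONS):
    """Return the URIs of requests that actually received (status 200) an exposed file,
    i.e. evidence that the database or an include was already downloaded."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue                      # skip blank or malformed lines
        uri, status = parts[4], parts[5]
        if status == "200" and exposed_paths([uri], extensions):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    import sys
    for path in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("exposed under web root:", path)
    for uri in fetched_exposed(SAMPLE_LOG):
        print("already fetched:", uri)
```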

Toby A Inkster

Matt said:
Well the point is, the user can't see the source. Does that mean the
database cannot be hacked (and is therefore secure)?

No, it just means that it's a little more difficult to hack.

No-one (outside Microsoft) can see the source to Windows. Can it be hacked?