post errors oh my!

Discussion in 'ASP General' started by wolfing1@yahoo.com, Jul 12, 2005.

  1. Guest

    I am creating an asp page to collect username/password from the user
    and validate it against the DB.
    Problem is, it's like this:
    - Page initially shows user and pwd inputs with a submit button
    - Page submits to itself using POST method
    - Now armed with user and password, using ADO I verify information
    against database and if it's correct, the main page shows.

    Two problems:
    1) Is the password information secure when I use 'post'? Can someone
    somehow steal this with sniffers or something?
    2) If there is a problem in the page, like connection or otherwise,
    the browser shows a 'The page cannot be displayed' and down the page it
    shows 'POST Data: ' which includes username and password! This can't be
    good, can it?

    What can I do to improve security here?
     
    , Jul 12, 2005
    #1

  2. 1. HTTPS? That's what this is for. Are you using SSL?
    2. Where does it show that exactly? On what errors? Are you using custom
    errors?

    Ray at work

     
    Ray Costanzo [MVP], Jul 12, 2005
    #2

  3. Guest

    1) Oh, no, I haven't learned HTTPS; I'll get some info on the subject.
    2) Like, let's say I call a nonexistent stored procedure in the ASP
    code, then if I try to go to the page it shows this:

    The page cannot be displayed
    There is a problem with the page you are trying to reach and it cannot
    be displayed.

    --------------------------------------------------------------------------------

    Please try the following:

    Click the Refresh button, or try again later.

    Open the localhost home page, and then look for links to the
    information you want.
    HTTP 500.100 - Internal Server Error - ASP error
    Internet Information Services

    --------------------------------------------------------------------------------

    Technical Information (for support personnel)

    Error Type:
    Microsoft OLE DB Provider for SQL Server (0x80040E14)
    Could not find stored procedure 'createsession'.
    /applications/includes/login/session.inc, line 27


    Browser Type:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322)

    Page:
    POST 37 bytes to /applications/login/login.asp

    POST Data:
    username=test&pwd=test123&smit=Submit

    Time:
    Tuesday, July 12, 2005, 2:12:28 PM


    More information:
    Microsoft Support




    So, see, there is a section that actually shows the posted fields from
    the form. Seems to me that this is dangerous.
     
    , Jul 12, 2005
    #3
  4. Hmm, that is an issue. You could also look into custom error pages. It
    actually can be as simple as making a page like so:

    500.asp:

    <html>
    <body>
    An error occurred. Sorry about that.
    </body>
    </html>

    Put that in the root of your site, then set /500.asp to be the URL of your
    error page in IIS for that site. See screen shot of the IIS configuration
    here. http://www.aspfaq.com/show.asp?id=2335

    Ray at work

     
    Ray Costanzo [MVP], Jul 12, 2005
    #4
  5. wrote:
    > Two problems:
    > 1) is the password information secure when I use 'post'?


    No. The form contents are sent in the request headers, but they are not
    encrypted.



    > can someone somehow steal this with sniffers or something?


    Absolutely.



    > 2) If there is a problem in the page, like connection or otherwise,
    > the browser shows a 'The page cannot be displayed' and down the page
    > it shows 'POST Data: ' which includes username and password! this
    > can't be good can it?


    The user already knows what he typed. So this is not really any worse than
    the unencrypted POST.



    > What can I do to improve security here?


    Use SSL. And handle your errors:
    http://msdn.microsoft.com/library/en-us/script56/html/js56jsstmtrycatch.asp
    http://msdn.microsoft.com/library/en-us/script56/html/vsstmonerror.asp
    http://msdn.microsoft.com/library/en-us/iissdk/html/552c38f4-7531-4c3e-a620-e94986fbf889.asp


    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms. Please do not contact
    me directly or ask me to contact you directly for assistance. If your
    question is worth asking, it's worth posting.
     
    Dave Anderson, Jul 12, 2005
    #5
  6. Guest

    Thanks for all the replies, very informational.
    I've been trying to find some info on how to add HTTPS to my pages, but
    haven't found a good place yet... know of a good explanatory site
    (tersely explained, because I'm dumb) of how to incorporate HTTPS in
    your ASP files and your server?
    Thanks
     
    , Jul 12, 2005
    #6
  7. Guest

    yikes! I found some info on this and says I have to pay some 3rd party
    place to use HTTPS? like $300/year ouch!!!!
     
    , Jul 12, 2005
    #7
  8. wrote:
    > yikes! I found some info on this and says I have to pay some 3rd
    > party place to use HTTPS? like $300/year ouch!!!!


    You could act as your own certificate authority and generate your own certs.
    The $300 buys you acceptance, not security.



    --
    Dave Anderson

     
    Dave Anderson, Jul 12, 2005
    #8
  9. Mark Schupp Guest

    Add error handling to the page so that you control the error message.

    For VBScript, see "On Error Resume Next" and "Err.Number".

    For JScript, see "try" and "catch".

    --
    --Mark Schupp


     
    Mark Schupp, Jul 12, 2005
    #9
  10. Joe Iano Guest

    > 2) If there is a problem in the page, like connection or otherwise,
    > the browser shows a 'The page cannot be displayed' and down the page it
    > shows 'POST Data: ' which includes username and password! this can't be
    > good can it?


    If you trap the error, then it won't be reported back to the browser.
     
    Joe Iano, Jul 13, 2005
    #10
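
Added example (not part of the original thread or any poster's code): the error trapping recommended in replies #5, #9 and #10, sketched in VBScript for the login page. The `checklogin` procedure, the `LoginConnString` application setting and the log path are hypothetical names.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example for login.asp. The connection-string setting, the
' "checklogin" procedure and the log path are hypothetical.
Const adCmdStoredProc = 4, adVarChar = 200, adParamInput = 1
' Never process credentials that arrived over plain HTTP.
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Status = "403 Forbidden"
    Response.End
End If
' No error handler inside: any ADO failure aborts the function and
' surfaces in the caller's Err object.
Function CredentialsValid(ByVal user, ByVal pwd)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("LoginConnString")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "checklogin"
    cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, user)
    cmd.Parameters.Append cmd.CreateParameter("@pwd", adVarChar, adParamInput, 50, pwd)
    Set rs = cmd.Execute
    CredentialsValid = Not rs.EOF
    rs.Close
    conn.Close
End Function

' Server-side log: error number and text only, never Request.Form.
Sub LogFailure(ByVal number, ByVal description)
    Dim fso, f
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile("D:\logs\login-errors.log", 8, True) ' 8 = ForAppending
    f.WriteLine Now() & vbTab & Hex(number) & vbTab & description
    f.Close
End Sub

Dim ok
On Error Resume Next
ok = CredentialsValid(Request.Form("username") & "", Request.Form("pwd") & "")
If Err.Number <> 0 Then
    LogFailure Err.Number, Err.Description
    Err.Clear
    Response.Status = "500 Internal Server Error"
    Response.Write "Sign-in is unavailable right now. Please try again later."
    Response.End
End If
On Error GoTo 0
%>
```

Because the error is trapped, IIS never renders its 500.100 detail page, so the "POST Data:" section with the submitted credentials is not produced. The custom /500.asp from reply #4 remains the fallback for errors raised outside this block.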