How secure is the security from my security form?

Aaron

Hey, I have a question about how secure the following will be....

I want to have a login form that posts to itself, so when it loads it checks
if there is a username and password on the query list.

If there is not, it asks for one.

If there is, it checks to see if the information is valid.

If it is not valid, it deletes the attributes and calls itself again.

If it is valid it sets a particular session variable to be some value and
redirects to the next page.

Every page from there on in will check to see if the session variable is set
and if not will redirect back to the login page.

Are there any security risks/holes that I should know about?

Thanks in advance,
Aaron

PS I do have access to Tomcat, but have been unable to figure out how to set
it up (this is my first time setting up security for a site) - so if anyone
has any tips/links that information would be most appreciated. Thanks
again.
 
John C. Bollinger

Aaron said:
Hey, I have a question about how secure the following will be....

I want to have a login form that posts to itself, so when it loads it checks
if there is a username and password on the query list.

If there is not, it asks for one.

If there is, it checks to see if the information is valid.

If it is not valid, it deletes the attributes and calls itself again.

If it is valid it sets a particular session variable to be some value and
redirects to the next page.

Every page from there on in will check to see if the session variable is set
and if not will redirect back to the login page.

This is a fairly common kind of setup. You may find that you want the
session attribute to be more meaningful or functional than a simple
flag, but the basic idea is the same.
Are there any security risks/holes that I should know about?

Standard HTTP messages are not encrypted, so it is possible for them to
be intercepted and user credentials stolen. If you want to worry about
this then one solution is to use SSL for the login form.

Once you have established an authenticated session, it is possible for
the session cookie or session id parameter to be intercepted and the
session hijacked. SSL can address this problem as well, if you care to
worry about it.

In general, you need to encrypt HTTP traffic for strong security.

There are also a number of common types of webapp vulnerabilities to worry
about on every page, most of which have to do with unexpected data being
passed to the server. SQL injection attacks are one variant. Google
for "webapp security". These are mostly orthogonal to the issue of data
interception, and therefore are not addressed by encryption.

Finally, make sure to secure the server(s) on which the application is
running. It doesn't matter how secure the application is if someone can
bypass it to get to the data.


John Bollinger
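The flow Aaron describes (validate credentials, set a session flag, have every page check the flag) with the holes John lists closed, as an added example that is not code from either poster. It is a stand-alone Python model of the servlet-side logic, not JSP/Tomcat code: the user table, PBKDF2 hashing, the session store and the names `add_user`, `login` and `require_login` are all assumptions made for the example. Note that the credentials should arrive in the POST body rather than the URL query string, since query strings end up in server logs, browser history and Referer headers.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Constructed in-memory user table; passwords are stored as salted PBKDF2
# hashes, never in clear text, so a stolen table does not yield credentials.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(username, password):
    salt = os.urandom(16)
    DB.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, _hash(password, salt)))

def credentials_valid(username, password):
    # Bound parameter (?) instead of string concatenation: the username is
    # treated as data, never as SQL, which closes the injection hole John mentions.
    row = DB.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    # Constant-time compare so response timing does not leak how much matched.
    return hmac.compare_digest(_hash(password, salt), pw_hash)

# Stand-in for the container's session table: session id -> attributes.
# The id travels in a cookie, so in the real deployment that cookie needs the
# Secure flag (sent over HTTPS only) and HttpOnly, which is the hijacking risk.
SESSIONS = {}

def login(old_session_id, username, password):
    """Returns a fresh session id on success, None on failure."""
    if not credentials_valid(username, password):
        return None
    # Drop the session the browser arrived with and issue a new id only after
    # authentication, so an id planted or sniffed before login never becomes
    # an authenticated one (session fixation).
    SESSIONS.pop(old_session_id, None)
    new_id = secrets.token_urlsafe(32)
    SESSIONS[new_id] = {"user": username}
    return new_id

def require_login(session_id):
    """The per-page check: serve the page, or redirect back to the login page."""
    sess = SESSIONS.get(session_id)
    if sess is None or "user" not in sess:
        return "REDIRECT /login"
    return "OK " + sess["user"]
```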