post errors oh my!

wolfing1

I am creating an asp page to collect username/password from the user
and validate it against the DB.
Problem is, it's like this:
- Page initially shows user and pwd inputs with a submit button
- Page submits to itself using POST method
- Now armed with user and password, using ADO I verify information
against database and if it's correct, the main page shows.

Two problems:
1) Is the password information secure when I use 'post'? Can someone
somehow steal this with sniffers or something?
2) If there is a problem in the page, like connection or otherwise,
the browser shows a 'The page cannot be displayed' and down the page it
shows 'POST Data: ' which includes username and password! This can't be
good, can it?

What can I do to improve security here?
 
Ray Costanzo [MVP]

1. HTTPS? That's what this is for. Are you using SSL?
2. Where does it show that exactly? On what errors? Are you using custom
errors?

Ray at work
 
wolfing1

1) Oh, no, I haven't learned HTTPS; I'll get some info on the subject.
2) Like, let's say I call a nonexistent stored procedure in the ASP
code; then if I try to go to the page it shows this:

The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot
be displayed.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

Open the localhost home page, and then look for links to the
information you want.
HTTP 500.100 - Internal Server Error - ASP error
Internet Information Services

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Type:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Could not find stored procedure 'createsession'.
/applications/includes/login/session.inc, line 27


Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322)

Page:
POST 37 bytes to /applications/login/login.asp

POST Data:
username=test&pwd=test123&smit=Submit

Time:
Tuesday, July 12, 2005, 2:12:28 PM


More information:
Microsoft Support




So, see, there is a section that actually shows the posted fields from
the form; it seems to me that this is dangerous.
 
Ray Costanzo [MVP]

Hmm, that is an issue. You could also look into custom error pages. It
actually can be as simple as making a page like so:

500.asp:

<html>
<body>
An error occurred. Sorry about that.
</body>
</html>

Put that in the root of your site, then set /500.asp to be the URL of your
error page in IIS for that site. See screen shot of the IIS configuration
here. http://www.aspfaq.com/show.asp?id=2335

Ray at work
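The error page shown earlier in the thread is IIS's own 500-100.asp, which is what prints the "POST Data:" section; IIS routes ASP script errors to the "500;100" custom error entry, so that is the entry to point at a replacement. A fuller version of Ray's page, written here as an added example (not Ray's or the thread's code): it logs the ASPError details server-side and returns only a generic message, never touching Request.Form. The log path is an assumption.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit
' Custom 500-100.asp (added example). Configure it in IIS as the custom
' error URL for "500;100" (ASP script errors). Unlike the stock 500-100.asp
' it never reads Request.Form, so posted credentials never reach the browser.
Dim objErr, objFSO, objLog, strLine
Const LOG_PATH = "D:\logs\asp-errors.log"   ' assumed path, kept outside the web root
Const ForAppending = 8

' Discard anything the failing page already buffered and set a real 500 status.
Response.Clear
Response.Status = "500 Internal Server Error"

' ASPError object describing the script error IIS just trapped.
Set objErr = Server.GetLastError()

' Details go to a server-side log for the developer: time, client, file(line),
' error code and description. No form fields are included.
strLine = Now() & vbTab & Request.ServerVariables("REMOTE_ADDR") & vbTab & _
          objErr.File & "(" & objErr.Line & ")" & vbTab & _
          "0x" & Hex(objErr.Number) & vbTab & objErr.Description

On Error Resume Next    ' logging must never itself crash the error page
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(LOG_PATH, ForAppending, True)
objLog.WriteLine strLine
objLog.Close
On Error GoTo 0
%>
<html>
<body>
<p>An error occurred. Sorry about that.</p>
<!-- deliberately nothing else: no description, no file/line, no POST data -->
</body>
</html>
```

Response.Clear relies on response buffering, which is on by default in IIS 5; the generic message is intentionally identical for every error so the browser learns nothing about the cause.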
 
Dave Anderson

Two problems:
1) is the password information secure when I use 'post'?

No. The form contents are sent in the request headers, but they are not
encrypted.


can someone somehow steal this with sniffers or something?
Absolutely.



2) If there is a problem in the page, like connection or otherwise,
the browser shows a 'The page cannot be displayed' and down the page
it shows 'POST Data: ' which includes username and password! this
can't be good can it?

The user already knows what he typed. So this is not really any worse than
the unencrypted POST.


What can I do to improve security here?

Use SSL. And handle your errors:
http://msdn.microsoft.com/library/en-us/script56/html/js56jsstmtrycatch.asp
http://msdn.microsoft.com/library/en-us/script56/html/vsstmonerror.asp
http://msdn.microsoft.com/library/en-us/iissdk/html/552c38f4-7531-4c3e-a620-e94986fbf889.asp


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
 
wolfing1

Thanks for all the replies, very informational.
I've been trying to find some info on how to add HTTPS to my pages, but
haven't found a good place yet... know of a good explanatory site
(tersely explained, because I'm dumb) of how to incorporate HTTPS in
your ASP files and your server?
Thanks
 
wolfing1

Yikes! I found some info on this and it says I have to pay some 3rd party
place to use HTTPS? Like $300/year, ouch!!!!
 
Dave Anderson

Yikes! I found some info on this and it says I have to pay some 3rd
party place to use HTTPS? Like $300/year, ouch!!!!

You could act as your own certificate authority and generate your own certs.
The $300 buys you acceptance, not security.



--
Dave Anderson

 
Mark Schupp

Add error handling to the page so that you control the error message.

For VBScript, see "On Error Resume Next" and "Err.Number".

For JScript, see "try" and "catch".
 
Joe Iano

2) If there is a problem in the page, like connection or otherwise,
the browser shows a 'The page cannot be displayed' and down the page it
shows 'POST Data: ' which includes username and password! this can't be
good can it?

If you trap the error, then it won't be reported back to the browser.
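Mark's and Joe's advice in practice, as an added example (not code from anyone in the thread): the login page's ADO call wrapped in On Error Resume Next with an Err.Number check after each step that can fail. A trapped error yields a generic message and a short entry in the IIS log, so IIS's stock 500-100 page, with its "POST Data:" section, is never reached. The connection string, the stored procedure's parameters and result, and the landing page name are assumptions; 'createsession' is the procedure name from the error shown earlier in the thread.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit
' login.asp fragment (added example). Traps the ADO call so a missing stored
' procedure, a dead connection or any other runtime error never escapes to
' IIS's default 500-100 page, which echoes the posted form fields.
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1
' Assumed connection string; in practice keep it in an include outside the web root.
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI;"

Dim cn, cmd, rs, strUser, strPwd, blnValid

' Generic failure response: no Err.Description, no file/line, no form fields.
Sub FailClosed(strContext)
    ' Only a context word and the error code go to the IIS log; never the password.
    Response.AppendToLog "login-error " & strContext & " 0x" & Hex(Err.Number)
    Err.Clear
    Response.Clear
    Response.Write "<html><body>Login is temporarily unavailable. " & _
                   "Please try again later.</body></html>"
    Response.End
End Sub

strUser = Request.Form("username")
strPwd  = Request.Form("pwd")
blnValid = False

On Error Resume Next                 ' errors now set Err instead of aborting the page

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open CONN_STRING
If Err.Number <> 0 Then FailClosed "connect"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "createsession"    ' name from the thread; assumed to take (username, pwd)
' Parameters keep the user's input out of the SQL text itself.
cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, strUser)
cmd.Parameters.Append cmd.CreateParameter("@pwd", adVarChar, adParamInput, 128, strPwd)
Set rs = cmd.Execute
If Err.Number <> 0 Then FailClosed "execute"

On Error GoTo 0                      ' normal error reporting for the rest of the page

' Assumed: createsession returns one row when the credentials are valid.
If Not rs.EOF Then blnValid = True
rs.Close
cn.Close

If blnValid Then
    Session("user") = strUser
    Response.Redirect "main.asp"     ' assumed landing page
Else
    Response.Write "Invalid username or password."   ' same text for either case
End If
%>
```

Checking Err.Number after each step matters: under On Error Resume Next the script keeps running past a failed cn.Open, so a single check at the end would only see the last of several errors. Response.Clear inside FailClosed needs Response.Buffer = True, the IIS 5 default.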
 
