secure enough login???
Results 1 to 7 of 7

Thread: secure enough login???

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    121

    Post secure enough login???

    I am planning on using the below code for a login sequence and I want to know if it's secure enough. I'm new to programming and scripting (this is pretty much all premanufactured) and I want to make sure it's in good working order. Please help me correct any mistakes in my code with explinations, thanks.... oh yeah this is going to be run in conjunction with an asp page to make it harder to view the source... in case you wondered.

    <HTML>
    <HEAD>


    <script language="JavaScript">

    <!--
    // No rightclick script.
    // Find more great scripts and applets at the JavaFile!
    // http://www.javafile.com
    // Do not delete this header!

    var message="NO!"; // Put your message for the alert box between the quotes.

    // Don't edit below!

    function click(e) {
    if (document.all) {
    if (event.button == 2) {
    alert(message);
    return false;
    }
    }
    if (document.layers) {
    if (e.which == 3) {
    alert(message);
    return false;
    }
    }
    }
    if (document.layers) {
    document.captureEvents(Event.MOUSEDOWN);
    }
    document.onmousedown=click;
    // -->

    </script>


    <TITLE>yoursitetitle</TITLE></HEAD>
    <BODY>

    // HTML for top of page

    <SCRIPT LANGUAGE=javascript>
    // Courtesy of SimplytheBest.net (http://simplythebest.net/info/dhtml_scripts.html)
    <!--
    if(navigator.appName.indexOf('Microsoft')>=0)
    {
    document.write('Add to My Favorites');
    }
    // -->
    </SCRIPT>




    <center><font size="2" font color="#cc0033" face="Arial">Please login below</font>
    <DIV ALIGN="center"><CENTER>
    <FONT SIZE="-1" COLOR="#FF0000">
    </FONT>


    </P>

    <FORM METHOD="POST" ACTION="http://www.yoursitename.com/cgi-bin/auth/wwwauth.pl">
    Enter Your Username:

    <INPUT TYPE="text" SIZE="10" NAME="uid">

    Enter Your Password:

    <INPUT TYPE="password" SIZE="10" NAME="passwd">
    <INPUT TYPE="hidden" NAME="session" VALUE="8cxP5OIdB2bR">


    <INPUT TYPE="submit" VALUE="Log In!">


    </P>
    </CENTER>
    </DIV>
    <center><font size="2" font color="#cc0033" face="Arial">Forgot your password? Click Here</font>




    </center>
    <center><font size="2" font color="#cc0033" face="Arial">If you are having problems logging in:

    Make sure your cookies and java scripts are enabled.

    Be sure you got to this page from www.yoursitename.com.

    Try shutting down your browser completely (that will

    clear the current cookie), restart it and try again.</FONT>





    <center><font size="2" font color="#cc0033" face="Arial">If you need more assistance, Click Here</font>


    </CENTER></DIV></FORM></BODY></HTML>

    </BODY>
    </HTML>

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    It depends entirely what the wwwauth.pl script does - the HTML code for the form doesn't affect the security and I'm not going to comment on it.

    If you post wwwauth.pl, I could give you more help.

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    121
    that is the wwwauth.pl

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    Erm - No.

    The html you quote is a HTML form that POSTs it's data to a script located at:
    http://www.yoursitename.com/cgi-bin/auth/wwwauth.pl

    The values passed to this url are: uid,passwd and session. Thats what the following actually means:

    Code:
    <FORM METHOD="POST" ACTION="http://www.yoursitename.com/cgi-bin/auth/wwwauth.pl"> 
    Enter Your Username:
     
    <INPUT TYPE="text" SIZE="10" NAME="uid">
     
    Enter Your Password:
     
    <INPUT TYPE="password" SIZE="10" NAME="passwd"> 
    <INPUT TYPE="hidden" NAME="session" VALUE="8cxP5OIdB2bR">
    You talk about asp - so what you'd probably want to do is change http://www.yoursitename.com/cgi-bin/auth/wwwauth.pl to http://www.yoursitename.com/yourloginscript.asp

    This asp script would probably look something like:

    Code:
    'An example yourloginscript.asp
    
    <%
    Set cn = server.CreateObject("adodb.connection")
    cn.Open "PROVIDER=;DATA_SOURCE=;UID=;PWD=;DATABASE="
    
    username = request("uid")
    password = request("passwd")
    
    
    sqlq = "select count(userid) from users where username='"& username & " & _
               "' and password=" & password
    
    set rs = cn.execute(sqlq)
    
    if cint(rs.fields(0)) > 0 then 'User/Pass combination found
          'Login Ok
          'Do actions
    else
          'Login Fail
          'Do some other actions
    end if
    
    set rs = nothing
    cn.close
    
    %>
    What slarty was saying is that we'd need to see your "yourloginscript.asp" file to tell you if it was secure on not.
    \"I may not agree with what you say, but I will defend to the death your right to say it.\"
    Sir Winston Churchill.

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    121
    I dont have one... I guess that would mean its not secure huh? lol, well I'll get something worked out and then I'll post it on here later (might be a few days I'm pretty busy) thanks though I'll get this thing figured out.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    A) This discussion is better for the web design forum.
    B) Using anti-rightclick stuff is just lame and won't work properly at all.
    C) You really do need to post the contents of your script that processes the commands.
    D) For a PHP script or something, you could always ask for help from some of us in IRC. A PHP-based login script that reads a text file would not be difficult at all.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    ntsa that ASP page you have posted is extremely unsecure and can easily be exploited to both gain unauthorised access to the web app and run arbritary SQL commands.

    You have neither checked nor escaped the strings "username" and "password" before thowing them at the database. Depending what the database is, all sorts of nasty things might be able to be done by embedding quotes in the username and/or password (MS Access is the worst because you can use the vertical bar interpolation to run shell commands!)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •