Protecting POST from an action
-
Hi, I have a question about security and user access: If I protected a GET action with access only for logged-in users or for some type of user, should I also protect the POST action? In ASP 3.0 I used to do that because one could clone the form and set the "action=myformpost.asp". Thanks
-
I think you must authenticate each request. When a user logs in to your system, generate a session id and put a session value for the current user. Now, for every request, check whether the session value has been created or not. Don't send this session id to the client; store it in the server session variable. If the user is creating a clone, he can create the request object just like yours, but the session id with which he would be connecting would not match any valid session, so the request would be rejected. Hope you got the point. :) :) :)
Abhishek Sur **Don't forget to click "Good Answer" if you like this Solution.
My Latest Articles-->** Microsoft Bing MAP using Javascript
CLR objects in SQL Server 2005
Uncommon C# Keywords
-
What if I'm just using cookies? For example:
Action /SomeForm/ (GET)
1. I check if the user has some cookie. If he does,
2. I show the form to him.
Action /SomeForm/ (POST)
1. Should I check if the user has that cookie or not?
2. Process inputs, etc.
-
No. I don't recommend cookies, because they are not safe and are stored on the client side. Also, anyone can delete cookies at any time. Use session. It's a better approach. No one can tamper with data in session :)
Abhishek Sur
-
Uhm..
1. Ok, let's assume I'm not going to stop using cookies. Should I check for the cookie in the POST? Yes or no?
2. In ASP 3.0 I used to use Sessions, but in ASP.NET (MVC) I don't know how; is the usage similar to cookies? Do you have some link with Session's usage? Also, aren't sessions based on cookies though? (Also, I definitely don't want to use the filters that come with MVC, like [Auth] and others.)
-
Quake2Player wrote:
Also, aren't sessions based on cookies though?
No, they are not. They are stored on the server. The session id MAY be based on cookies, I am not sure, but all a user could do, if that were true, is delete a cookie and abandon their session. A cookie contains data on the client, which means the client can edit it, if they wanted to.
Christian Graus Driven to the arms of OSX by Vista. Read my blog to find out how I've worked around bugs in Microsoft tools and frameworks.
-
Ok, so I'm using sessions now instead of cookies. Can you answer my question now, which is analogous to the previous question: Should I check for the session at the beginning of the POST? Or do I not have to care about someone cloning the form with action=myformpost?
-
I am not aware of any way of hijacking a session id. They would need to know what it was first, and I don't see any way to find out what someone else's random session id is. I suspect if someone had a way of doing that, they'd be hitting internet banking sites, and not yours.
Christian Graus
-
Of course you have to check the value in session. As Christian suggested, Session is accessible only from the server. The client can only send a request, and after that the server has to do the rest. When a user logs in to the server, the server needs to create a session object, which will remain until the session timeout occurs. Within this timespan, if any request from the same client is made, the session id will exist on the server and you can easily check the session value to see whether he is logged in or not. During login:

```csharp
// "login" and "success" stand for whatever your own credential check returns
if (login == success)
    Session["Auth"] = true;
```

For every request check:

```csharp
// Session["Auth"] is null for a visitor who never logged in, and
// Convert.ToBoolean(null) is false, so that request is rejected too
if (Convert.ToBoolean(Session["Auth"]) != true)
{
    Response.Clear();
    Response.Write("Invalid");
    Response.Close();
    return;
}
```

This means you are removing the response sent to the client.
Quake2Player wrote:
Should I check for the session at the beginning of the POST?
Yes, of course. It should be checked as soon as control comes to the server. You might use Page_Load, or, if the action is posted to an HttpHandler, you can do it in its ProcessRequest section. Hope it's clear now. :)
Abhishek Sur
-
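An added example, not code from this thread or from any of its posters, showing what the advice above looks like in an ASP.NET MVC controller: the same server-side session check guards the GET action that renders the form and the POST action that processes it, and the cookie-flag check discussed earlier in the thread is shown beside it as the weak form. The controller name, the FormInput model, the "Auth" session key and the placeholder credential check are assumptions for illustration.

```csharp
// Added example (not from the thread). Assumed names: SomeFormController,
// FormInput, the "Auth" session key and the placeholder CredentialsAreValid.
using System;
using System.Web.Mvc;

public class FormInput
{
    public string Comment { get; set; }
}

public class SomeFormController : Controller
{
    // Key of the login flag kept in server-side session state. The browser only
    // ever holds the opaque ASP.NET_SessionId cookie, never this value.
    private const string AuthKey = "Auth";

    // WEAK (what the thread warns against): a flag read from a cookie is client
    // data, so anyone can create or edit the cookie and pass this check.
    private bool IsAuthenticatedViaCookie()
    {
        var cookie = Request.Cookies["LoggedIn"];
        return cookie != null && cookie.Value == "true";
    }

    // HARDENED: the flag lives in session state on the server. A visitor who
    // never logged in has Session["Auth"] == null, and Convert.ToBoolean(null)
    // is false, so the request is rejected.
    private bool IsAuthenticated()
    {
        return Convert.ToBoolean(Session[AuthKey]);
    }

    // Placeholder for the real credential check (assumed to verify a salted
    // password hash against the user store); constructed so the example compiles.
    private static bool CredentialsAreValid(string user, string password)
    {
        return user == "demo" && password == "demo-password";
    }

    [HttpPost]
    public ActionResult Login(string user, string password)
    {
        if (!CredentialsAreValid(user, password))
            return new HttpUnauthorizedResult();

        Session[AuthKey] = true;              // set once, server-side only
        return RedirectToAction("Index");
    }

    public ActionResult Logout()
    {
        Session.Abandon();                    // drops the server-side state
        return RedirectToAction("Index");
    }

    // GET /SomeForm/ : render the form only for a logged-in user.
    [HttpGet]
    public ActionResult Index()
    {
        if (!IsAuthenticated())
            return new HttpUnauthorizedResult();   // no form markup is sent
        return View();
    }

    // POST /SomeForm/ : repeat the identical check. A cloned form whose action
    // points here never went through the GET action, so the GET check alone
    // protects nothing on this path.
    [HttpPost]
    public ActionResult Index(FormInput input)
    {
        if (!IsAuthenticated())
            return new HttpUnauthorizedResult();

        if (!ModelState.IsValid)
            return View(input);

        // ... process input.Comment here ...
        return RedirectToAction("Index");
    }
}
```

This is the manual per-action check the asker said he prefers over the MVC filter. Note what the server actually trusts: only the flag it stored itself. The browser does present a cookie, but by default that is just the ASP.NET_SessionId cookie carrying the session id, and deleting or editing it only loses the session; it cannot set the flag. Once the same test appears in more than one controller it can move into an override of Controller.OnActionExecuting so that no action can be added without it.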
Yes, you are right, Chris; one doesn't have to bother about hacking stuff. The session id will be generated only for a small amount of time, based on the timeout value, so it's hard to guess... :) No one can use it if the site doesn't allow it to be manipulated easily. :-D
Abhishek Sur