Security Breach to Member’s Only Page

I have discovered a security breach on my website.

Normally, to gain access to my member's only page one has to first log in with a userid & password. This process works fine, and the login script also creates a cookie that expires in 1 hour.

I have found that if one types in the URL to the member's only page directly, for example http://www.domain.org/members.html, this bypasses the login page, and they get in instantly.

I was told that to secure the member's only page, I need to place a validation check on each of my web pages that has access to the member's only area, to check if the user is logged in. If the user is not logged in, then they're redirected to the login page.

Does anyone have a coding example of a validation check? It seems like it should check for the presence of this cookie. I’m not sure how to do that. Or if there’s a different solution, I would welcome that too.
Thanks!

Tags: HTML

9 Comments

@ray326, Jul 20, 2006 — To be done right this has to be done by the server. You absolutely cannot use JavaScript to secure a page or a portion of your site.
@bigzebra (author), Jul 21, 2006 — Can you give me an example?
@the_tree, Jul 21, 2006 — Not really, it kind of all depends on the server: what type of server it is (Apache, IIS, something else) and what technologies it makes available (PHP, ASP, ColdFusion et cetera).
@skilled1, Jul 21, 2006 — It needs to be an HTTPS page; you can't just have a JavaScript-blocked page. If you want, you can have a script that looks for the cookie and does not display the content in a <div>, but the fact of the matter is the only safe way to do it is with HTTPS.
@ray326, Jul 21, 2006 —
Quoting skilled1: "needs to be a https page"
No, all it needs to be is protected by Basic Authentication.
@the_tree, Jul 21, 2006 — HTTPS is for the rare occasions where security matters up to the point where experts might actually put in the time to attack your system. Simple Authentication, which is stupendously easy to do with the right privileges on common servers, should suffice for any connection where financial details, or those compromising your physical security, aren't being transmitted.

If you are on an Apache server, then you should read up on how to use .htaccess, which will make the whole process ever so easy, although perhaps you might want to involve some server-side scripting such as PHP for more complex systems.

I'm not sure what the IIS equivalent is, but it is probably well documented. As soon as you can get back to us with what your host is providing you with, we'll surely be able to find some way of doing this, and it won't be difficult.
@bigzebra (author), Jul 22, 2006 — Thanks for your post.

Here's a link to my server info. I have the Advanced Plan: http://www.webhost4life.com/hosting.asp

IIS 6.0
@ray326, Jul 22, 2006 — Password protected directories and files are configurable through that control panel. They'll be using Basic Authentication.
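What a "password protected directory" actually does on every request, as an added example that is not from the thread, the hosting control panel or any server product: the server reads the Authorization header, decodes the Basic credentials, checks them against a stored hash, and answers 401 with a WWW-Authenticate challenge when they are missing or wrong. It is written as a standard-library Python WSGI middleware so it runs offline; the realm name, the /members/ prefix, the user name and password are assumptions, and a real server keeps the hashes in its own password file rather than in a Python dict.

```python
"""Added example: HTTP Basic Authentication for a protected directory,
implemented as a WSGI middleware. Realm, prefix and credentials are assumed."""
import base64
import hashlib
import hmac
import html

REALM = "Members Only"          # assumed realm shown in the browser's login prompt
PROTECTED_PREFIX = "/members/"  # assumed directory that the control panel protects


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


# Constructed credential store. The salt is fixed here so the example is
# reproducible; a real store draws os.urandom(16) per user.
_SALT = b"\x01" * 16
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}


def check_credentials(user: str, password: str) -> bool:
    entry = USERS.get(user)
    if entry is None:
        hash_password(password, _SALT)  # same cost for unknown users (no timing leak)
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt), expected)


def parse_basic_auth(header):
    """Return (user, password) from 'Basic <base64(user:password)>', else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_auth_middleware(app):
    """Enforce Basic auth for every path under PROTECTED_PREFIX; pass the rest through."""
    def guarded(environ, start_response):
        if environ.get("PATH_INFO", "").startswith(PROTECTED_PREFIX):
            creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
            if creds is None or not check_credentials(*creds):
                start_response("401 Unauthorized",
                               [("WWW-Authenticate", f'Basic realm="{REALM}"'),
                                ("Content-Type", "text/plain")])
                return [b"Authentication required\n"]
            environ["REMOTE_USER"] = creds[0]   # what PHP/ASP would see as the logged-in user
        return app(environ, start_response)
    return guarded


def site(environ, start_response):
    """Stand-in for the static pages; it never sees a request that failed auth."""
    start_response("200 OK", [("Content-Type", "text/html")])
    user = html.escape(environ.get("REMOTE_USER", "anonymous"))
    return [f"<h1>{html.escape(environ['PATH_INFO'])}</h1><p>hello {user}</p>".encode()]


protected_site = basic_auth_middleware(site)


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends after the user fills in the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()


def request(path: str, authorization=None):
    """Drive the app the way a WSGI server would; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(protected_site(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(request("/index.html")[0])                                          # 200 OK
    print(request("/members/page.html")[0])                                   # 401 Unauthorized
    print(request("/members/page.html", basic_header("alice", "wrong"))[0])   # 401 Unauthorized
    print(request("/members/page.html", basic_header("alice", "correct horse"))[0])  # 200 OK
```

Two things worth noticing: typing the page's URL directly no longer helps, because the check runs on the server for every request under the prefix, not only on the login page; and Basic sends "user:password" base64-encoded (not encrypted) on every request, which is why the HTTPS point raised above still matters for protecting the password in transit even though HTTPS by itself is not what keeps anonymous visitors out.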
@pacerier, Aug 05, 2006 — You could create a validation file and include that at the top of every page you want to bar access to. Try not to check for cookies, because that can be manipulated with software.
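The "validation file included at the top of every page" that the question asks for, as an added example that is not from the thread or from the poster's site. It also shows why the comment above is wary of cookies: a browser will send any cookie an attacker types in, so "cookie present means logged in" is not a check at all. What makes a cookie usable as the login token is that the server signs it with a key only the server holds, so a cookie the login script did not issue fails verification. Standard-library Python (WSGI) so it runs offline; the secret key, cookie name, login page path and user name are assumptions.

```python
"""Added example: a server-side login check (the 'validation file') that every
members-only page runs before rendering. Key, cookie name and paths are assumed."""
import base64
import hashlib
import hmac
import html
import time
from http.cookies import SimpleCookie

SECRET_KEY = b"assumed-server-secret-use-os.urandom(32)"  # never sent to the browser
COOKIE_NAME = "session"
SESSION_TTL = 3600            # one hour, as in the question
LOGIN_PAGE = "/login.html"    # assumed path of the login form


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_session(user_id: str, now=None) -> str:
    """What the login script sets as the cookie value after the password check passes."""
    expires = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{user_id}|{expires}".encode("utf-8")
    return base64.urlsafe_b64encode(payload + b"|" + _sign(payload)).decode()


def verify_session(cookie_value, now=None):
    """Return the user id if the cookie was issued by us and is unexpired, else None."""
    if not cookie_value:
        return None
    try:
        raw = base64.urlsafe_b64decode(cookie_value.encode("utf-8"))
        user_id, expires, sig = raw.rsplit(b"|", 2)
    except ValueError:                      # not base64, or not our payload layout
        return None
    if not hmac.compare_digest(sig, _sign(user_id + b"|" + expires)):
        return None                         # forged or tampered (constant-time compare)
    try:
        expires_at = int(expires)
    except ValueError:
        return None
    if expires_at <= (time.time() if now is None else now):
        return None                         # the hour is up; back to the login page
    return user_id.decode("utf-8")


def parse_cookies(environ) -> dict:
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def weak_is_logged_in(environ) -> bool:
    """The check the question proposes (cookie present => logged in). Anyone can
    create a cookie named 'loggedin' in their browser, so this proves nothing."""
    return "loggedin" in parse_cookies(environ)


def require_login(page):
    """The validation check: wrap every members-only page with this."""
    def guarded(environ, start_response):
        user = verify_session(parse_cookies(environ).get(COOKIE_NAME))
        if user is None:
            start_response("302 Found", [("Location", LOGIN_PAGE),
                                         ("Content-Type", "text/plain")])
            return [b"Please log in\n"]
        environ["app.user"] = user
        return page(environ, start_response)
    return guarded


@require_login
def members_page(environ, start_response):
    """members.html: only reached when require_login accepted the cookie."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [f"<p>Welcome, {html.escape(environ['app.user'])}</p>".encode()]


def forged_cookie(user_id: str = "alice") -> str:
    """What an attacker without SECRET_KEY can produce: right layout, bogus signature."""
    payload = f"{user_id}|{int(time.time()) + SESSION_TTL}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + b"\x00" * 32).decode()


def fetch(app, path: str, cookie_header=None):
    """Drive the app like a WSGI server would; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie_header is not None:
        environ["HTTP_COOKIE"] = cookie_header
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(fetch(members_page, "/members.html")[0])                                   # 302 Found
    print(fetch(members_page, "/members.html", f"session={forged_cookie()}")[0])     # 302 Found
    print(fetch(members_page, "/members.html", f"session={issue_session('alice')}")[0])  # 200 OK
    print(weak_is_logged_in({"HTTP_COOKIE": "loggedin=1"}))                          # True (forgeable)
```

In PHP or ASP the same shape is an include at the top of members.html that calls the equivalent of verify_session() and redirects on failure, before any HTML is sent. When the login script sets the cookie it should add the HttpOnly flag, and the Secure flag if the site is served over HTTPS; the expiry inside the signed value is what enforces the one-hour limit, since the cookie's own Expires attribute is under the browser's control.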