OT - How Web Apps Do/Should Detect Authentication

  • Thread starter Thread starter jehugaleahsa
  • Start date Start date
J

jehugaleahsa

Hello:

Can someone tell me how a web application knows whether a user is
logged in?

Somehow, web applications can detect whether someone has already
logged in.

I know all about ASP Membership; that's not what I'm asking.

I want to know what gets sent to the web server so it can verify the
user. Is it some kind of cookie? a HTTP header? taco meat?

Any links or books where I can read all about it would be muchly
appreciated.

Thanks for any insight!

~Travis
 
Can someone tell me how a web application knows whether a user is
logged in?

Somehow, web applications can detect whether someone has already
logged in.

I know all about ASP Membership; that's not what I'm asking.

I want to know what gets sent to the web server so it can verify the
user. Is it some kind of cookie? a HTTP header? taco meat?

Any links or books where I can read all about it would be muchly
appreciated.
Click to expand...

Traditionally there are two ways:
* a cookie with session id
* URL rewriting that put the session id in the URL

Cookie is the standard.

Arne
 
Traditionally there are two ways:
* a cookie with session id
* URL rewriting that put the session id in the URL

Cookie is the standard.

Arne
Click to expand...

Thanks.

Can I ask another question then?

We purchased an off-the-shelf product. The company who made it claims
that we can send an HTTP header to their product and it would
automatically let us access their web site. They call this their 3rd
party authentication method. My question is, how can this be secure if
all someone has to do is generate the right header? Couldn't anyone
generate the header?

I think the company's representative has lost her mind. Even if she
knows what she is talking about, I can't see how her suggestion could
be secure... does this mean anything to anyone?
 
Can I ask another question then?

We purchased an off-the-shelf product. The company who made it claims
that we can send an HTTP header to their product and it would
automatically let us access their web site. They call this their 3rd
party authentication method. My question is, how can this be secure if
all someone has to do is generate the right header? Couldn't anyone
generate the header?
Click to expand...

The cookie and URL sessions id's are usually a 128 or 160 bit
number in hex form.

The chance of guessing one of the maybe 100 valid session id's from
the 2^128 or 2^160 possible is very small.

If the HTTP header contains something similar hard to guess, then
it may be secure.

Arne
 
The cookie and URL sessions id's are usually a 128 or 160 bit
number in hex form.

The chance of guessing one of the maybe 100 valid session id's from
the 2^128 or 2^160 possible is very small.

If the HTTP header contains something similar hard to guess, then
it may be secure.

Arne- Hide quoted text -

- Show quoted text -
Click to expand...

I see your point. This is all good information. I will pass that
along. Thanks for your answers.
 
I see your point. This is all good information. I will pass that
along. Thanks for your answers.
Click to expand...

Note that traditionally it is the server that assigns a random
session id to you.

If your OTS product is the same, then it is all fine. But if
it is a hardcoded value for your company, then there are additional
security issues, because that key can leak.

Arne
 
Back
Top