I am looking for a secure way to accept a username and password in a form, and after they successfully log in, I want to use a piece of that information for a subsequent query.

<form METHOD="POST" action="2.asp">
  <blockquote>
    <table>
      <tr>
        <th ALIGN="right" nowrap><em><font size="2">User ID:</font></em></th>
        <!-- VALUE is quoted and HTML-encoded so a stored user id cannot break out of the attribute -->
        <td><input NAME="UID" VALUE="<% if Session("UserId") = empty then
Response.Write("")
else
Response.Write(Server.HTMLEncode(Session("UserId")))
end if
%>" SIZE="20" MAXLENGTH="25" tabindex="4"></td>
      </tr>
      <tr>
        <th ALIGN="right" nowrap><em><font size="2">First Name:</font></em></th>
        <td><input NAME="FN" SIZE="20" tabindex="10"></td>
      </tr>
      <tr>
        <th ALIGN="right" nowrap><em><font size="2">Last Name:</font></em></th>
        <td><input NAME="LN" SIZE="20" tabindex="11"></td>
      </tr>
      <tr>
        <th ALIGN="right" nowrap><em><font size="2">Password:</font></em></th>
        <!-- TYPE="password" so the typed value is masked on screen -->
        <td><input TYPE="password" NAME="PW" SIZE="20" tabindex="6"></td>
      </tr>
    </table>
  </blockquote>
  <p><input TYPE="SUBMIT" VALUE="Return UserInfo" name="cmdExec"> </p>
</form>

2.asp Code Snippet:

<%@language=vbscript%>
<!--#INCLUDE FILE ="i_common.asp" -->
<%
  Response.Expires=0
  Response.Buffer=true
  Response.Clear
%>
<html>

<head>
<title>Transaction 10</title>
</head>

<body bgcolor="#FFFFCC">
<%
  Dim trans0009
  Set trans0009 = server.CreateObject("webcom.Trans0009")
  trans0009.DebugFlag= True
  trans0009.AspPage= Request.ServerVariables("SCRIPT_NAME")
  ' Copy the posted password into the component
  if(Request.Form("PW") <> empty) then
    trans0009.Password= Request.Form("PW")
  end if
  ' The form posts the last name as "LN"; that is the field to test for, not "email"
  if(Request.Form("LN") <> empty) then
    trans0009.Lname=Request.Form("LN")
  end if
%>
<p align="center"><b><font size="5" bgcolor="#FFFFFF" color="#000080">Return
Values</font></b></p>
<hr>
<!-- Values coming back from the component are HTML-encoded before being written into the page -->
<p align="left">Welcome <% Response.Write(Server.HTMLEncode(trans0009.GetValue("Fname",0))) %>
<% Response.Write(Server.HTMLEncode(trans0009.GetValue("Lname",0))) %><br />
</p>
</body>
</html>

I want to have a Post done with the LName information without it taking three queries. Is there any way I can do that without exposing the information being used in the query?

+1  A: 

If you're sending parameters "in the clear" via HTTP, then anyone who can sniff your packets is going to be able to read what you've sent. This means that all the person has to do is intercept the text sent by a user, then craft their own POST to your server to impersonate them.

You could set up a challenge-response type of system, but there'd still be a bit of back-and-forth (since that's how challenge-response works).

The best way to do this (that I'm aware of) is via HTTPS via TLS (SSL).

As for the subsequent query, ONLY send information server-side. Any time you pass secret information back to the client (when not encrypted), it's in the clear again, and easily read by others.

Michael Todd
+1  A: 

The only way to do this in a secure manner is to use HTTPS to keep the password encrypted on its way to the server.

If you have control over the webcom component and HTTPS is out of the question for some reason then you will need to modify the component to issue a challenge instead of accepting a password.

There are js implementations of SHA1 hashing available that you could use client-side to respond to the challenge.

AnthonyWJones
I think I described my problem poorly. I am mostly trying to do two posts in one submit. Post username/pass and the system should use the data returned from that to do a query whose results are shown on the second page, instead of the second page doing another post to a third page after storing the results of the login in the second.
@unknown: I agree the problem is poorly described and remains so. Perhaps it would be better if you described the behaviour the user should see. How many pages is the user seeing and interacting with, 2 or 3? The first is the logon; what is the second, and is there a third? If so, how does the user go from the second to the third page?
AnthonyWJones