ASP And Access Security

VB_ACK
04-16-2002, 01:02 PM
I will soon begin an ASP project which involves the use of an Access Database (simple). My only concern is the security involved.

This system will involve a table of login information which will verify the identity of a user accessing the site.

I am thinking of issuing a cookie system. Should I encrypt my cookie information or just leave it as is?

The security doesn't need to be airtight, just secure enough to prevent the average to savvy user from unauthorized access.

Derek Stone
04-16-2002, 01:51 PM
Make sure you encrypt the user's passwords in the database. Then, during a login attempt encrypt the password specified and compare it to the encrypted password in the database. If they match the user has successfully authenticated. Otherwise they have not. Using this method prevents the actual password text from appearing anywhere in writing, including cookies.

Good Luck
-CL

VB_ACK
04-18-2002, 04:35 PM
Do you mean to state encrypt the cookies, the database entries, or both?

How would I stop someone from downloading my database? I was thinking about keeping it deeply rooted in a cryptic directory tree to stop someone from guessing its location and downloading it. Should I set a hidden status on the database as well?

Rezner
04-18-2002, 05:29 PM
Originally posted by VB_ACK
How would I stop someone from downloading my database?

Place the database in a directory that *is not* a virtual directory on the server.

This way, .asp pages in the server's virtual directories can still access the database but a user can not (even if they knew the name of the mdb file.)

The only directories browseable by the user are those set up as being *virtual*.

Robby
04-18-2002, 08:34 PM
What CL is saying is save the password in the DB after you encrypt it. And when you want to match it to a user logging in, do not decrypt it, simply encrypt the current login and compare the 2 encrypted PWs with each other. Reason? So that the decrypted version is not intercepted by anyone.

VB_ACK
04-19-2002, 03:07 AM
Isn't the password still in the original form in the database?

Thinker
04-19-2002, 08:14 AM
Read what CL said...

Make sure you encrypt the user's passwords in the database.

Do not stick unencrypted passwords in the database. Do not
rely on Access to hide passwords.

VB_ACK
04-19-2002, 11:51 AM
If they're encrypted in the database what am I going to compare them to? An encrypted password in the database is just as good as an unencrypted password if I am not comparing them to its original form.

Robby
04-19-2002, 01:28 PM
CL explained it and I re-explained it. Please read what we said carefully.

Derek Stone
04-19-2002, 02:40 PM
Go ahead and dispute what every e-commerce site out there does. That's fine, but don't ask for help if all you plan on doing is questioning it.

-CL

VB_ACK
04-19-2002, 03:28 PM
I am not questioning anyone, I do not understand what you are stating.

This is what I understand from reading all of the replies:

Logins Table (Encrypted) - Passwords are stored in an encrypted form.

Now I compare something like, "mypassword", to "dje8d37d23."

I don't think that's going to work when 'mypassword' is not the same as 'dje8d37d23'.

This is what I could make sense of:

Logins Table (Not Encrypted) - Passwords are stored in original form.

When they log in send their password to a cookie in an encrypted form using some sort of encryption algorithm.

When the cookie information is verified decrypt the password from the cookie and compare it to the logins table data.

This is the model: 'mypassword' becomes 'dje8d37d23' in the cookie. When verified 'dje8d37d23' - Decryption Algorithm - 'mypassword'. I compare 'mypassword' to that in the logins table.


However it is likely I am making a fool of myself trying to demonstrate your ideas.

An example, tutorial, or something like that is my best bet.

I am truly a graphical learner, can you demonstrate this with a diagram?

Thinker
04-19-2002, 03:51 PM
It is very simple. When someone enters a password, you run it through the same encryption algorithm that you used on the ones stored in the database. You then compare the encrypted one just entered to the encrypted one in the database. This way, you can use a one-way encryption.

VB_ACK
04-19-2002, 04:28 PM
Something like this Thinker?

Password ---> Encryption Algorithm ---> Database
Database ---> Cookie ---> Cache
Cookie ---> Database (Comparison)

Thinker
04-19-2002, 04:41 PM
If you keep passing an encrypted password back and forth in a cookie, and you only compare what is in the cookie to what is in the database, you don't have a great deal of security. On the other hand, in a stateless connection, the only two alternatives are to pass something back and forth, or require the person to enter their password for each page. The latter might be a bit more secure, but would be a big pain. Otherwise you might want to pass some sort of session identifier back and forth. If the elapsed time between pages is greater than a timeout value, you make the session security invalid, and make them enter the password again.
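
The flow from Thinker's two posts above (re-hash the entered password and compare hashes; hand the browser a session id with a timeout rather than the password), as an added Python example that is not from the thread. The logins table, session store, salt and timeout value are constructed stand-ins for what an ASP/Access site would keep.

```python
"""Added example (not from the thread): store only a one-way hash of each
password, verify a login by re-hashing and comparing, then give the browser
a random session id with a timeout instead of the password itself."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the Access "logins" table and a session store.
LOGINS: Dict[str, Tuple[bytes, bytes]] = {}     # user -> (salt, hash)
SESSIONS: Dict[str, Tuple[str, float]] = {}     # session id -> (user, last seen)
SESSION_TIMEOUT = 15 * 60                        # seconds; assumed value

def hash_password(password: str, salt: bytes) -> bytes:
    # One-way: PBKDF2-HMAC-SHA256 with a per-user salt; never reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(user: str, password: str) -> None:
    # Only the salt and the hash are written to the table, never the password.
    salt = os.urandom(16)
    LOGINS[user] = (salt, hash_password(password, salt))

def login(user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return a new session id on success, None otherwise."""
    record = LOGINS.get(user)
    if record is None:
        return None
    salt, stored = record
    # Re-hash what was typed and compare the two hashes (constant-time), as CL described.
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    sid = secrets.token_urlsafe(32)      # this is what goes in the cookie
    SESSIONS[sid] = (user, time.time() if now is None else now)
    return sid

def check_session(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a live session, invalidating it if it timed out."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user, last_seen = entry
    if now - last_seen > SESSION_TIMEOUT:
        del SESSIONS[sid]                # stale: force a fresh login
        return None
    SESSIONS[sid] = (user, now)          # slide the timeout on each page hit
    return user
```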

VB_ACK
04-21-2002, 06:45 PM
Can you recommend an encryption algorithm?

VB_ACK
04-22-2002, 05:27 AM
I can create Virtual Directories using IIS, but I cannot see how, as I am using a remote server. Are there any FTP clients that will allow me to create virtual directories?

If that sounded incredibly idiotic I apologize.

Thinker
04-22-2002, 09:23 AM
While it doesn't sound idiotic, it also doesn't sound possible. I am pretty sure you have to be able to get to one of the IIS maintenance/configuration tools, either MMC, or the HTML version. It is unlikely they would open up the HTML one to you either.

No, I don't know any good encryption algorithms. There is a Crypt API. If I ever needed something, I might start there.

Rezner
04-22-2002, 01:34 PM
Originally posted by VB_ACK
Can you recommend an encryption algorithm?

Blowfish! Available for almost every developmental language around -- and it's free.

http://www.counterpane.com/blowfish-download.html
