
Forms authentication security - Advice needed.


    #1

    Client co want to put in a forms driven authentication system for web access to an SQL database. I'm not coding it but have been asked for direction in terms of security measures to be taken into account. For various reasons this is the way they want to do it. This is a little outside my area of technical expertise but what I've got so far in terms of security considerations for the devs is:
    • Constrain input to valid ranges.
    • Encode unsafe output.
    • Use command parameters or stored procedures for SQL queries.
    • Do not return ASP errors.
    • Use HTTP Request Validation.
    • Use HTML Encoding.
    • Use ViewStateUserKey with the SessionID.

    Anyone see anything I've missed?
    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

    #2
    Originally posted by DaveB
    Client co want to put in a forms driven authentication system for web access to an SQL database. I'm not coding it but have been asked for direction in terms of security measures to be taken into account. For various reasons this is the way they want to do it. This is a little outside my area of technical expertise but what I've got so far in terms of security considerations for the devs is:
    • Constrain input to valid ranges.
    • Encode unsafe output.
    • Use command parameters or stored procedures for SQL queries.
    • Do not return ASP errors.
    • Use HTTP Request Validation.
    • Use HTML Encoding.
    • Use ViewStateUserKey with the SessionID.

    Anyone see anything I've missed?
    Bind variables to avoid SQL injection
    Best Forum Advisor 2014
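The "command parameters" item in the first post and the "bind variables" point in #2 are the same control, so here is one worked example covering both, together with the output-encoding item. This is added example code, not anything posted in the thread or from the client's project; it uses an in-memory SQLite table with constructed sample rows (column names and user data are assumptions) in place of the client's SQL Server, but the `?` placeholder works the same way as a SqlParameter in ADO.NET.

```python
import html
import sqlite3
import uuid


def make_db():
    """Build a constructed in-memory user table standing in for the real database.

    Ids are random GUIDs rather than an identity column, so one id reveals
    nothing about how many users exist or what the next id will be.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id TEXT PRIMARY KEY, username TEXT UNIQUE, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (str(uuid.uuid4()), "alice", "Alice <Admin>"),
            (str(uuid.uuid4()), "bob", "Bob & Co"),
        ],
    )
    return conn


def find_user_concatenated(conn, username):
    """Vulnerable form: the input is spliced into the SQL text.

    A quote character in the input ends the literal and changes the query's
    structure, which is exactly what parameters prevent. Kept only to show
    the difference; never use this form.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterised(conn, username):
    """Hardened form: '?' is a bind variable.

    The driver sends the value separately from the statement text, so the
    input can only ever be compared as data, whatever characters it holds.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(display_name):
    """Encode unsafe output: a display name may contain markup characters,
    so it is HTML-encoded before being placed into the page."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    print("concatenated:", find_user_concatenated(db, crafted))  # matches every row
    print("parameterised:", find_user_parameterised(db, crafted))  # matches nothing
    print(render_greeting("Alice <Admin>"))
```

The vulnerable query returns every user for an input that no account actually has, while the parameterised one returns nothing, because the same text is treated as a plain string value. Stored procedures give the same protection only if the procedure itself does not build dynamic SQL from its arguments.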



      #3
      Based on the tulip penetration results we got a while back:

      Don't use an identity key or sequence for identifying users. You should use a GUID of some form.

      Ensure that all cookies are sent with the Secure and HttpOnly flags. Of course the Secure flag is only useful if the entire site uses HTTPS.

      Have a single consistent error message for all login failure errors.

      Check session variables against the IP address of the request.

      And my favourite one:

      Session ids are consistent during the entirety of the user's visit. Can you do something about it? We ignored this one.
      merely at clientco for the entertainment
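The points in #3 (GUID user ids, Secure and HttpOnly cookie flags, one error message for every login failure, tying a session to the request's IP address, and rotating the session id once the user authenticates) fit together in a small login routine. The following is an added example written for this thread, not code from the poster or the client's system; the user store, passwords and client addresses are constructed, and the dummy-hash trick for unknown usernames is an addition to make the "single error message" advice hold for timing as well as for the message text.

```python
import hashlib
import hmac
import os
import uuid
from http.cookies import SimpleCookie

# The one message every failed login gets, whatever the real reason was.
GENERIC_FAILURE = "Invalid username or password."
PBKDF2_ROUNDS = 50_000  # assumed value for the example


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_user_store():
    """Constructed sample users keyed by username, each with a random GUID id."""
    store = {}
    for name, pw in [("alice", "correct horse battery"), ("bob", "hunter2hunter2")]:
        salt, digest = hash_password(pw)
        store[name] = {"id": str(uuid.uuid4()), "salt": salt, "digest": digest}
    return store


# A dummy credential hashed at import time, so an unknown username costs the
# same work as a wrong password and the response time does not reveal which
# usernames exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-password")


def login(store, sessions, username, password, client_ip, old_session_id=None):
    """Return (session_id, None) on success or (None, GENERIC_FAILURE) on failure."""
    record = store.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["digest"] if record else _DUMMY_DIGEST
    _, supplied = hash_password(password, salt)
    # Constant-time comparison; the record check comes after it so the work done
    # is the same on both paths.
    matched = hmac.compare_digest(supplied, expected)
    if record is None or not matched:
        return None, GENERIC_FAILURE
    # Rotate the session id on successful login: a value issued before
    # authentication is discarded rather than promoted to an authenticated one.
    if old_session_id in sessions:
        del sessions[old_session_id]
    sid = uuid.uuid4().hex
    sessions[sid] = {"user_id": record["id"], "ip": client_ip}
    return sid, None


def session_cookie(sid):
    """Render the Set-Cookie value with Secure and HttpOnly set."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True    # only sent over HTTPS
    cookie["session"]["httponly"] = True  # not readable from script
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def lookup_session(sessions, sid, client_ip):
    """Resolve a session id to a user id, rejecting it if the IP has changed."""
    sess = sessions.get(sid)
    if sess is None or sess["ip"] != client_ip:
        return None
    return sess["user_id"]


if __name__ == "__main__":
    users, sessions = make_user_store(), {}
    sid, err = login(users, sessions, "alice", "correct horse battery", "10.0.0.5")
    print("Set-Cookie:", session_cookie(sid))
    print(login(users, sessions, "nobody", "x", "10.0.0.5"))  # same message as a bad password
```

The IP check is the thread's suggestion and is worth a caveat in practice: users behind NAT pools or mobile networks can legitimately change address mid-session, so a strict match trades some usability for the protection it gives.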



        #4
        Ensure SQL server account used by the app has just enough access to do what you want.

        Audit OS account policy on the web / DB servers.

        Avoid plain text DB passwords in configuration files. Encrypt / embed or both. Ensure that a casual browser does not have read access to any config files you do have.

        Try to hide anything which gives away the operating system/web server/platform you are using to the user.

        Ensure you are fully patched up. OS / DB / Web server etc. If using a secure transport protocol, ensure it is the latest version and disable lesser versions.

        Look at login and password policies. Enforce strong passwords, consider using memorable word fragments, lock out accounts not used in a specified time frame, consider lockout policy, record login events etc.

        Remove any timestamp information from responses. Could be used to work out pseudo random number generation schemes.
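The login and password policy items in #4 (strong passwords, lockout after repeated failures, disabling accounts unused for a set period, and recording login events) can be expressed as one small policy object. This is an added example for the thread, not code from the poster or from the client; the thresholds are constructed assumptions and the clock is injectable so the lockout and inactivity rules can be exercised without waiting.

```python
import re
import time

# Policy thresholds: constructed values for the example, not the client's figures.
MIN_LENGTH = 12
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
INACTIVE_LIMIT_SECONDS = 90 * 24 * 3600


def password_is_strong(pw):
    """Minimum length plus lower, upper, digit and symbol classes."""
    return all([
        len(pw) >= MIN_LENGTH,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ])


class LoginPolicy:
    """Tracks failures, lockouts, inactivity and an audit log of login events.

    attempt() returns only True/False so the caller can show one generic
    message; the detailed reason goes to the audit log, not to the user.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}
        self.events = []  # (timestamp, username, outcome) records

    def register(self, username, last_login):
        self.accounts[username] = {
            "failures": 0,
            "locked_until": 0.0,
            "last_login": last_login,
        }

    def _log(self, username, outcome):
        self.events.append((self.clock(), username, outcome))

    def attempt(self, username, credentials_ok):
        """credentials_ok is the result of the password check done elsewhere."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            self._log(username, "unknown-user")
            return False
        if now < acct["locked_until"]:
            self._log(username, "locked")
            return False
        if now - acct["last_login"] > INACTIVE_LIMIT_SECONDS:
            # Account not used within the allowed window: treat as disabled.
            self._log(username, "inactive-disabled")
            return False
        if not credentials_ok:
            acct["failures"] += 1
            if acct["failures"] >= MAX_FAILURES:
                acct["locked_until"] = now + LOCKOUT_SECONDS
                acct["failures"] = 0
                self._log(username, "lockout")
            else:
                self._log(username, "bad-password")
            return False
        acct["failures"] = 0
        acct["last_login"] = now
        self._log(username, "success")
        return True


if __name__ == "__main__":
    policy = LoginPolicy()
    policy.register("alice", time.time())
    for _ in range(MAX_FAILURES):
        policy.attempt("alice", False)
    print("after lockout, correct password accepted:", policy.attempt("alice", True))
    for ts, user, outcome in policy.events:
        print(f"{ts:.0f} {user} {outcome}")
```

A fixed lockout window is a denial-of-service lever against known usernames, which is why the audit log matters: the lockout events are what an operator would watch for, and a rising count of them against many accounts is a signal in itself.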
