  • #1
    elcaro2k, New Coder (joined Aug 2002, 89 posts)

    Security Breach using history.

    I need some advice in the area of security. I am a new developer for a website that has been up for 4 years with no security problems. We use session variables that are timed out after 5 minutes and session abandon when the user logs out.

    The problem is that last Tuesday a user logged in and viewed his medical claims and then apparently walked away from the PC. The next day he went back through history and was able to view another customer's claims. The other customer's name wasn't in the header, but it was actually their claims.

    Does anyone have an idea where I should start to look for the problem?

    Thanks,
    Ray

  • #2
    raf, Master Coder (joined Jul 2002, 6,589 posts)
    First off: there is no bulletproof way to prevent client-side caching, since not all browsers honor caching instructions in your header.
    It's clear that you should do your work to prevent client-side caching (by sending a pragma header for instance) but security is not only a matter of the developer, but also of the user.

    In the specific case you describe, it was probably a shared computer that cached the pages. I wouldn't know what you can do against that, except telling your clients that they create a security risk by using shared computers and caching the pages.

    Info on preventing caching (or attempting to prevent it): http://www.15seconds.com/issue/970920.htm
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #3
    elcaro2k, New Coder (joined Aug 2002, 89 posts)

    More...

    Thanks raf.

    I was able to recreate the issue. The claims.asp page is inside a frame, but, when you view claims, the claims.asp full url is recorded into history. It looks like this:
    http://www.company.name/memberservic...de=1&Member=10

    When I click on that url in history, it brings a different member's claims back. This brings 2 new questions to me. 1, how is the url that is inside a frame being recorded in history and 2, how can I prevent that from happening?

  • #4
    raf, Master Coder (joined Jul 2002, 6,589 posts)
    Quote Originally Posted by elcaro2k
    I was able to recreate the issue. The claims.asp page is inside a frame, but, when you view claims, the claims.asp full url is recorded into history. It looks like this:
    http://www.company.name/memberservic...de=1&Member=10

    When I click on that url in history, it brings a different member's claims back. This brings 2 new questions to me. 1, how is the url that is inside a frame being recorded in history and 2, how can I prevent that from happening?
    If that is true (which I find very hard to believe) then you must have an error in your application.
    If they hit the item in the history, then it should either get the page from the cache (so then it is a page that was requested earlier by 'member 10') or request it from your server, but then your application should return the page for 'member 10'. Well, in this second case, the user should be redirected to the login screen, because you should check at the top of each page if the user is currently logged in.

    But if member 10 browses through his history, it should never happen that he would get a page from 'member 11' by hitting a link from his history.
    Only possible exception: if both user 10 and 11 use the same machine and if the pages are cached client-side, or if you don't perform a login check at the top of each page.
    If the first situation is the case, then there is no bulletproof method to prevent this (see above) but you should nonetheless do what is possible (sending the right headers + letting the pages expire immediately).

    The second situation is perfectly controllable, by checking on each page if the client is logged in. It's virtually impossible that two people are on a shared computer at the same time, so if they use the exit link, then their history alone doesn't create a security risk.


    About preventing that a page is included in the history: you can clean out a client's history, but I find that unacceptable behaviour. The client-side cache, history and the client's browser settings are his own responsibilities.

    By the way, passing the memberID through the querystring, now that is a real security risk. Everyone can just manipulate the querystring and request other members' pages. You should store the member value in a session value and grab it from there.

  • #5
    elcaro2k, New Coder (joined Aug 2002, 89 posts)
    Actually member=10 just refers to which family member it is. The actual subscriber id is in a session var. Husband = 10, wife = 20, dependent 1 = 30 etc. That is why this is so confusing. This is not a shared PC and the data that is shown when nobody is logged in is a mystery. I am going to do the immediate expire and the pragma header and check at the top of each page to ensure that the user is logged in. I think this will do it for now.

    Thanks,
    ray

  • #6
    elcaro2k, New Coder (joined Aug 2002, 89 posts)

    Checking login status.

    What is the proper method to use to see if a user is logged in?

  • #7
    Senior Coder (joined Jun 2002, Wichita, 3,880 posts)
    Quote Originally Posted by elcaro2k
    What is the proper method to use to see if a user is logged in?
    Code:
    If Len(Request.ServerVariables("LOGON_USER")) < 1 Then
        ' no user is logged on
    End If
    Check out the Forum Search. It's the short path to getting great results from this forum.

  • #8
    elcaro2k, New Coder (joined Aug 2002, 89 posts)
    Didn't work? I did a
    Response.Write "val="&Request.ServerVariables("LOGON_USER")
    and it is empty or null when I know I am signed in? Is this something that I have to set after login?

  • #9
    Rockstar Coder (joined Jun 2002, USA, 9,074 posts)
    If you are dealing with information that is pretty personal to someone, you probably should be using SSL for their benefit; this will also usually mean the browser won't cache the pages at all, if I remember correctly.
    OracleGuy

  • #10
    raf, Master Coder (joined Jul 2002, 6,589 posts)
    Quote Originally Posted by elcaro2k
    What is the proper method to use to see if a user is logged in?
    After processing the login, set a session variable.
    Then on top of each page, you check if that session variable is set. (Store the check in a separate file and include it in each page.) More elaborate explanation:
    How to secure the pages after login?
    Quote Originally Posted by OracleGuy
    If you are dealing with information that is pretty personal to someone, you probably should be using SSL for their benefit; this will also usually mean the browser won't cache the pages at all, if I remember correctly.
    Not sure about that. But I would expect that SSL would cache an encoded version of the page, and since the encoding key is session-specific, it wouldn't be decodable after the session is closed. But I never really looked into that. (I just think it wouldn't make sense to cache an un-encoded version of the page.)
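The pattern raf lays out in #4 and #10 (set a session variable after login, test it in a check included at the top of every page, send no-cache headers, and take the subscriber from the session rather than the query string), written out as an added Python example. This is not the thread's classic ASP code; the session store, the claims table, the `sid` cookie name and the `/login.asp` redirect target are all constructed for the illustration.

```python
from urllib.parse import parse_qs

# Added example (Python, not the thread's ASP). Everything below (session
# store layout, cookie name, claims table, subscriber ids) is constructed.

# What "pragma header + immediate expiry" amounts to in practice.
NO_CACHE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

# Constructed claims table keyed by (subscriber id, family member code);
# the thread uses 10 = husband, 20 = wife, 30 = first dependent.
CLAIMS = {
    ("S-1001", "10"): ["S-1001/10 claim A", "S-1001/10 claim B"],
    ("S-1001", "20"): ["S-1001/20 claim A"],
    ("S-2002", "10"): ["S-2002/10 claim A"],
}


def login(sessions, sid, subscriber_id):
    """Run only after credentials are verified: create the server-side
    session record that every later page tests ("set a session variable
    after processing the login")."""
    sessions[sid] = {"logged_in": True, "subscriber_id": subscriber_id}


def logout(sessions, sid):
    """Session.Abandon equivalent: drop the record, so replaying a URL from
    the browser history afterwards fails the login check."""
    sessions.pop(sid, None)


def session_for(environ, sessions):
    """Look up the session named by the 'sid' cookie; None if absent/unknown."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return sessions.get(value)
    return None


def require_login(environ, sessions):
    """The check to include at the top of each page. Returns (session, None)
    when logged in, or (None, redirect_response) otherwise."""
    sess = session_for(environ, sessions)
    if not sess or not sess.get("logged_in"):
        headers = [("Location", "/login.asp")] + NO_CACHE_HEADERS
        return None, ("302 Found", headers, b"")
    return sess, None


def claims_page(environ, sessions):
    """claims.asp equivalent. The family member code may come from the URL,
    but the subscriber whose claims are shown comes only from the session,
    so editing the query string cannot reach another subscriber's data."""
    sess, redirect = require_login(environ, sessions)
    if redirect:
        return redirect
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    member_code = qs.get("Member", ["10"])[0]
    rows = CLAIMS.get((sess["subscriber_id"], member_code), [])
    body = "\n".join(rows).encode("utf-8")
    headers = [("Content-Type", "text/plain; charset=utf-8")] + NO_CACHE_HEADERS
    return "200 OK", headers, body


if __name__ == "__main__":
    store = {}
    login(store, "sess-abc", "S-1001")
    env = {"HTTP_COOKIE": "sid=sess-abc", "QUERY_STRING": "Member=10"}
    print(claims_page(env, store))
    logout(store, "sess-abc")
    print(claims_page(env, store)[0])  # redirect to login after logout
```

The `require_login` function is the "separate file included in each page": every handler calls it first and returns the redirect it hands back. Note that the redirect itself also carries the no-cache headers, so the login bounce is not stored either.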

  • #11
    Senior Coder (joined Jun 2002, Wichita, 3,880 posts)
    Quote Originally Posted by elcaro2k
    Didn't work? I did a
    Response.Write "val="&Request.ServerVariables("LOGON_USER")
    and it is empty or null when I know I am signed in? Is this something that I have to set after login?
    That would be a network logon; if your users are logging on using a custom system then how you'd tell would be dependent on that custom system.

  • #12
    elcaro2k, New Coder (joined Aug 2002, 89 posts)
    Thanks everyone. I seem to have my problem solved by setting a session var at login and logout and testing the value on each page. I also added
    Response.Expires = -1500
    on each page as well.

    I do have one question remaining. How does server-side caching come into play re: these security issues?
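The thread leaves this last question open. As an added illustration (Python, not the thread's ASP, with a constructed page handler, cache and user cookies), the following shows the one way a server-side response cache matters here: a cache keyed on the URL alone stores the first visitor's page and serves it to the next visitor of the same URL, which is exactly the "another member's claims" symptom. The safe policy is to never store a response that depends on a session cookie or that is marked no-store/private, and to cache only anonymous public pages.

```python
# Added example (Python, not the thread's ASP). The handler, cookie names,
# headers and cache below are constructed for this illustration.


def url_key(environ):
    """Cache key from path and query only. Fine for anonymous public pages,
    wrong once the body depends on who is logged in."""
    return environ.get("PATH_INFO", "") + "?" + environ.get("QUERY_STRING", "")


def is_private(response):
    """True when the response says it must not be shared: Cache-Control
    no-store/private, or a Set-Cookie header."""
    _status, headers, _body = response
    for name, value in headers:
        if name.lower() == "cache-control":
            tokens = [t.strip() for t in value.lower().split(",")]
            if "no-store" in tokens or "private" in tokens:
                return True
        if name.lower() == "set-cookie":
            return True
    return False


class ResponseCache:
    """Minimal server-side cache in front of a page handler. With
    honour_private=False it behaves like a naive URL-keyed cache; with the
    default it refuses to store any session-bound or private response."""

    def __init__(self, handler, honour_private=True):
        self.handler = handler
        self.honour_private = honour_private
        self.store = {}
        self.hits = 0  # number of responses served from the cache

    def get(self, environ):
        key = url_key(environ)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        response = self.handler(environ)
        # Safe policy: a request carrying a cookie, or a response marked
        # private/no-store, is per-user and must never be stored.
        if self.honour_private and (
            "HTTP_COOKIE" in environ or is_private(response)
        ):
            return response
        self.store[key] = response
        return response


def claims_handler(environ):
    """Constructed per-user page: the body depends on the 'sid' cookie and,
    as a logged-in page should, it sends Cache-Control: no-store."""
    user = environ.get("HTTP_COOKIE", "sid=anonymous").split("=", 1)[1]
    body = ("claims for " + user).encode("utf-8")
    return "200 OK", [("Cache-Control", "no-store")], body


def help_handler(environ):
    """Constructed anonymous public page that is safe to cache."""
    return "200 OK", [("Cache-Control", "public, max-age=600")], b"help text"


if __name__ == "__main__":
    alice = {"PATH_INFO": "/claims.asp", "QUERY_STRING": "Member=10",
             "HTTP_COOKIE": "sid=alice"}
    bob = dict(alice, HTTP_COOKIE="sid=bob")
    naive = ResponseCache(claims_handler, honour_private=False)
    print(naive.get(alice)[2], naive.get(bob)[2])  # bob receives alice's page
    safe = ResponseCache(claims_handler)
    print(safe.get(alice)[2], safe.get(bob)[2])    # each gets their own
```

The same rule applies to any reverse proxy or CDN in front of the application: authenticated pages must carry `Cache-Control: no-store` (or at least `private`) so that no shared cache between the server and the browser keeps a copy, and the cache in front of public pages must honour those directives.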

