ASP Security

**higginbt** · 12:25 PM

Huy guys.

I'm developing a site that Using ASP vbscript. This site simply pulls information back from a DB.

It uses the request.servervariable.("LOGON_USER") to figure out which user to pull back information in. for example if i log on to my computer and then visit the site it show my info. if you did it it would show your info.

Now these has got to be secure so i cant see yours and you cant see mine.

All the security is controlled by the request.servervariable.("LOGON_USER") how easy it for people to hack into this and pretend to be some one else?

edit: Not asking how if possible its done. Just if it is possible and how to stop people doing it

**chrishirst** · 06-23-2006, 06:52 PM

to use LOGON_USER you have to be using Windows Authentication, which is pretty secure provided you aren't sending clear text passwords.

**higginbt** · 06-26-2006, 12:13 PM

ok thanks. for the info

**XpIndia.Com** · 06-26-2006, 03:27 PM

what is your site link ?

Lemme check the security level and report back

**higginbt** · 06-27-2006, 05:54 AM

reply lol. Luckly its a page on the local intranet so its not open to just anyone

**sandbox** · 06-28-2006, 02:07 PM

Have you thought about protection from sql injection attacks? Something else you need to be aware of.

**higginbt** · 06-30-2006, 11:04 AM

Have i thought about SQL injection attacks!!?

in a word no.

what the hell are they

**higginbt** · 06-30-2006, 11:12 AM

ok. i know what they are now. Bloody hell thats quite scary.
But i dont have any input via users. Its all done via the Logon_user