Login security issue

Jhakda Velu
Ranch Hand
Hi All
This may be a known issue. I have to code a login page and I validate the user name and password. I connect to the server through an XMLHTTP request, the user name and password being sent as 2 parameters. I extract these 2 params in the servlet and pass them to the DAO to validate against the ones stored in the user table.
I do no encryption.
What is the best way to avoid spooking?
My login page is an Excel form (VBA), not a JSP, and my servlet is on JBoss.

Jhakda

[ July 16, 2008: Message edited by: Jhakda Velu ]
 
Ulf Dittmer
Rancher
What do you mean by "spooking"? Spoofing? What exactly are you trying to protect against?
[ July 16, 2008: Message edited by: Ulf Dittmer ]
 
Jhakda Velu
Ranch Hand
Hi
By spooking I mean bad guys trying to get the password.
I was looking at other threads; most of them suggested using HTTPS as an option. I'm trying to find out what changes I need to make to enable it. Am I heading in the right direction? Some also talked about using keys and some about encryption.

Jhakda
 
Ulf Dittmer
Rancher
I really think you mean "spoofing".

If you're concerned about someone eavesdropping on the connection, then using HTTPS is a good start. Certainly better than using your own encryption on top of HTTP, and much easier to implement.

Of course, network eavesdropping is only one way in which passwords can be compromised. Social engineering, written-down passwords and weak passwords are others. The latter you can do something about technologically, but that might increase the chance of the password being written down.

More fundamentally, passwords are not tied to a person (they can become "un-tied" by the ways mentioned above). If you're REALLY serious about authentication, consider two-factor or three-factor authentication.
 
Jhakda Velu
Ranch Hand
Hi Ulf
Many thanks for your help.
All I'm concerned about is network eavesdropping.
I'll go ahead with the HTTPS implementation, now looking at ways to do it with minimal changes.
I'm connecting to JBoss using an XMLHTTP object, where I have to specify the URL string. Right now I'm using HTTP, so my connection URL reads something like this:
code:
http://jbossIP/context/servletName?Param1=user_name&Param2=password
This is for the entire application, so should I go about having HTTPS for the login only and HTTP for other requests?
How much of an overkill is using HTTPS for getting things which may not require very high security concerns?
Our application will be deployed on the company intranet, so is my concern about eavesdropping valid?
And the way my login page works, the password does appear to be tied to a user. So am I adopting the wrong way to do a user's validation? I believe I have to send the user name along with the password. Or is it that I should be sending the user name in 1 request and the password in another, with some code to identify the 2 requests, and then carry on with the validation? Writing that piece of code to tie 2 requests together seems a headache, though.

Awaiting your expert comments.

Jhakda
[ July 16, 2008: Message edited by: Jhakda Velu ]
 
Jhakda Velu
Ranch Hand
Hi All
I'm a bit confused. I'm trying to use HTTPS, but I'm getting a feeling that we need a browser to use it. I'm not using a browser in my application, so is there a way out?

Thanks

Jhakda
 
Ulf Dittmer
Rancher
quote:
This is for the entire application, so should I go about having HTTPS for the login only and HTTP for other requests? How much of an overkill is using HTTPS for getting things which may not require very high security concerns?

My approach is that either everything is worth protecting by HTTPS, or nothing is. Mixing HTTP and HTTPS in the same web app creates certain problems, and it may just be easier not to bother with it. My rule of thumb is that for a web app that's used by dozens of people, the HTTPS overhead is negligible, while for a web app that's used by thousands of people you need to think about scalability anyway, and HTTPS certainly plays a role in that. In between, run realistic tests to see how noticeable the impact is.

quote:
Our application will be deployed on the company intranet, so is my concern about eavesdropping valid?

That depends on a) whether you trust the other employees of the company not to try to compromise security, and b) whether you trust the sysadmins to run a secure network. Generally I wouldn't be concerned about eavesdropping in an intranet, but only you can answer that with regard to your company.

quote:
Or is it that I should be sending the user name in 1 request and the password in another, with some code to identify the 2 requests, and then carry on with the validation?

Submitting them both together is fine.

quote:
I'm trying to use HTTPS, but I'm getting a feeling that we need a browser to use it. I'm not using a browser in my application, so is there a way out?

Not really. E.g., HTTPS can be used by a Java client. Not sure about VBA, though.
[ July 16, 2008: Message edited by: Ulf Dittmer ]
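Two things in the thread deserve a concrete check on the servlet side: the login URL quoted above carries the password in the query string, which gets written to access logs, proxy logs and history whether or not TLS is in use, and the advice to use HTTPS only helps if the servlet actually refuses to validate credentials that arrived over plain HTTP. The following is an added example, not the poster's servlet or any JBoss code: it keeps the thread's parameter names (Param1 = user name, Param2 = password) but accepts them only in a POST body over a TLS connection. The UserDao interface and the userDao() hook are assumptions, since the thread's DAO is not shown.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Login endpoint for a non-browser XMLHTTP client such as the Excel/VBA form
 * in the thread. Example code, not the original poster's servlet.
 */
public abstract class LoginServlet extends HttpServlet {

    /** Assumed DAO contract (the thread's DAO is not shown): null means unknown user. */
    public interface UserDao {
        String storedPasswordFor(String userName);
    }

    /** Assumed hook: the deployment subclass supplies the DAO (JNDI lookup, factory, ...). */
    protected abstract UserDao userDao();

    /** GET is refused outright: a GET puts Param2 into the URL, and URLs are logged
     *  by the container and by any proxy on the path, TLS or not. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("Allow", "POST");
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "use POST");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Eavesdropping defence: only validate credentials the container received over TLS.
        // The declarative equivalent is a <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        // user-data-constraint on this URL pattern in web.xml.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires HTTPS");
            return;
        }
        // getParameter() merges query string and body, so a client could still put the
        // password in the URL of a POST; refuse that too rather than silently accept it.
        String qs = req.getQueryString();
        if (qs != null && (qs.contains("Param1=") || qs.contains("Param2="))) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "send credentials in the request body");
            return;
        }
        req.setCharacterEncoding("UTF-8");
        String user = req.getParameter("Param1");
        String password = req.getParameter("Param2");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
            return;
        }
        if (credentialsValid(userDao(), user, password)) {
            resp.setStatus(HttpServletResponse.SC_OK);
            resp.setContentType("text/plain");
            resp.getWriter().print("OK");
        } else {
            // One generic answer for "no such user" and "wrong password", so the
            // response does not reveal which user names exist.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid credentials");
        }
        // Neither branch writes the password anywhere, the container log included.
    }

    /** Constant-time comparison, so response timing does not leak how many leading
     *  characters of the password matched. Storing and comparing a password hash
     *  instead of the password itself is a separate improvement the thread did not get to. */
    static boolean credentialsValid(UserDao dao, String user, String password) {
        String stored = dao.storedPasswordFor(user);
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }
}
```

On the client side the matching change is small: open the request as POST against an https:// URL, set Content-Type to application/x-www-form-urlencoded, and send "Param1=...&Param2=..." (URL-encoded) as the body instead of appending it to the URL. No browser is involved: the MSXML2.XMLHTTP and MSXML2.ServerXMLHTTP objects that VBA uses both speak HTTPS, so the remaining work is on the JBoss side, an HTTPS connector with a certificate the client machines trust. The isSecure() check above is what turns "we configured HTTPS" into "the login cannot succeed without it".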
 