Astra
Hi All
I've been creating a number of admin systems now for my classic ASP sites
and although they seem to keep the wolves from the door, I just wanted to
ask if you have any additional security pointers that I should watch out
for.
For your ref, the ones that I have already been told are:
a) Always have a login/password section in place and use session vars to
allow access into the protected pages. If the browser won't work with
session vars then they can't get in and the end user will have to sort it
out to get session vars to work. NOTE: my ISP charges for HTAccess
functionality so I don't use this.
b) Put login and protected pages in an obscurely named sub-directory.
c) When on the live site, make sure the pages are set to On Error Resume
Next so that no unwanted database error messages are shown to the user.
Any more?
Should I expire the pages so that web logs can't log the referrer (i.e. the
end user goes from the admin system to somebody else's site) and don't
appear in a web site's history? Is this actually possible?
Many thanks for any pointers you can give.
Regards
Robbie
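
Items (a) and (c) from the post, together with the page-expiry question, sketched as the top of a protected Classic ASP page. This is an added example, not code from the original post; the session key, `login.asp`, the `AdminDSN` setting, the `LogError` helper and the log path are assumed names.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. In practice this block would sit in an include file
' pulled in at the top of every admin page.

' 1. Ask the browser and proxies not to keep a copy of the page.
'    These headers control caching only; they do not change the Referer
'    header the browser sends to other sites.
Response.Expires = -1
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

' 2. Item (a): no session value set by the login page, no access.
'    Session("AdminUser") is an assumed key; an unset value compares equal to "".
If Session("AdminUser") = "" Then
    Response.Redirect "login.asp"   ' assumed login page; processing stops here
End If

' 3. Item (c): On Error Resume Next keeps database error text away from the
'    visitor, but it also hides the failure from the code unless Err is
'    checked after each risky call.
Dim conn
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("AdminDSN")   ' assumed: connection string kept in Application
If Err.Number <> 0 Then
    LogError "admin db open failed: " & Err.Number & " " & Err.Description
    Err.Clear
    Response.Status = "500 Internal Server Error"
    Response.Write "Sorry, something went wrong."
    Response.End
End If
On Error GoTo 0                     ' restore normal error handling

' Hypothetical helper: append the detail to a log file outside the web root.
Sub LogError(msg)
    Dim fso, f
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    ' Placeholder path (constructed); 8 = ForAppending, True = create if missing.
    Set f = fso.OpenTextFile("D:\logs\admin-errors.log", 8, True)
    f.WriteLine Now() & " " & msg
    f.Close
End Sub
%>
```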