Secured ASP web site

Ed Jaffe

All:

1) Could anyone show me any website which is using asp, ssl, sql server?
2) Is ASP/IIS technology good enough to create a commercial secured internet
web application?
3) People said most of the secured internet web applications (e.g.
banking...) are using Java, is that true?

Simon
 
Ray at

Ed Jaffe said:
All:

1) Could anyone show me any website which is using asp, ssl, sql server?

http://www.microsoft.com/sql/evaluation/casestudies/solutions.asp

2) Is ASP/IIS technology good enough to create a commercial secured internet
web application?

Sure, as long as everyone involved in developing and maintaining the
site, the server, and all else involved remains security-conscious.

3) People said most of the secured internet web applications (e.g.
banking...) are using Java, is that true?

I'm a programmer at a bank. Our website has no Java anything anywhere. Our
online applications are normal ASP pages in https.

As far as our Web banking system, we did not develop it ourselves. But it
is hosted in NT machines and uses Cold Fusion. The database is DB/2 on an
AS/400.

Ray at home
 
Ed Jaffe

Ray at said:
server?

Sure, as long as everyone involved in developing and maintaining the
site, the server, and all else involved remains security-conscious.


I'm a programmer at a bank. Our website has no Java anything anywhere. Our
online applications are normal ASP pages in https.

As far as our Web banking system, we did not develop it ourselves. But it
is hosted in NT machines and uses Cold Fusion. The database is DB/2 on an
AS/400.
 
Ray at

Tru dat. ;]

How? I think that 99% of the sites out there use login credentials that are
stored in a database. This is normal. Like everything, you have to balance
security with functionality. Like, if you think that someone is going to
sit there on your login page all day trying to get lucky entering usernames
and passwords, you can add something to your site to track the number of
invalid logins by IP and then deny access to the page from that IP. You can
also mandate password complexity from your users.

For me, as an end user, all I need is a username and password to get into
web banking. From there, I can transfer money, send money to other people
via checks, close accounts, whatever. The only thing protecting me is my
password. This is normal though.

Just don't do anything foolish like use an Access database and put it in
your website where people can download it. And don't let people use blank
passwords. And make people change their passwords. And physical security
of the server is also important.

Ray at work
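
The invalid-login tracking by IP described in the post above, sketched in T-SQL as an added example that is not part of the original thread. The table, procedure and parameter names and the 5-failures-in-15-minutes threshold are assumptions made for illustration.

```sql
-- Added example, not from the thread. Object names and thresholds are hypothetical.
-- GO is the batch separator used by sqlcmd and Management Studio.
CREATE TABLE dbo.FailedLogin (
    IpAddress   varchar(45)  NOT NULL,  -- wide enough for an IPv6 address in text form
    Username    varchar(20)  NOT NULL,  -- name that was tried, for per-account review
    AttemptedAt datetime2(0) NOT NULL DEFAULT SYSUTCDATETIME()
);
CREATE INDEX IX_FailedLogin_Ip_Time ON dbo.FailedLogin (IpAddress, AttemptedAt);
GO

-- Call after a username/password check fails.
CREATE PROCEDURE dbo.RecordFailedLogin
    @IpAddress varchar(45),
    @Username  varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.FailedLogin (IpAddress, Username) VALUES (@IpAddress, @Username);
END;
GO

-- Call before checking credentials. Returns IsBlocked = 1 when the address has
-- reached @MaxFailures failures inside the last @WindowMinutes minutes.
CREATE PROCEDURE dbo.IsIpBlocked
    @IpAddress     varchar(45),
    @MaxFailures   int = 5,
    @WindowMinutes int = 15
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Failures int;
    SELECT @Failures = COUNT(*)
    FROM dbo.FailedLogin
    WHERE IpAddress = @IpAddress
      AND AttemptedAt >= DATEADD(MINUTE, -@WindowMinutes, SYSUTCDATETIME());
    SELECT CASE WHEN @Failures >= @MaxFailures THEN 1 ELSE 0 END AS IsBlocked;
END;
GO

-- Constructed sample: five failures from a documentation-range address, then the check.
EXEC dbo.RecordFailedLogin '203.0.113.7', 'alice';
EXEC dbo.RecordFailedLogin '203.0.113.7', 'alice';
EXEC dbo.RecordFailedLogin '203.0.113.7', 'bob';
EXEC dbo.RecordFailedLogin '203.0.113.7', 'carol';
EXEC dbo.RecordFailedLogin '203.0.113.7', 'alice';
EXEC dbo.IsIpBlocked '203.0.113.7';
```

Because the count only looks at a sliding time window, users who share one proxy address are locked out temporarily rather than permanently. The stored Username column lets the same table be queried per account as well as per address.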
 
Ed Jaffe

Ray, one last question I want to clarify regarding the "credentials that are
stored in a database" statement. Will you take advantage of the Users, Roles
and Rules features in SQL Server "or" use a plain table that has fields to
store the user name, password (encrypted) and associated info (for diff.
security levels)? The reason I ask is that when you first make the
"connection" to your DBMS through the "ADODB.Connection" object within the
ASP page, you have to pass the "User ID" and "Password" info. Are you going
to use a "global" user account, e.g. sa, to do the connection and then
query/validate the user based on the passed UserID and Password against the
plain table? Or does each user have their "own" UserID/Password when you do
the ADODB.Connection? I am new to this area and hope someone can give me
more detail on this particular topic.

Thank you for your valuable help anyway.

Ed.

Ray at said:
Ed Jaffe said:
ASP/IIS
technology.

Tru dat. ;]
only
the anonymous

How? I think that 99% of the sites out there use login credentials that are
stored in a database. This is normal. Like everything, you have to balance
security with functionality. Like, if you think that someone is going to
sit there on your login page all day trying to get lucky entering usernames
and passwords, you can add something to your site to track the number of
invalid logins by IP and then deny access to the page from that IP. You can
also mandate password complexity from your users.

For me, as an end user, all I need is a username and password to get into
web banking. From there, I can transfer money, send money to other people
via checks, close accounts, whatever. The only thing protecting me is my
password. This is normal though.

Just don't do anything foolish like use an Access database and put it in
your website where people can download it. And don't let people use blank
passwords. And make people change their passwords. And physical security
of the server is also important.

Ray at work
 
Ray at

I personally would use the same sql login for all connections. The user
logins would just be data in a table as you suggested with the passwords in
the table. And as far as permissions in the application, that would be data
stored in the db too. I believe this is the norm. A table may look
something like this:


Userid              smallint
Username            varchar(20)
Password            varchar(20)   'or longer if you encrypt with many characters
AuthorityLevel      tinyint
PasswordLastChange  datetime
'etc.

Ray at work
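
The single shared SQL login and the user table discussed in the two posts above, written out in T-SQL as an added example that is not part of the original thread. It assumes the shared login is a dedicated low-privilege account rather than sa and that the password column holds a salted hash computed by the application; the database, login, table and procedure names and the password placeholder are hypothetical.

```sql
-- Added example, not from the thread. All object names are hypothetical.
-- Run once as an administrator; the ASP connection string then uses
-- WebAppLogin for every request, and sa is never used by the site.
USE AppDb;   -- hypothetical application database
GO
CREATE LOGIN WebAppLogin WITH PASSWORD = '<generated-password-placeholder>';
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
GO

-- Site users are rows of data, not SQL Server logins.
CREATE TABLE dbo.AppUser (
    UserId             smallint IDENTITY(1,1) PRIMARY KEY,
    Username           varchar(20)   NOT NULL UNIQUE,
    PasswordSalt       varbinary(16) NOT NULL,  -- random per user, generated by the application
    PasswordHash       varbinary(64) NOT NULL,  -- slow KDF output (e.g. PBKDF2), computed by the application
    AuthorityLevel     tinyint       NOT NULL DEFAULT 0,
    PasswordLastChange datetime2(0)  NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- The login page passes the submitted name as a parameter, receives the salt
-- and stored hash, recomputes the hash from the submitted password and compares.
CREATE PROCEDURE dbo.GetUserForLogin
    @Username varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT UserId, PasswordSalt, PasswordHash, AuthorityLevel, PasswordLastChange
    FROM dbo.AppUser
    WHERE Username = @Username;
END;
GO

-- The web account may execute the procedure and nothing else: no direct
-- SELECT, INSERT, UPDATE or DELETE on dbo.AppUser is granted.
GRANT EXECUTE ON OBJECT::dbo.GetUserForLogin TO WebAppUser;
GO

-- Constructed sample call, as the page would issue it through a parameterized ADODB.Command.
EXEC dbo.GetUserForLogin @Username = 'alice';
```

The procedure can read the table without a table-level grant because both objects are owned by dbo, so an injected statement running as WebAppUser still has no direct access to the credential rows.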
 
