> You do have an issue, though, if they don't have the cookie (deleted it,
> another PC, etc.). You'd have to get their email address and look up
> their username. Or search for their PIN in the Users/Contacts
> table...but that'd depend on each of them having a unique PIN which is
> pretty unlikely (unless there's only 10 or so contacts, I guess).

Wow, that sounds like a really bad idea (the searching of the PIN). Let's try attacking it: I delete my cookie, go to the site and enter a PIN (either I get in or I don't :)). Let's assume a small user base of 1000 users ... still a 10% chance per try (those add up quick :)).

Cheers,
Greg

On Jan 3, 2008 1:10 PM, Mark Brackett <[EMAIL PROTECTED]> wrote:
> Since you have an email address, you can do the whole send an email,
> click a link in the email and create your PIN. You'd use the PIN as
> their password, and generate them a username. Set a persistent cookie
> with their username (encrypted would be good).
>
> Upon returning to the login page, you'd see that they had the cookie and
> show them only the password textbox (calling it PIN entry or something).
> When they filled that out, you'd verify their username (from cookie) and
> password (PIN) manually via the FormsAuthentication class.
>
> You do have an issue, though, if they don't have the cookie (deleted it,
> another PC, etc.). You'd have to get their email address and look up
> their username. Or search for their PIN in the Users/Contacts
> table...but that'd depend on each of them having a unique PIN which is
> pretty unlikely (unless there's only 10 or so contacts, I guess).
>
> --MB
>
> > -----Original Message-----
> > From: Discussion of advanced .NET topics. [mailto:ADVANCED-
> > [EMAIL PROTECTED] On Behalf Of Paul Cowan
> > Sent: Thursday, January 03, 2008 10:54 AM
> > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> > Subject: [ADVANCED-DOTNET] non authenticated security
> >
> > Hi all, I am migrating an ASP app. to ASP.NET and have spotted a
> > potential security hole.
> > Most of the app. I am securing with Forms authentication, but as it
> > stands they have another requirement whereby users who are just
> > contacts who exist in the system without a username or password can
> > access certain parts of the site which are sensitive. They have been
> > entered in the system by importing an Excel or SAP feed. They have not
> > been created via the system and as such do not have usernames or
> > passwords.
> > The way things stand at the minute, the user gets redirected to a page
> > where they create a 4-digit PIN number which allows them to access the
> > system via another page.
> > This seems terrible to me.
> > Can anyone think of a better way of handling this situation?
> > Cheers
> > [EMAIL PROTECTED]
> >
> > ===================================
> > This list is hosted by DevelopMentor(r) http://www.develop.com
> > View archives and manage your subscription(s) at
> > http://discuss.develop.com
> > ===================================

--
Studying for the Turing test
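The point Greg makes above (a PIN looked up against the whole Users/Contacts table is only as strong as the table is small) is easy to quantify. The following is an added example, not code from the thread or from anyone's project: it compares the success probability of a single guess when the server searches the table for any account holding the entered PIN against the scoped design Mark proposed, where the username comes from the cookie and the PIN is checked against that one account. The user count, PIN space and the simulated table are constructed values for illustration.

```python
"""Constructed example: why a table-wide PIN search undermines a 4-digit PIN.

Two lookup designs are compared:
  * unscoped: server runs "find any contact whose PIN equals X", so a guess
    succeeds if ANY of the N accounts holds that PIN;
  * scoped:   server knows the username (from the cookie) and checks the PIN
    against that single account, so a guess succeeds with 1/pin_space.
"""
import random

PIN_SPACE = 10_000  # 4-digit PIN: 0000..9999


def per_guess_success(users, pin_space=PIN_SPACE, scoped=False):
    """Probability that one uniformly random PIN guess matches some account.

    With the scoped design the target account is fixed, so the chance is
    1/pin_space regardless of how many users exist. With the unscoped
    (table-search) design the guess succeeds unless every one of the
    `users` independently chosen PINs differs from it.
    """
    if scoped:
        return 1.0 / pin_space
    return 1.0 - (1.0 - 1.0 / pin_space) ** users


def cumulative_success(users, guesses, pin_space=PIN_SPACE, scoped=False):
    """Chance of at least one hit after `guesses` independent attempts.

    This is the 'those add up quick' effect: failures must happen every time
    for the attacker to stay locked out.
    """
    p = per_guess_success(users, pin_space, scoped)
    return 1.0 - (1.0 - p) ** guesses


def simulate_table_search(users, guesses, pin_space=PIN_SPACE, seed=0):
    """Monte-Carlo check of the unscoped design on a constructed user table.

    Each user is assigned a random PIN; the attacker tries `guesses`
    distinct PINs. Returns how many of those guesses matched an account,
    i.e. how many logins the table search would have granted.
    """
    rng = random.Random(seed)
    pins_in_use = {rng.randrange(pin_space) for _ in range(users)}
    tried = rng.sample(range(pin_space), guesses)
    return sum(1 for guess in tried if guess in pins_in_use)


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(f"{n:5d} users: unscoped {per_guess_success(n):.4f}/guess, "
              f"scoped {per_guess_success(n, scoped=True):.4f}/guess, "
              f"unscoped after 10 guesses {cumulative_success(n, 10):.3f}")
    print("simulated hits, 1000 users, 100 guesses:",
          simulate_table_search(1000, 100))
```

With 1000 users the unscoped lookup gives roughly a 9.5% chance per guess and about a 63% chance after ten guesses, which matches Greg's estimate; the scoped lookup stays at 0.01% per guess no matter how many contacts are imported, which is why binding the PIN to a username (cookie or emailed link) rather than searching for it is the right shape for this design. Rate limiting and lockout on the PIN entry are still needed on top of that.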