As I understand it - that's exactly the same security as the original solution provides. Enter any 4-digit PIN that has been assigned, and you're in. I never said it was a Good Idea - but it's at least as workable and secure as the original solution, with the additional benefit of having a username to go with the PIN (if there are PIN collisions, then the username may be incorrect of course...but context would determine how much worse that is than not having a username to begin with).
--MB

> -----Original Message-----
> From: Discussion of advanced .NET topics. [mailto:ADVANCED-[EMAIL PROTECTED] On Behalf Of Greg Young
> Sent: Thursday, January 03, 2008 4:29 PM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] non authenticated security
>
> > You do have an issue, though, if they don't have the cookie (deleted it,
> > another PC, etc.). You'd have to get their email address and look up
> > their username. Or search for their PIN in the Users/Contacts
> > table...but that'd depend on each of them having a unique PIN which is
> > pretty unlikely (unless there's only 10 or so contacts, I guess).
>
> Wow, that sounds like a really bad idea (the searching of the PIN).
> Let's try attacking it: I delete my cookie, go to the site and enter a
> PIN (either I get in or I don't :))
>
> Let's assume a small user base of 1000 users ... still a 10% chance
> per try (those add up quick :))
>
> Cheers,
>
> Greg
>
> On Jan 3, 2008 1:10 PM, Mark Brackett <[EMAIL PROTECTED]> wrote:
> > Since you have an email address, you can do the whole send an email,
> > click a link in the email and create your PIN. You'd use the PIN as
> > their password, and generate them a username. Set a persistent cookie
> > with their username (encrypted would be good).
> >
> > Upon returning to the login page, you'd see that they had the cookie and
> > show them only the password textbox (calling it PIN entry or something).
> > When they filled that out, you'd verify their username (from cookie) and
> > password (PIN) manually via the FormsAuthentication class.
> >
> > You do have an issue, though, if they don't have the cookie (deleted it,
> > another PC, etc.). You'd have to get their email address and look up
> > their username. Or search for their PIN in the Users/Contacts
> > table...but that'd depend on each of them having a unique PIN which is
> > pretty unlikely (unless there's only 10 or so contacts, I guess).
> >
> > --MB
> >
> > > -----Original Message-----
> > > From: Discussion of advanced .NET topics. [mailto:ADVANCED-[EMAIL PROTECTED] On Behalf Of Paul Cowan
> > > Sent: Thursday, January 03, 2008 10:54 AM
> > > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> > > Subject: [ADVANCED-DOTNET] non authenticated security
> > >
> > > Hi all, I am migrating an ASP app. to ASP.NET and have spotted a
> > > potential security hole.
> > > Most of the app. I am securing with Forms authentication, but as it stands
> > > they have another requirement whereby users who are just contacts who
> > > exist in the system without a username or password can access certain
> > > parts of the site which are sensitive. They have been entered in the
> > > system by importing an Excel or SAP feed. They have not been created
> > > via the system and as such do not have usernames or passwords.
> > > The way things stand at the minute, the user gets redirected to a page
> > > where they create a 4-digit PIN number which allows them to access the
> > > system via another page.
> > > This seems terrible to me.
> > > Can anyone think of a better way of handling this situation?
> > > Cheers
> > > [EMAIL PROTECTED]
> > > _________________________________________________________________
> > > Telly addicts unite!
> > > http://www.searchgamesbox.com/tvtown.shtml
> > > ===================================
> > > This list is hosted by DevelopMentor(r) http://www.develop.com
> > >
> > > View archives and manage your subscription(s) at
> > > http://discuss.develop.com
>
> --
> Studying for the Turing test
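The guessing odds Greg and Mark argue over can be made concrete. The following is an added example, not code from the thread or from any of its participants; the 4-digit PIN space and the 1000-user base come from Greg's message, while the assumptions that every PIN is chosen uniformly at random, that the PINs in use are all distinct, and that the attacker never repeats a guess are ours. It compares the "search for the PIN in the table" design with the username-plus-PIN design and adds the birthday bound behind Mark's "PIN collisions" remark.

```python
"""Guessing-risk model for the two login designs discussed in the thread.

Added example, not code from the mailing list. Figures (4-digit PIN,
1000 users) are Greg's; the modelling assumptions below are ours.
"""
from fractions import Fraction
from math import comb

PIN_SPACE = 10_000  # 4-digit PIN: 0000..9999


def p_success_pin_only(users: int, guesses: int, pin_space: int = PIN_SPACE) -> Fraction:
    """Chance that at least one of `guesses` distinct PIN guesses matches *some*
    user when the site looks the PIN up across the whole Users/Contacts table
    with no username. Assumes the `users` PINs in use are all distinct, which is
    the case behind Greg's "10% per try" figure for 1000 users."""
    if not 0 <= guesses <= pin_space or not 0 <= users <= pin_space:
        raise ValueError("guesses and users must lie in [0, pin_space]")
    # P(no hit) = C(pin_space - users, guesses) / C(pin_space, guesses)
    return 1 - Fraction(comb(pin_space - users, guesses), comb(pin_space, guesses))


def p_success_username_pin(guesses: int, pin_space: int = PIN_SPACE) -> Fraction:
    """Same attacker against the username-plus-PIN design (username from the
    cookie, PIN checked against that one account): exactly one PIN is valid,
    so the chance is guesses / pin_space."""
    return p_success_pin_only(1, guesses, pin_space)


def guesses_for(target, users: int, pin_space: int = PIN_SPACE) -> int:
    """Smallest number of distinct guesses giving success probability >= target.
    Walks the running product of 'miss' probabilities instead of calling comb()
    each time, so the search stays cheap even when thousands of guesses are needed."""
    if not 0 <= target <= 1:
        raise ValueError("target must be a probability")
    if not 1 <= users <= pin_space:
        raise ValueError("need at least one valid PIN")
    p_miss = Fraction(1)
    for k in range(pin_space + 1):
        if 1 - p_miss >= target:
            return k
        # k-th guess misses with probability (remaining non-PIN values)/(remaining values)
        p_miss *= Fraction(pin_space - users - k, pin_space - k)
    return pin_space


def p_pin_collision(users: int, pin_space: int = PIN_SPACE) -> Fraction:
    """Chance that at least two of `users` randomly chosen PINs coincide
    (birthday bound). A PIN-only lookup cannot tell colliding users apart,
    which is the collision problem Mark mentions."""
    p_all_distinct = Fraction(1)
    for i in range(min(users, pin_space + 1)):
        p_all_distinct *= Fraction(pin_space - i, pin_space)
    return 1 - p_all_distinct


if __name__ == "__main__":
    users = 1000
    print(f"{users} users, {PIN_SPACE} possible PINs")
    print(f"{'guesses':>8} {'PIN-only lookup':>16} {'username+PIN':>14}")
    for k in (1, 5, 10, 50):
        print(f"{k:>8} {float(p_success_pin_only(users, k)):>16.3f} "
              f"{float(p_success_username_pin(k)):>14.4f}")
    print("guesses for a 50% chance, PIN-only:", guesses_for(Fraction(1, 2), users))
    print("guesses for a 50% chance, username+PIN:", guesses_for(Fraction(1, 2), 1))
    print("probability two users share a PIN:", float(p_pin_collision(users)))
```

The table makes the asymmetry plain: against the PIN-only lookup an attacker needs about seven tries for an even chance of landing in someone's account, against username-plus-PIN about five thousand. The second design also has a handle for the usual mitigations, since the username identifies an account before the PIN is checked and lockout or throttling can be applied per account; the PIN-only lookup names no account until a guess succeeds, so it can only be throttled by source, and with 1000 random 4-digit PINs a collision is a near certainty.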