darrel
We have a home grown CMS in our organization that I decided to update at 5pm
only to find a gigantic security bug in it.
Here's the deal:
The original programmer created the security for the CMS. When a person logs
in, they're authenticated against the DB and then pertinent info regarding
their permission levels is saved into a cookie on their machine.
We then have a class/usercontrol that loads on every page of the CMS that
reads this data from the cookie to establish their security credentials.
Here's how it was originally written:
------------------------------------
Public Class SecureUsers
    Public Shared su_strUser As String
    Public Shared su_strEmail As String
    Public Shared su_intDistrict As Integer
    Public Shared su_intAdminLevel As Integer
    Public Shared su_categories As String
    Public Shared su_strDistrict As String

    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
        InitializeComponent()
        If Not Request.Cookies("CMSUser") Is Nothing Then
            su_strUser = Server.HtmlEncode(Request.Cookies("CMSUser")("su_strUser"))
            su_strDistrict = Server.HtmlEncode(Request.Cookies("CMSUser")("su_strDistrict"))
            su_intDistrict = Server.HtmlEncode(Request.Cookies("CMSUser")("su_intDistrict"))
            su_strEmail = Server.HtmlEncode(Request.Cookies("CMSUser")("su_strEmail"))
            su_categories = Server.HtmlEncode(Request.Cookies("CMSUser")("su_categories"))
            su_intAdminLevel = Server.HtmlEncode(Request.Cookies("CMSUser")("su_intAdminLevel"))
        End If
    End Sub
End Class
------------------------------------
Then, on every page of the CMS that loads the above control, we grab the
variables as needed such as:
username = secureusers.su_strUser
Now, you can probably see what is wrong with the above. The variables were
all set to public SHARED--which means the variables were shared at the class
level rather than the instance of the class. As such, the data was being
cross-written from thread to thread. One person would log in, start editing,
another would log in, and then when the first person saved, the other
person's credentials were saved instead.
Since I'm not really an OOP expert, it took me a bit and then I realized I
needed to get rid of the SHARED modifier.
So, I did that, and now I'm trying to get the data by creating an instance
first:
Dim theSecureUser As New SecureUsers
username = theSecureUser.su_strUser
Now...THE PROBLEM: This just returns null values. No error, just no value.
WHY!?
Bigger question:
For now, I'm just trying to duct-tape the above for the weekend so that I
can go home. But come Monday, I'm going to have to start rewriting this.
What's the better way to handle it? Obviously, writing the credentials in
the cookie, itself, is dumb. Is it better to use session state? Another
method?
-Darrel
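Added example (editor's code, not Darrel's CMS) showing the shape of the rewrite the post asks about. Two points it demonstrates: first, a control created with `New` is never added to the page's control tree, so its `Page_Init` never fires and the instance fields stay at their defaults, which is why the instance version returns nothing; second, any value read from a cookie is under the browser's control, so an admin level stored there can be edited by whoever holds the cookie. The version below keeps the DB-verified permissions in server-side Session state, where only the opaque session id travels to the client, and reaches them through a per-request accessor. The `Shared` members here hold no state, so they do not reintroduce the cross-user bug. The login URL `~/Login.aspx`, the session key name and the class and field names are assumptions.

```vbnet
' Added example (editor's code, not Darrel's CMS): the permission data lives in
' server-side Session state, never in a client-editable cookie, and is reached
' through a per-request accessor instead of Shared (static) fields.
Imports System.Web
Imports System.Web.SessionState

' What the database said about the user when the login was verified.
' ReadOnly fields: nothing after login can quietly rewrite a user's rights.
Public Class CmsPrincipal
    Public ReadOnly UserName As String
    Public ReadOnly Email As String
    Public ReadOnly DistrictId As Integer
    Public ReadOnly DistrictName As String
    Public ReadOnly AdminLevel As Integer
    Public ReadOnly Categories As String

    Public Sub New(userName As String, email As String, districtId As Integer,
                   districtName As String, adminLevel As Integer, categories As String)
        Me.UserName = userName
        Me.Email = email
        Me.DistrictId = districtId
        Me.DistrictName = districtName
        Me.AdminLevel = adminLevel
        Me.Categories = categories
    End Sub
End Class

Public Class SecureUsers
    Private Const SessionKey As String = "CMSUser"   ' assumed key name

    ' Call once from the login page, only after the DB lookup succeeded.
    ' The browser receives just the opaque ASP.NET session id; the admin level
    ' and district stay on the server, so the user cannot edit them.
    Public Shared Sub SignIn(session As HttpSessionState, principal As CmsPrincipal)
        session.Clear()                 ' drop anything left over from an earlier login
        session(SessionKey) = principal
    End Sub

    Public Shared Sub SignOut(session As HttpSessionState)
        session.Remove(SessionKey)
        session.Abandon()
    End Sub

    ' Shared is harmless here because the property stores nothing: it reads
    ' the Session that belongs to the request currently being handled, so
    ' two users on two threads can never see each other's values.
    Public Shared ReadOnly Property Current As CmsPrincipal
        Get
            Dim ctx As HttpContext = HttpContext.Current
            If ctx Is Nothing OrElse ctx.Session Is Nothing Then Return Nothing
            Return TryCast(ctx.Session(SessionKey), CmsPrincipal)
        End Get
    End Property

    ' Per-page guard: anonymous users go to the login page (assumed path),
    ' under-privileged users get a 403 instead of the requested page.
    Public Shared Function Require(minimumAdminLevel As Integer) As CmsPrincipal
        Dim user As CmsPrincipal = Current
        If user Is Nothing Then
            HttpContext.Current.Response.Redirect("~/Login.aspx", True)   ' assumed login URL
            Return Nothing
        End If
        If user.AdminLevel < minimumAdminLevel Then
            Throw New HttpException(403, "Insufficient privileges")
        End If
        Return user
    End Function
End Class

' On any CMS page, in place of reading secureusers.su_strUser:
'   Dim user As CmsPrincipal = SecureUsers.Require(1)
'   username = user.UserName
```

With this layout a page never touches a control's fields at all: it asks `SecureUsers.Current` (or `Require`) for the principal of the request it is serving, and the only thing the client can tamper with is the session id, which grants nothing by itself.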