
OWAS Security

From: Tansel Ozkan <tansel_at_openix.com>
Date: Wed, 25 Nov 1998 13:12:36 -0500
Message-ID: <365C4894.498@openix.com>


Hello all,

We are developing a secure site with sensitive information using OWAS. One thing we have noticed is that if we implement security by passing username/password as a parameter to each procedure, another person can view the source code of the HTML page to see what parameters are passed and the values of these parameters if they get access to the user's machine.

I remember reading somewhere that now in OWAS 3.0 it is possible to disallow any access to certain pages directly. So, the only way to access these pages is through previous pages, this way making sure that each user first visits the login page. Does anybody know how to implement this?

Another possible solution is, I guess, to assign an encrypted unique sessionid to each session based on the IP address and the login time. Then at each page, check to see if the sessionid matches the IP address and the login time of the user. Of course, using a proxy, the IP address can also be faked and the time difference could be taken care of also. An additional level of security would be using cookies. I guess with all these implemented, it would be pretty hard to break into the site.

I would like to hear from anybody with ideas/experiences on this issue..

Thanks..

Tansel

Received on Wed Nov 25 1998 - 12:12:36 CST
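
A sketch of the session-id idea raised in the post, added here as an example and not part of the original message or of OWAS itself: after login the server issues a token bound to the client IP and login time and checks it on every page, so the username/password never appears in page parameters. It signs the token with an HMAC instead of encrypting it; the names `SERVER_KEY`, `MAX_AGE`, `issue_session` and `check_session` are hypothetical, and the token is assumed to travel in a cookie.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the browser
MAX_AGE = 30 * 60                     # assumption: a session is valid for 30 minutes after login


def _sign(payload):
    """HMAC-SHA256 over the token payload, keyed with the server secret."""
    return hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_session(client_ip, now=None):
    """Call once, after the login page has verified the password."""
    login_time = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)     # random part: unique and unguessable per session
    payload = f"{nonce}|{client_ip}|{login_time}"
    return f"{payload}|{_sign(payload)}"


def check_session(token, client_ip, now=None):
    """Call at the top of every protected page; True only for a valid session."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return False
    nonce, ip, login_time, sig = parts
    expected = _sign(f"{nonce}|{ip}|{login_time}")
    # Constant-time comparison; a forged or edited token fails here.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return False
    # The fields are authentic from this point on, so int() is safe.
    if not 0 <= now - int(login_time) <= MAX_AGE:
        return False                  # expired, or timestamp in the future
    # Bind the session to the address it was issued to.
    return hmac.compare_digest(ip.encode("utf-8"), client_ip.encode("utf-8"))
```

Because the IP and login time are covered by the signature, a client cannot edit either field; the IP binding still does not distinguish users behind the same proxy, as the post notes.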
