Are there drawbacks to Cookieless Sessions

Discussion in 'ASP .Net' started by Logician, Sep 18, 2005.

  1. Logician

    Logician Guest

    I am working with cookieless sessions and I can't see any disadvantages,
    especially if HTTP cookies are also used if the browser can support
    them.

    Several sites, e.g. groups.google.com, require HTTP cookies and I am
    unsure why that is.

    Can anyone throw any light on this?
    Logician, Sep 18, 2005
    #1
  2. They can be a security risk particularly if you allow posting
    of links on your web site. If someone were to click one
    of those links, that web site could retrieve the session id
    from the HTTP_REFERER and use it to "take over"
    an active session.

    I have tested this myself and it is incredibly easy
    to duplicate successfully.

    --
    Robbe Morris - 2004/2005 Microsoft MVP C#
    Free Source Code for ADO.NET Object Mapper To DataBase Tables And Stored
    Procedures
    http://www.eggheadcafe.com/articles/adonet_source_code_generator.asp




    "Logician" <> wrote in message
    news:...
    >I am working with cookieless sessions and I can't see any disadvantages,
    > especially if HTTP cookies are also used if the browser can support
    > them.
    >
    > Several sites, e.g. groups.google.com, require HTTP cookies and I am
    > unsure why that is.
    >
    > Can anyone throw any light on this?
    >
    Robbe Morris [C# MVP], Sep 18, 2005
    #2
  3. Logician

    WJ Guest

    "Robbe Morris [C# MVP]" <> wrote in message
    news:...
    >
    > I have tested this myself and it is incredibly easy to duplicate
    > successfully.
    >


    You may be able to avoid this so called "session hijack" by allowing only
    one (1) location per sessionID (whoever gets on 1st will be considered
    legit).

    John
    WJ, Sep 18, 2005
    #3
  4. John,

    But what identifies a single location? So many people are behind proxy
    servers that one user may easily look like another. At work there are over
    one thousand of us and to a website it looks like we're all at the exact
    same address...

    --
    Sincerely,

    S. Justin Gengo, MCP
    Web Developer / Programmer

    www.aboutfortunate.com

    "Out of chaos comes order."
    Nietzsche
    "WJ" <> wrote in message
    news:...
    >
    > "Robbe Morris [C# MVP]" <> wrote in message
    > news:...
    >>
    >> I have tested this myself and it is incredibly easy to duplicate
    >> successfully.
    >>

    >
    > You may be able to avoid this so called "session hijack" by allowing only
    > one (1) location per sessionID (whoever gets on 1st will be considered
    > legit).
    >
    > John
    >
    >
    S. Justin Gengo, Sep 19, 2005
    #4
  5. Logician

    WJ Guest

    "S. Justin Gengo" <sjgengo@[no_spam_please]aboutfortunate.com> wrote in
    message news:...
    > John,
    >
    > But what identifies a single location? So many people are behind proxy
    > servers that one user may easily look like another. At work there are over
    > one thousand of us and to a website it looks like we're all at the exact
    > same address...
    >


    I did say "may be" in the previous reply. In your case, it may not be
    possible because your company may have NAT (?) or something similar to fake
    or disguise the client IP. However, in my case, I know each client is
    assigned a unique IP address by DHCP. In summary, as long as you can find a
    unique identifier to identify who your clients are, it is not impossible to
    implement.

    John
    WJ, Sep 19, 2005
    #5
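    The two mechanisms discussed above, as an added example that is not code from any of the posters: first, what a third-party site learns from the Referer header when the session id travels in the URL (post #2); second, the "whoever gets on first" binding of a session id to a client address (posts #3 and #5), replayed over constructed access-log lines so that the proxy/NAT limitation from post #4 shows up as an accepted request that should not have been. The `/(S(<id>))/` path shape, the host name `app.example`, the addresses and the session ids are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed URL shape for ASP.NET cookieless sessions: the session id is carried
# in the path as /(S(<id>))/ directly under the application root. The shape is
# an assumption of this example, not something the thread itself states.
COOKIELESS_RE = re.compile(r"/\(S\(([A-Za-z0-9]+)\)\)/")


def session_id_from_path(path):
    """Return the session id embedded in a request path, or None."""
    match = COOKIELESS_RE.search(path)
    return match.group(1) if match else None


def session_id_from_referer(referer):
    """What an external site learns from the Referer header when a user follows
    a link off a page whose URL carries the session id (the leak in post #2)."""
    if not referer:
        return None
    return session_id_from_path(urlsplit(referer).path)


class SessionBinder:
    """Pin each session id to the client address that first presented it
    (post #3's rule). A later request that presents the same id from a
    different address is refused."""

    def __init__(self):
        self._owner = {}  # session id -> client address first seen

    def accepts(self, session_id, client_addr):
        owner = self._owner.setdefault(session_id, client_addr)
        return owner == client_addr


def replay(log_lines, binder=None):
    """Replay constructed access-log lines of the form '<client_addr> <path>'
    and return one verdict per line: 'accept', 'reject' or 'no-session'."""
    binder = binder or SessionBinder()
    verdicts = []
    for line in log_lines:
        client_addr, path = line.split(None, 1)
        sid = session_id_from_path(path)
        if sid is None:
            verdicts.append("no-session")
        elif binder.accepts(sid, client_addr):
            verdicts.append("accept")
        else:
            verdicts.append("reject")
    return verdicts


# Constructed sample log: the legitimate user, an outsider who obtained the id
# from a Referer, and two different users sharing one NAT address.
SAMPLE_LOG = [
    "10.0.0.5 /(S(k3l2m9q8r7s6t5u4v3w2x1y0))/inbox.aspx",      # first seen: bound
    "10.0.0.5 /(S(k3l2m9q8r7s6t5u4v3w2x1y0))/read.aspx?id=7",  # same client: ok
    "203.0.113.9 /(S(k3l2m9q8r7s6t5u4v3w2x1y0))/inbox.aspx",   # other address: refused
    "198.51.100.1 /(S(a1b2c3d4e5f6g7h8i9j0k1l2))/inbox.aspx",  # user A behind NAT
    "198.51.100.1 /(S(a1b2c3d4e5f6g7h8i9j0k1l2))/admin.aspx",  # user B, same NAT: accepted (post #4)
    "10.0.0.7 /login.aspx",                                    # no session id in URL
]

if __name__ == "__main__":
    leaked = session_id_from_referer(
        "http://app.example/(S(k3l2m9q8r7s6t5u4v3w2x1y0))/inbox.aspx?x=1")
    print("id visible to an external site via Referer:", leaked)
    for line, verdict in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{verdict:10s} {line}")
```

    The fifth log line is the point of post #4: the binder cannot tell user B from user A because both arrive from the same NAT address, so the address check only helps where, as in post #5, every client has its own address. Where that is not the case, the check reduces the exposure but does not remove it.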
  6. Logician

    Logician Guest

    Robbe Morris [C# MVP] wrote:
    > They can be a security risk particularly if you allow posting
    > of links on your web site. If someone were to click one
    > of those links, that web site could retrieve the session id
    > from the HTTP_REFERER and use it to "take over"
    > an active session.
    >
    > I have tested this myself and it is incredibly easy
    > to duplicate successfully.
    >


    I have read that Microsoft solutions are littered with security issues,
    and maybe this is an example.

    I do get a lot of complaints from my customers regarding my CPI link
    (payment link to Barclaycard requiring Javascript at the EDPQ site),
    and they complain it won't work due to firewalls.

    The figure for me is about 10-20% of customers. I contacted Barclaycard
    and I was told: "If you don't like it, write your own software - this is
    the MPI service also offered."

    I see a lot of websites making strong assumptions about client systems,
    which are not valid in many cases. I find it incredible that large
    companies will ignore so many Web visitors by coding for only certain
    client systems.

    I was trying to find a solution to handle all clients.
    Logician, Sep 19, 2005
    #6
  7. John,

    Ok, I agree, if the situation warrants it that may be a solution. I wasn't
    trying to say your idea was a bad one. I just wanted Logician to know the
    possible ramifications if the site being worked on is public...

    --
    Sincerely,

    S. Justin Gengo, MCP
    Web Developer / Programmer

    www.aboutfortunate.com

    "Out of chaos comes order."
    Nietzsche
    "WJ" <> wrote in message
    news:OX$...
    > "S. Justin Gengo" <sjgengo@[no_spam_please]aboutfortunate.com> wrote in
    > message news:...
    >> John,
    >>
    >> But what identifies a single location? So many people are behind proxy
    >> servers that one user may easily look like another. At work there are
    >> over one thousand of us and to a website it looks like we're all at the
    >> exact same address...
    >>

    >
    > I did say "may be" in the previous reply. In your case, it may not be
    > possible because your company may have NAT (?) or something similar to fake
    > or disguise the client IP. However, in my case, I know each client is
    > assigned a unique IP address by DHCP. In summary, as long as you can find
    > a unique identifier to identify who your clients are, it is not impossible
    > to implement.
    >
    > John
    >
    >
    S. Justin Gengo, Sep 19, 2005
    #7