ASP.Net 1.1 cookieless session security issue?

Discussion in 'ASP .Net Security' started by Stefan Hoffmann, Sep 28, 2005.

  1. Hello everyone!

    We are developing a webshop in asp.net. We did not want to use cookies
    for session management, so we tried cookieless sessions.


    This changes the URL requested to something like


    http://.../WebApplication3/(xwa4n4a3cr45h2idog25v355)/WebForm1.aspx


    Well, this -> (xwa4n4a3cr45h2idog25v355) is the session id. Someone
    sniffing on the net can easily obtain this request and use it from
    another computer. As long as the session still exists this someone will
    have full access to all the user's information at this moment. I thought
    at least it should be bound to an IP to prevent such attacks from other
    networks than the one the user is using at the moment.


    Another not really nice behaviour of the cookieless session management
    is that you can reuse (or maybe better: inject?) session ids. When the
    session has already expired and you use a link with a session id,
    asp.net will create a new session - but use the old id.
    Now - you can imagine what happens if someone posts such a link into a
    forum or something (to e.g. show all his friends that there is a
    wonderful cheap and extremely useful article in the webshop). They will
    be shopping in a group (hey - nice feature :/)...
    Additionally I don't have a clue how to prevent these ids from being
    bookmarked. I don't really want every user in the shop to have his or her
    own private session id.


    Any proposals how to circumvent these problems?
    Maybe I just configured something really wrong?


    Thanks in advance,
    Stefan Hoffmann
    PS: If you don't understand my English, ask and I will try to explain.
     
    Stefan Hoffmann, Sep 28, 2005
    #1

  2. In article <>, s.hoffmann@d-s-a-g.de says...
    > Hello everyone!
    >
    > We are developing a webshop in asp.net. We did not want to use cookies
    > for session management, so we tried cookieless sessions.
    >
    >

    This is a well-known shortcoming. At the last PDC in Los Angeles this
    was demonstrated by Microsoft employees themselves. It's very easy for
    someone to fake a session-id and suddenly find himself in someone else's
    session. That's not what we want!

    There is a good article on this at
    http://www.developer.com/net/vb/article.php/2216431 where you can find
    more information about this and how to prevent this from happening. It's
    a good article so I won't try to replicate it here. Just read it :) (No,
    I am not the author of that article nor do I get paid for advertising
    it)

    Good luck!
     
    Dennis Vroegop, Sep 28, 2005
    #2
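
The two behaviours raised in this thread (a live session id replayed from another machine, and an expired id from a shared or bookmarked link being adopted again) can be modelled outside ASP.NET. The following is an added example, not code from either poster or from ASP.NET itself: a small Python session store that parses the cookieless URL form quoted in the first post, never adopts an id it did not issue, and binds each session to the client address. The class name, the 20-minute timeout and the status strings are assumptions.

```python
import re
import secrets
import time

# Cookieless URL form from the post: /App/(xwa4n4a3cr45h2idog25v355)/Page.aspx
SID_IN_PATH = re.compile(r"/\(([a-z0-9]{24})\)/")
TTL = 20 * 60  # assumed idle timeout in seconds


class StrictSessionStore:
    """Model store: only ids minted here, unexpired, and from the same address resume."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # sid -> {"ip": str, "expires": float, "data": dict}

    def _issue(self, ip):
        sid = secrets.token_hex(12)  # 24 characters from a CSPRNG
        self._sessions[sid] = {"ip": ip, "expires": self._now() + TTL, "data": {}}
        return sid

    def resolve(self, path, ip):
        """Return (session_id, status) for a request path and client address."""
        match = SID_IN_PATH.search(path)
        if match is None:
            return self._issue(ip), "issued"
        presented = match.group(1)
        record = self._sessions.get(presented)
        if record is None or record["expires"] <= self._now():
            # Unknown or expired id (a bookmarked or forum-posted link):
            # never adopt it, mint a fresh one instead.
            self._sessions.pop(presented, None)
            return self._issue(ip), "regenerated"
        if record["ip"] != ip:
            # Valid id replayed from another address: refuse, but leave the
            # owner's session intact. Users behind a shared proxy or NAT
            # still look identical, so this narrows the risk, not removes it.
            return None, "rejected"
        record["expires"] = self._now() + TTL
        return presented, "resumed"
```

Address binding does nothing against an observer on the same network as the user, so transport encryption is still needed to keep the id out of sniffed traffic.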