asp.net cookie security

Discussion in 'ASP .Net' started by smurph, Nov 1, 2006.

  1. smurph

    smurph Guest

    In ASP, when we authenticate a user we insert a record in a table
    containing data such as the client IP address and session id. The
    session id representing this record in the database is appended to the
    query string for each request. When a request is processed, the session
    data in the database is compared to the client's session id and IP
    address, and if it does not match then access is denied. This approach
    prevents cookies being stolen or sessions hijacked from another
    computer.

    This solution seems to be implemented in many classic ASP sites, but I
    have not seen a single asp.net site that has some kind of sessionID
    appended in the query string for all requests. Does asp.net have some
    extra security that makes this idea obsolete?
    smurph, Nov 1, 2006
    #1

  2. You can use the cookieless sessions, which will append SessionID to the
    URL, but that does not sound like what you are talking about.

    As far as the second question goes, ASP.NET is more secure than ASP, but
    there is nothing to stop hijacked session cookies. It is a rare hack,
    however, as there are far too many houses that have the doors wide open.
    Instituting SSL will eliminate the need, as well, as the session cookie is
    part of an encrypted stream.

    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA
    http://gregorybeamer.spaces.live.com

    *************************************************
    Think outside of the box!
    *************************************************
    "smurph" <> wrote in message
    news:...
    > In ASP, when we authenticate a user we insert a record in a table
    > containing data such as the client ip address and session id, the
    > session id representing this record in the database is appended to the
    > query string for each request. When a request is processed the session
    > data in the database is compared to the clients session id and ip
    > address and if it does not match then its access denied. This approach
    > prevents cookies being stolen or sessions hijacked from another
    > computer.
    >
    > This solution seems to be implemented in many classic ASP sites, but I
    > have not seen a single asp.net site that has some kind of sessionID
    > appended in the query string for all requests. Does asp.net have some
    > extra security that makes this idea obsolete?
    >
    Cowboy \(Gregory A. Beamer\), Nov 1, 2006
    #2

  3. Also, storing the client IP address only works on local LANs with no
    proxies/firewalls. With proxy servers (and NAT translation), several users
    will have the same IP address, or the client's IP address may change on
    different requests.

    -- bruce (sqlwork.com)


    "Cowboy (Gregory A. Beamer)" <> wrote in
    message news:OaawSsc$...
    > You can use the cookieless sessions, which will append SessionID to the
    > URL, but that does not sound like what you are talking about.
    >
    > As far as the second question goes, ASP.NET is more secure than ASP, but
    > there is nothing to stop hijacked session cookies. It is a rare hack,
    > however, as there are far too many houses that have the doors wide open.
    > Instituting SSL will eliminate the need, as well, as the session cookie is
    > part of an encrypted stream.
    >
    > --
    > Gregory A. Beamer
    > MVP; MCP: +I, SE, SD, DBA
    > http://gregorybeamer.spaces.live.com
    >
    > *************************************************
    > Think outside of the box!
    > *************************************************
    > "smurph" <> wrote in message
    > news:...
    >> In ASP, when we authenticate a user we insert a record in a table
    >> containing data such as the client ip address and session id, the
    >> session id representing this record in the database is appended to the
    >> query string for each request. When a request is processed the session
    >> data in the database is compared to the clients session id and ip
    >> address and if it does not match then its access denied. This approach
    >> prevents cookies being stolen or sessions hijacked from another
    >> computer.
    >>
    >> This solution seems to be implemented in many classic ASP sites, but I
    >> have not seen a single asp.net site that has some kind of sessionID
    >> appended in the query string for all requests. Does asp.net have some
    >> extra security that makes this idea obsolete?
    >>
    >
    bruce barker \(sqlwork.com\), Nov 1, 2006
    #3
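The scheme smurph describes (a server-side session record looked up by an id carried on the query string and checked against the client address) and the failure mode bruce raises (shared or changing addresses behind proxies and NAT) can both be shown with a small simulation. The code below is an added example written for this thread, not code from any of the posters or from ASP/ASP.NET; it is in Python rather than VBScript or C# because the logic is independent of the web framework. The `SessionStore`, `SessionRecord` and `extract_session_id` names, the `sid` query parameter and the IP addresses are all constructed for the example.

```python
# Added example (not code from the thread or from ASP/ASP.NET): a minimal
# server-side session store that can optionally bind a session to the client
# address, with scenarios showing where that binding helps and where it
# locks out legitimate users behind a proxy pool or NAT.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class SessionRecord:
    """One row of the hypothetical session table the original poster describes."""
    user: str
    client_ip: str        # address seen at login
    bound_to_ip: bool     # enforce client_ip on every later request?


class SessionStore:
    """In-memory stand-in for the database table; the interface is an assumption."""

    def __init__(self) -> None:
        self._records: Dict[str, SessionRecord] = {}

    def create(self, user: str, client_ip: str, bind_ip: bool) -> str:
        # The id must be unguessable; 32 random bytes from the OS CSPRNG is plenty.
        sid = secrets.token_urlsafe(32)
        self._records[sid] = SessionRecord(user, client_ip, bind_ip)
        return sid

    def validate(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid (id, address) pair, else None (access denied)."""
        rec = self._records.get(sid)
        if rec is None:
            return None
        if rec.bound_to_ip and rec.client_ip != client_ip:
            return None
        return rec.user


def extract_session_id(url: str, param: str = "sid") -> Optional[str]:
    """Pull the session id from the query string, as the classic-ASP scheme does.
    Exactly one value is required; a missing or duplicated parameter yields None."""
    values = parse_qs(urlparse(url).query).get(param, [])
    return values[0] if len(values) == 1 else None


def hijack_scenario() -> Dict[str, Optional[str]]:
    """A copied session id presented from another address is rejected when bound."""
    store = SessionStore()
    sid = store.create("alice", "203.0.113.10", bind_ip=True)   # constructed addresses
    return {
        "same_ip": store.validate(sid, "203.0.113.10"),
        "other_ip": store.validate(sid, "198.51.100.7"),
        "unknown_id": store.validate("not-a-real-id", "203.0.113.10"),
    }


def proxy_pool_scenario() -> Dict[str, Optional[str]]:
    """bruce's point: a legitimate user whose proxy egress address changes between
    requests is locked out by the binding; an unbound session still works."""
    bound, unbound = SessionStore(), SessionStore()
    sid_b = bound.create("alice", "203.0.113.10", bind_ip=True)
    sid_u = unbound.create("alice", "203.0.113.10", bind_ip=False)
    next_hop = "203.0.113.11"   # same user, different proxy in the pool (constructed)
    return {
        "bound": bound.validate(sid_b, next_hop),
        "unbound": unbound.validate(sid_u, next_hop),
    }


if __name__ == "__main__":
    print(hijack_scenario())
    print(proxy_pool_scenario())
    print(extract_session_id("https://example.test/page.asp?sid=abc123&page=2"))
```

Running the module prints the two scenario dictionaries: the bound session rejects the foreign address and the unknown id, but it also rejects the same user arriving from the next proxy in the pool, which is the trade-off the thread is describing. Carrying the id on the query string, as in the classic-ASP approach, also means it lands in server logs, browser history and Referer headers, so the cookie plus TLS path Gregory mentions is the more common choice today.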
