Cookieless Sessions (Sessions Without Cookies) and Security

Discussion in 'ASP .Net Security' started by scottymo, Sep 29, 2006.

  1. scottymo

    scottymo Guest

    My research to this point indicates that cookieless sessions have two
    main drawbacks:
    1.) Absolute paths cannot be used without a workaround for the session
    id storage in the URL.

    2.) A security hole is opened due to the visibility of the session id
    in the URL.

    Are there any other drawbacks?

    Number 2 is my main concern. To overcome the security risk with
    cookieless sessions, couldn't I simply track the initial IP of the
    client, and verify that against all requests? That way, if someone on
    another box tried to spoof the session, I would be able to kick them
    out due to the IP difference.

    Thoughts? Other possible solutions to the security risk with cookieless
    sessions?
     
    scottymo, Sep 29, 2006
    #1

  2. IP tracking is not reliable - proxies and routers can change the source IP
    - even while working with the application.

    You have to live with that problem.

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > My research to this point indicates that cookieless sessions have two
    > main drawbacks:
    > 1.) Absolute paths cannot be used without a workaround for the session
    > id storage in the URL.
    > 2.) A security hole is opened due to the visibility of the session id
    > in the URL.
    >
    > Are there any other drawbacks?
    >
    > Number 2 is my main concern. To overcome the security risk with
    > cookieless sessions, couldn't I simply track the initial IP of the
    > client, and verify that against all requests? That way, if someone on
    > another box tried to spoof the session, I would be able to kick them
    > out due to the IP difference.
    >
    > Thoughts? Other possible solutions to the security risk with
    > cookieless sessions?
    >
     
    Dominick Baier, Sep 29, 2006
    #2

  3. scottymo

    scottymo Guest

    Thanks for the quick reply.

    Some suggest that SSL is the cure-all for cookieless sessions. I did
    not want to do this initially, but if it will allow the secure use of
    cookieless sessions, it may be the only option. What are your thoughts?
    Does SSL close the security gaps opened by cookieless sessions, or at
    least make them as secure as sessions with cookies?

    Here is another thought: are sessions with cookies really that much
    more secure than cookieless sessions? If someone knows how to obtain
    your URL from a remote location, that same person can probably spoof
    your cookie.
     
    scottymo, Sep 29, 2006
    #3
  4. You always have to use SSL if you care about the data on the wire!

    If someone can sniff your connection (no SSL) - there is no difference between
    cookies and cookieless security-wise.

    Cookieless sessions have different (additional) problems:

    - session fixation (someone sends you a link with a pre-generated session)
    - users copy & paste session URLs and send them, e.g. via mail
    - the id is visible in the browser (screenshots etc.)

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > Thanks for the quick reply.
    >
    > Some suggest that SSL is the cure-all for cookieless sessions. I did
    > not want to do this initially, but if it will allow the secure use of
    > cookieless sessions, it may be the only option. What are your
    > thoughts? Does SSL close the security gaps opened by cookieless
    > sessions, or at least make them as secure as sessions with cookies?
    >
    > Here is another thought: are sessions with cookies really that much
    > more secure than cookieless sessions? If someone knows how to obtain
    > your URL from a remote location, that same person can probably spoof
    > your cookie.
    >
     
    Dominick Baier, Sep 30, 2006
    #4
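The session-fixation point in the reply above (a link carrying a pre-generated session id) comes down to two server-side properties: whether the server honours a session id it never issued, and whether it rotates the id when the user authenticates. The following is an added, self-contained Python model written to illustrate those two properties; it is not ASP.NET's session implementation and nothing in it comes from the thread's participants. The store, the two resolution policies and the `fixation_outcome` simulation are all hypothetical names chosen for this example.

```python
"""Model of URL-carried ("cookieless") sessions: adopting an unknown id
versus honouring only server-issued ids, with and without rotating the
id at login. Hypothetical example code, not ASP.NET's implementation."""
import secrets
import time

SESSION_TTL_SECONDS = 20 * 60  # assumed idle timeout for the example


class SessionStore:
    """Server-side session table keyed by an unguessable id."""

    def __init__(self):
        self._table = {}  # sid -> {"user": str | None, "last_seen": float}

    def _issue(self, user=None):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._table[sid] = {"user": user, "last_seen": time.time()}
        return sid

    def new_session(self):
        return self._issue()

    def adopt(self, sid):
        """Start a session under an id chosen outside the server.
        This is the behaviour that enables fixation; kept only so the
        weak policy below can be compared with the strict one."""
        self._table[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def get(self, sid):
        entry = self._table.get(sid)
        if entry is None:
            return None
        if time.time() - entry["last_seen"] > SESSION_TTL_SECONDS:
            del self._table[sid]  # expired: treat as unknown
            return None
        entry["last_seen"] = time.time()
        return entry

    def authenticate(self, sid, user, rotate=True):
        """Mark the session as logged in. With rotate=True the session
        moves to a fresh id, so any id known before login (e.g. one
        embedded in a link the user was sent) no longer refers to the
        authenticated session."""
        entry = self.get(sid)
        if entry is None:
            raise KeyError("unknown or expired session")
        if not rotate:
            entry["user"] = user
            return sid
        del self._table[sid]
        return self._issue(user)


def resolve_session_adopting(store, url_sid):
    """Weak policy: trust whatever id arrives in the URL and open a
    session under it if none exists yet."""
    if url_sid is None:
        return store.new_session()
    if store.get(url_sid) is None:
        store.adopt(url_sid)
    return url_sid


def resolve_session_strict(store, url_sid):
    """Hardened policy: only ids this server issued (and that are still
    live) are honoured; anything else is discarded and replaced."""
    if url_sid is not None and store.get(url_sid) is not None:
        return url_sid
    return store.new_session()


def fixation_outcome(resolve, rotate_on_login):
    """Simulate the scenario from the thread: a third party picks an id,
    the user follows a link carrying it and then logs in. Returns True
    if the pre-chosen id now maps to the logged-in account."""
    store = SessionStore()
    planted = "PLANTED-" + secrets.token_urlsafe(8)   # chosen off-server
    sid = resolve(store, planted)                     # user opens the link
    store.authenticate(sid, "victim", rotate=rotate_on_login)
    entry = store.get(planted)
    return entry is not None and entry["user"] == "victim"


if __name__ == "__main__":
    for policy in (resolve_session_adopting, resolve_session_strict):
        for rotate in (False, True):
            print(policy.__name__, "rotate=%s" % rotate,
                  "fixated" if fixation_outcome(policy, rotate) else "safe")
```

Only the combination "adopt unknown ids" plus "keep the same id across login" ends with the planted id bound to the authenticated user; either refusing unissued ids or rotating at login on its own closes it. Neither property depends on the transport, which is why the reply above treats SSL as necessary (against sniffing) but not sufficient (against fixation and leaked URLs).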