Help - Can I reuse existing session ID from email link?

Discussion in 'ASP .Net Security' started by Nanker, Sep 26, 2006.

  1. Nanker

    Our existing ASP.NET web application does store a session ID in the
    cookies (ASP.Net_SessionID) for a logged in user. A new requirement has
    been stated that we need to be able to send a customer an email with a
    link to a specific page in the application, and if the user clicks on
    the email link while they are logged in to the application, they will
    be taken to that page in the application without having to log in.
    Given this:

    - Is this possible to read the session ID from the cookie for the
    active login and reuse it for this other request?
    - Is it possible to do this within the specific browser with which they
    are already logged in or will a separate browser have to be created?

    I've been trying to read up on the best overall approach to this
    problem, and I thought that asking here would provide good feedback.
    Your response is appreciated.

    Thanks in advance
     
    Nanker, Sep 26, 2006
    #1

  2. sloan

    I don't think you can do that.
    Or at best, it's more drama than it's worth.


    My approach would be:

    generate a guid (System.Guid.NewGuid().ToString())

    Keep a table that maps this guid to a user.

    Have a special page that handles these guid inputs.

    www.myapp.com/EntryPoint/GuidTaker.aspx

    When sending them a URL, do this
    www.myapp.com/EntryPoint/GuidTaker.aspx?loginuuid=aaabbbcccdddeeeaaabbbcccdddeee

    Read the database, find the user, set their credentials, redirect them.

    You might even have:
    www.myapp.com/EntryPoint/GuidTaker.aspx?page=aboutus&loginuuid=aaabbbcccdddeeeaaabbbcccdddeee

    Where you have a few pages (like "aboutus" and it takes you to
    "aboutus.aspx" or something like that).

    Between the cross-browser issue and the fact that SessionIDs (I think) get
    abandoned... I don't think your approach is a good one.


    You can add some logic to GuidTaker.aspx to track subsequent tries, if
    they're trying an attack.

    If security is an issue, then you can use 2 guids.
    www.myapp.com/EntryPoint/GuidTaker.aspx?loginuuid=aaabbbcccdddeeeaaabbbcccdddeee&checkuuid=eeefffeeeaaadddeeeecccdddeeebbbaaa&page=aboutus

    The likelihood of guessing 2 guids has to be out the roof.

    You'll have to clean up the table where you store the guids and the userid
    once in a while.

    But this way, you can give the same user different entry points




     
    sloan, Sep 26, 2006
    #2
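Added example (editor's code, not sloan's and not the thread's application): a hardened form of the GuidTaker.aspx idea above. It keeps sloan's structure (a table that maps a token to a user, an entry page that reads the token, sets credentials and redirects), and adds what a practitioner would want: the token comes from the OS CSPRNG rather than Guid.NewGuid(), only a SHA-256 of it is stored, it is single-use and expires, and the ?page= value is resolved through an allow-list so the entry page never redirects to a caller-supplied URL. The class and method names (EntryLinks, Issue, Redeem), the page keys, and the in-memory dictionary standing in for the database table are all assumptions. It targets ASP.NET 2.0 Forms Authentication.

```csharp
// Added example, not code from the thread. Hardened GuidTaker.aspx: one-time,
// expiring entry tokens bound to a user and to an allow-listed page.
// Assumes ASP.NET 2.0 Forms Authentication. The Dictionary below stands in
// for the database table sloan describes; use that table in a real deployment.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class EntryToken
{
    public string UserName;
    public string PageKey;      // which allow-listed page this link may open
    public DateTime ExpiresUtc;
}

public static class EntryLinks
{
    // Keyed by SHA-256 of the token, so a leaked table does not yield usable links.
    private static readonly Dictionary<string, EntryToken> Store =
        new Dictionary<string, EntryToken>();
    private static readonly object Sync = new object();

    // Only these page keys may appear in the link; never redirect to a raw URL.
    private static readonly Dictionary<string, string> Pages =
        new Dictionary<string, string>();

    static EntryLinks()
    {
        Pages["aboutus"] = "~/aboutus.aspx";          // assumed page keys
        Pages["invoice"] = "~/Account/Invoice.aspx";
    }

    // 32 random bytes from the OS CSPRNG rather than Guid.NewGuid(): a GUID is
    // guaranteed unique, not unpredictable, and sending two of them does not fix that.
    public static string Issue(string userName, string pageKey, TimeSpan lifetime)
    {
        if (!Pages.ContainsKey(pageKey))
            throw new ArgumentException("unknown page key", "pageKey");
        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);
        string token = Base64UrlEncode(raw);
        EntryToken t = new EntryToken();
        t.UserName = userName;
        t.PageKey = pageKey;
        t.ExpiresUtc = DateTime.UtcNow + lifetime;
        lock (Sync) { Store[Hash(token)] = t; }
        return token;   // put this in the loginuuid= parameter of the e-mailed link
    }

    // Returns the user to sign in, or null. The token is deleted on first
    // presentation whether or not it was valid, so a captured link cannot be replayed.
    public static string Redeem(string token, string pageKey, out string redirectTo)
    {
        redirectTo = null;
        if (string.IsNullOrEmpty(token) || string.IsNullOrEmpty(pageKey)) return null;
        lock (Sync)
        {
            string key = Hash(token);
            EntryToken t;
            if (!Store.TryGetValue(key, out t)) return null;
            Store.Remove(key);                                    // single use
            if (DateTime.UtcNow > t.ExpiresUtc) return null;     // expired
            if (t.PageKey != pageKey || !Pages.ContainsKey(pageKey)) return null;
            redirectTo = Pages[pageKey];
            return t.UserName;
        }
    }

    private static string Hash(string s)
    {
        byte[] h = new SHA256Managed().ComputeHash(Encoding.UTF8.GetBytes(s));
        return Convert.ToBase64String(h);
    }

    private static string Base64UrlEncode(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

// Code-behind for EntryPoint/GuidTaker.aspx
public partial class GuidTaker : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string to;
        string user = EntryLinks.Redeem(Request.QueryString["loginuuid"],
                                        Request.QueryString["page"], out to);
        if (user == null)
        {
            // Log Request.UserHostAddress here to spot guessing attempts
            // (sloan's "track subsequent tries"); say nothing about why it failed.
            Response.StatusCode = 404;
            Response.End();
        }
        // Already signed in as this user in this browser: leave the cookie alone.
        // Otherwise issue a non-persistent auth cookie for this browser session.
        // (A different signed-in user is switched to the link's account here;
        // reject instead if that matters for your application.)
        if (!User.Identity.IsAuthenticated || User.Identity.Name != user)
            FormsAuthentication.SetAuthCookie(user, false);
        Response.Redirect(to, true);
    }
}
```

Issue(userName, "aboutus", TimeSpan.FromHours(24)) returns the value to embed as loginuuid=; the entry page then answers the question in the original post directly: if the browser already carries a valid Forms Authentication cookie for that user, nothing about the session is reused or copied, the cookie is simply sent along with the click and the user lands on the page; if it does not, a fresh cookie is set. Nothing here touches ASP.NET_SessionId.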

  3. Göran Andersson

    You can read the value of the cookie and use it, for example to
    compare it to a value previously saved in the database. You cannot use
    the value as session id, though; the user will get a new session id as
    it's a new session.

     
    Göran Andersson, Sep 27, 2006
    #3
