how to prevent security violation when users share URL with cookieless session id?

Discussion in 'ASP .Net Security' started by Liam, Mar 10, 2006.

  1. Liam

    Liam Guest

    We are using cookieless sessions with the session id automatically
    embedded in the URL, e.g.
    http://ourdomain.com(ixbradnm5qmdfwikrt1mcfi3)/somepage.aspx.

    This is an internet application and we're using the anonymous built-in
    ASP.NET system account.

    When an internet user comes to our main page, they provide a username
    and password. We authenticate the username and password by reading a
    record in our SQL Server registration database, and if there's a match,
    we let the user in the door, so to speak. We assign a session variable
    with the person's registrationid from our database, and we also retrieve
    some facts about the user (their employer, their interests, other
    demographic data they've supplied when registering) which allow us to
    dynamically configure content for them. Thus, we want each user's
    session to be unique to that user and not "shareable".

    However, sometimes a user, when they find something of interest on our
    site, will email the URL containing the embedded cookieless session id
    to their colleagues. If their session hasn't timed out and their
    colleagues click on the link, the colleagues end up piggybacking on the
    first user's session, so to speak.

    Is it possible to programmatically identify this scenario so the session
    could be terminated when another user is piggybacking on an existing
    session?

    Is there some built-in authentication appropriate to an app that uses
    the anonymous ASP.NET account, which we could use in addition to the
    validation we perform against our registration database? Something that
    would tie the session id to the first user's browser, so that the same
    session id would simply not work in another browser?

    Thanks
    Liam
     
    Liam, Mar 10, 2006
    #1

  2. Re: how to prevent security violation when users share URL with cookieless session id?

    Hi,

    there is really no watertight way of preventing that - well - besides using
    cookie based sessions. I recently even saw a web page with a cookieless session
    indexed on google :)

    You could add some logic to tie the sessions ID to the IP address - that
    may work for intranet scenarios - but as soon as some NAT device/Proxy/LoadBalancer
    is between the client and the server - you might get wrong results...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > We are using cookieless sessions with the session id automatically
    > embedded in the URL, e.g.
    > http://ourdomain.com(ixbradnm5qmdfwikrt1mcfi3)/somepage.aspx.
    >
    > This is an internet application and we're using the anonymous built-in
    > ASP.NET system account.
    >
    > When an internet user comes to our main page, they provide a username
    > and password. We authenticate the username and password by reading a
    > record in our SQL Server registration database, and if there's a
    > match, we let the user in the door, so to speak. We assign a session
    > variable with the person's registrationid from our database, and we
    > also retrieve some facts about the user (their employer, their
    > interests, other demographic data they've supplied when registering)
    > which allow us to dynamically configure content for them. Thus, we
    > want each user's session to be unique to that user and not
    > "shareable".
    >
    > However, sometimes a user, when they find something of interest on our
    > site, will email the URL containing the embedded cookieless session id
    > to their colleagues. If their session hasn't timed out and their
    > colleagues click on the link, the colleagues end up piggybacking on
    > the first user's session, so to speak.
    >
    > Is it possible to programmatically identify this scenario so the
    > session could be terminated when another user is piggybacking on an
    > existing session?
    >
    > Is there some built-in authentication appropriate to an app that uses
    > the anonymous ASP.NET account, which we could use in addition to the
    > validation we perform against our registration database? Something
    > that would tie the session id to the first user's browser, so that the
    > same session id would simply not work in another browser?
    >
    > Thanks
    > Liam
     
    Dominick Baier [DevelopMentor], Mar 10, 2006
    #2
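One way to implement the "tie the session to the client" idea from the reply above, as an added example that is not code from the thread or from either poster: a Global.asax that records a fingerprint of the client when the session starts and abandons the session when a later request presents the same session id from a different client. The names `FingerprintKey`, `ComputeFingerprint` and `~/Login.aspx` are assumptions; hashing the User-Agent together with the IP address goes a step beyond the reply, which only mentions the IP.

```csharp
// Global.asax.cs (added example, not from the original thread)
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    private const string FingerprintKey = "__ClientFingerprint"; // assumed key name

    // Hypothetical helper: hash of client IP + User-Agent. As the reply warns,
    // a NAT device, proxy or load balancer can make many users share one IP
    // (a colleague behind the same NAT passes the check) or make one user's IP
    // change between requests (a legitimate user gets logged out).
    private static string ComputeFingerprint(HttpRequest request)
    {
        string ip = request.UserHostAddress ?? string.Empty;
        string ua = request.UserAgent ?? string.Empty;
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(ip + "|" + ua));
            return Convert.ToBase64String(hash);
        }
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        // Bind the freshly created session to the browser that created it.
        Session[FingerprintKey] = ComputeFingerprint(Request);
    }

    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        // Session state is guaranteed to be loaded at this stage of the pipeline.
        HttpSessionState session = HttpContext.Current.Session;
        if (session == null || session.IsNewSession) return;

        string expected = session[FingerprintKey] as string;
        if (expected == null) return;

        if (!string.Equals(expected, ComputeFingerprint(Request), StringComparison.Ordinal))
        {
            // A different client is presenting this session id (for example a
            // colleague who received the URL by e-mail): drop the session and
            // send the request to the login page instead of serving the
            // first user's personalised content.
            session.Abandon();
            Response.Redirect("~/Login.aspx", true);
        }
    }
}
```

Because the session id is carried in the URL, the abandoned id still arrives on the redirected request; ASP.NET issues a new id for it, so the shared link no longer yields the original user's session.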
