Major ASP.Net Security Issue?

Discussion in 'ASP .Net Security' started by Keith, Feb 1, 2004.

  1. Keith

    Keith Guest

    I have found what I believe to be a serious security
    issue in ASP.Net. If you have:

    1. Your website configured for anonymous access
    2. Elect under web.config to set the sessionstate
    attribute of cookieless to true

    Anyone from any IP address or across another browser can
    copy the URL and work within the session. My question
    is "Why doesn't ASP.Net provide an option around ensuring
    all requests for a user session originate from the same
    IP address and/or same useragent?" I know that some
    people sit behind firewalls, proxies and layer 4 devices
    that could load balance and affect HTTP traffic, but it
    honestly escapes me why I can access my web application
    on any machine inside or outside of my network with just
    the sessionid in the URL from even different browsers.
    There must be a way to control this in the
    configuration. Am I alone in finding this troubling?
     
    Keith, Feb 1, 2004
    #1

  2. Ray at

    Ray at Guest

    It seems to me that this would be listed as a predictable downside to using
    cookieless sessions. Verifying IPs and/or user agents wouldn't be any real
    way to avoid this, so it makes sense to me that this wouldn't be the default
    behavior for asp.net to check that. And if it were to check it, where would
    it store this info? In session variables? Hmmph.

    --

    Ray at home
    Microsoft ASP MVP

    "Keith" <> wrote in message
    news:77b601c3e87d$1c5144f0$...
    > I have found what I believe to be a serious security
    > issue in ASP.Net. If you have:
    >
    > 1. Your website configured for anonymous access
    > 2. Elect under web.config to set the sessionstate
    > attribute of cookieless to true
    >
    > Anyone from any IP address or across another browser can
    > copy the URL and work within the session. My question
    > is "Why doesn't ASP.Net provide an option around ensuring
    > all requests for a user session originate from the same
    > IP address and/or same useragent?" I know that some
    > people sit behind firewalls, proxies and layer 4 devices
    > that could load balance and affect HTTP traffic, but it
    > honestly escapes me why I can access my web application
    > on any machine inside or outside of my network with just
    > the sessionid in the URL from even different browsers.
    > There must be a way to control this in the
    > configuration. Am I alone in finding this troubling?
     
    Ray at, Feb 1, 2004
    #2

  3. Paul Glavich

    Paul Glavich Guest

    We have used cookieless sessions and what you say is true, but we used SSL
    to encrypt traffic, which as you know requires a connection to the same
    client/server (ie. if connection broken, then the SSL session is invalid) so
    this IP verification approach could still work but it assumes SSL, which of
    course is really outside of ASP.NET's domain.

    Further to this you could use client certs to verify integrity which
    strictly doesn't stop people from hijacking a session (simply minimises it),
    but there are just so many ways to approach this, each with positives and
    negatives, that if the ASP.NET team adopted one approach, it would
    implicitly be advocating this one approach which may very well be flawed
    under a number of different situations.

    My 2 cents.

    --
    - Paul Glavich


    "Keith" <> wrote in message
    news:77b601c3e87d$1c5144f0$...
    > I have found what I believe to be a serious security
    > issue in ASP.Net. If you have:
    >
    > 1. Your website configured for anonymous access
    > 2. Elect under web.config to set the sessionstate
    > attribute of cookieless to true
    >
    > Anyone from any IP address or across another browser can
    > copy the URL and work within the session. My question
    > is "Why doesn't ASP.Net provide an option around ensuring
    > all requests for a user session originate from the same
    > IP address and/or same useragent?" I know that some
    > people sit behind firewalls, proxies and layer 4 devices
    > that could load balance and affect HTTP traffic, but it
    > honestly escapes me why I can access my web application
    > on any machine inside or outside of my network with just
    > the sessionid in the URL from even different browsers.
    > There must be a way to control this in the
    > configuration. Am I alone in finding this troubling?
     
    Paul Glavich, Feb 1, 2004
    #3
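The per-request check Keith asks about, written out as an added example that is not from the thread, from Microsoft, or from any of the posters. It is a Global.asax code-behind for a site that has set `cookieless="true"` on `<sessionState>` in web.config (the configuration Keith describes); the session key names, the `SessionExpired.aspx` page, the `timeout` value in the assumed config comment and the `BindToClientIp` switch are this example's own choices. It records a fingerprint of the client (User-Agent, optionally the client IP) when a session is created and abandons the session on any later request whose fingerprint differs. As Ray and Paul point out, this only narrows the window: the User-Agent string is attacker-chosen, and binding to IP misfires behind proxies and layer-4 load balancers, which is why the IP part is off by default here.

```csharp
// Global.asax.cs -- added example, not code from the thread or from ASP.NET.
// Assumed web.config (the setting described in the thread; timeout is this example's value):
//   <sessionState mode="InProc" cookieless="true" timeout="20" />
// With cookieless="true" the session id travels in the URL as /(sessionid)/page.aspx,
// so any copy of that URL carries the session. The check below ties a session to the
// client characteristics seen on the request that created it.

using System;
using System.Web;

public class Global : HttpApplication
{
    // Session keys used to store the fingerprint (names are this example's own choice).
    private const string FingerprintKey = "__ClientFingerprint";

    // Enable only where one client is known to keep one IP for the life of a session;
    // proxies, NAT pools and layer-4 load balancers break that assumption.
    private static readonly bool BindToClientIp = false;

    // PreRequestHandlerExecute runs after session state has been acquired and before
    // the page executes, so the session can be inspected and dropped before any
    // page code trusts it.
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Handlers that do not use session state (static files, some HttpHandlers) have no Session.
        if (ctx.Session == null)
        {
            return;
        }

        string fingerprint = ComputeFingerprint(ctx.Request);

        if (ctx.Session.IsNewSession)
        {
            // First request of a fresh session: remember who created it.
            ctx.Session[FingerprintKey] = fingerprint;
            return;
        }

        string stored = ctx.Session[FingerprintKey] as string;
        if (stored == null || stored != fingerprint)
        {
            // A known session id arrived from a client that does not match the one that
            // created it. Discard the server-side state rather than serve it.
            ctx.Session.Abandon();
            ctx.Response.Redirect("~/SessionExpired.aspx"); // page name is an assumption
        }
    }

    // Builds the value compared on every request. User-Agent alone stops the casual
    // case in the thread (a copied URL opened in a different browser); it does not
    // stop a deliberate attacker, who can send any User-Agent string.
    internal static string ComputeFingerprint(HttpRequest request)
    {
        string userAgent = request.UserAgent;
        if (userAgent == null)
        {
            userAgent = string.Empty;
        }

        string clientIp = string.Empty;
        if (BindToClientIp && request.UserHostAddress != null)
        {
            clientIp = request.UserHostAddress;
        }

        return userAgent + "|" + clientIp;
    }
}
```

The fingerprint lives in server-side session state, which answers Ray's "where would it store this info?": the client can present a session id, but it cannot write the values stored against that id. Two things to keep in mind when using it: `SessionExpired.aspx` should not itself depend on session state, because in cookieless mode the redirect is rewritten to carry the (now abandoned) id and the next request simply starts an empty session; and the check is a complement to serving the site over SSL, not a replacement for it, since the URL with the id is otherwise visible in proxy logs, referrers and browser history.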