Keith
I have found what I believe to be a serious security
issue in ASP.Net. If you have:
1. Your website configured for anonymous access
2. Elect under web.config to set the sessionstate
attribute of cookieless to true
Anyone from any IP address or across another browser can
copy the URL and work within the session. My question
is "Why doesn't ASP.Net provide an option around ensuring
all requests for a user session originate from the same
IP address and/or same useragent?" I know that some
people sit behind firewalls, proxies and layer 4 devices
that could load balance and affect HTTP traffic, but it
honestly escapes me why I can access my web application
on any machine inside or outside of my network with just
the sessionid in the URL from even different browsers.
There must be a way to control this in the
configuration. Am I alone in finding this troubling?
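Added example, not from Keith's post: a web.config fragment showing the sessionState setting he describes next to a cookie-only configuration. It assumes ASP.NET 2.0 or later, where cookieless accepts the UseCookies value (cookieless="false" is the ASP.NET 1.x spelling of the same choice).

```xml
<!-- Constructed web.config fragment, not configuration from the original post. -->
<configuration>
  <system.web>
    <!-- Weak: the session ID is carried in the URL, so anyone who
         obtains that URL can resume the session from any client,
         IP address or browser, exactly as described above.
    <sessionState mode="InProc" cookieless="true" timeout="20" />
    -->

    <!-- Preferred: keep the session ID in a cookie only, never in the URL.
         ASP.NET 1.x spelling: cookieless="false". -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

    <!-- If cookieless mode must stay (cookie-less clients), have ASP.NET
         issue a fresh ID instead of accepting an expired one from the URL:
    <sessionState mode="InProc" cookieless="UseUri"
                  regenerateExpiredSessionId="true" timeout="20" />
    -->

    <!-- Keep the session cookie out of script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Binding a session to the client IP or User-Agent, as the post asks for, is not a sessionState option; the cookie-only setting removes the URL copy problem without depending on either header.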