Major Security Issue

Discussion in 'ASP .Net' started by Amir Ghezelbash, Apr 22, 2004.

  1. Hi everyone,

    I have a major MAJOR MAJOR problem.
    OK, I have been using cookies for my site for a while, and now I have been
    trying to use sessionless cookies because I find them much faster.
    Anyway, now the problem:
    With sessionless cookies, since the ID is embedded within the URL, every time
    someone signs into their account and then logs out, if they send their link
    to someone else, that other person can log into their account without
    needing to know their user name and password. OK, let me show you what I mean
    by example.
    Here is my site; go to my site:

    http://www.riseofkingdoms.org/rok

    Now if you log in using: UserName: d1 and password: dzl786
    you'll be taken to your page. Now if you go in the menu and go to Palac and
    sign out, but before doing that copy the link in your browser, now
    sign out, close your browser and paste your link, and you'll be taken back
    to your profile without needing to sign in.
    Even if you send your link to someone else they will be able to sign in
    without needing to log in. Here is the link from when I signed in; you can just
    go to that account using this link, you don't need to sign in:

    http://www.riseofkingdoms.org/rok/(c4ehh345kyxu122m0xz2ij45)/ROKGame/Rise_Of_Kingdoms/Home.aspx

    This cannot be good.
    I am sure there is a way around this, I mean I hope. Why is it doing
    this?
    I expire sessions when sign-out has been clicked: Session.Remove("UserName");

    Any suggestions?

    ---
    Best Regards
    Amir

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
     
    Amir Ghezelbash, Apr 22, 2004
    #1

  2. Scott M. (Guest)

    You are storing the user and password data in the cookie? There is your
    security problem right there. Cookies are only as secure as the data you
    put in them.

    You should be storing the user names and passwords in a database and
    authenticating users against that database. Also, since cookies can be
    "turned off" at the client level, you should never build any functionality
    into them that you aren't willing to lose.


     
    Scott M., Apr 22, 2004
    #2

  3. ?
    Did you even read my question?
    No, I am not using cookies; passwords are saved in the database.

    I am using cookieless sessions here.

    ---
    Best Regards
    Amir

     
    Amir Ghezelbash, Apr 23, 2004
    #3
  4. Ken Schaefer (Guest)

    How are you expiring the session?

    Cheers
    Ken


     
    Ken Schaefer, Apr 23, 2004
    #4
  5. Hi Amir,

    > This cannot be good
    > I am sure there is a way around this I mean I hope, why is it doing
    > this?
    > I expire sessions when sign-out has been clicked, Session.
    > Remove("UserName");


    Do you check the existence of "UserName" in the Session object in every method
    of your code? The real session will not expire earlier than 20 min, or whatever
    you have specified for your application.

    --
    ______________________________
    With best wishes, Arthur Nesterovsky
    Visit, please, my home page:
    http://www.nesterovsky-bros.com
     
    Arthur Nesterovsky, Apr 23, 2004
    #5
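    The two points raised in the thread (Ken asks how the session is expired, Arthur notes that removing one key does not end the session and that every page must check the key) come together in the following C# code-behind. This is an added example for illustration, not code from Amir's site or from any reply: it assumes a login page named Login.aspx, a sign-out button handler named SignOutButton_Click, and a page base class named AuthenticatedPage; the session key "UserName" and the page Home.aspx are the ones named in the thread.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Base class for every page that requires a signed-in user. Page.OnInit runs
// before any page event, so a page that inherits from it cannot forget the
// check the way an individual Page_Load can.
public class AuthenticatedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // With cookieless sessions the id in the URL selects the session, but
        // only a session that still holds "UserName" counts as signed in.
        // Someone who pastes an old URL after Session.Abandon() arrives with
        // an empty session and is sent to the login page.
        if (Session["UserName"] == null)
        {
            // In cookieless mode ASP.NET rewrites the relative redirect so the
            // current session id stays in the URL; endResponse=true stops the
            // rest of the page from rendering.
            Response.Redirect("Login.aspx", true);
        }
    }

    protected string CurrentUser
    {
        get { return (string)Session["UserName"]; }
    }
}

// Code-behind for Home.aspx, the page that carries the sign-out button
// (the button and handler names are assumed).
public class HomePage : AuthenticatedPage
{
    protected void SignOutButton_Click(object sender, EventArgs e)
    {
        // Session.Remove("UserName") on its own only deletes one key. The
        // session itself, and with it the id embedded in every URL the user
        // visited, stays alive until the idle timeout (20 minutes by default)
        // runs out, which is the window the thread describes.
        Session.Remove("UserName");

        // Session.Abandon() ends the server-side session at the end of this
        // request, so the state behind the old id is discarded rather than
        // left to time out.
        Session.Abandon();

        Response.Redirect("Login.aspx", true);
    }
}
```

    The 20 minutes Arthur mentions is the `timeout` attribute of the `<sessionState>` element in web.config; shortening it narrows the window but does not close it, which is why the sign-out handler has to abandon the session rather than rely on expiry. Because a cookieless session id travels in the URL, it also ends up in browser history, bookmarks and Referer headers, so ending the session on sign-out matters more here than it would with a cookie-based session.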