Major Security Issue


Amir Ghezelbash

Hi everyone,

I have a major, MAJOR, MAJOR problem.
OK, I have been using cookies for my site for a while, and now I have been trying to use session-less cookies because I find them much faster.
Anyway, now the problem:
With session-less cookies, since the ID is embedded within the URL, every time someone signs into their account and then logs out, if they send their link to someone else, that other person can log into their account without needing to know their user name and password. OK, let me show you what I mean by example.
Here is my site; go to my site:

http://www.riseofkingdoms.org/rok

Now if you log in using UserName: d1 and password: dzl786, you will be taken to your page. Now go to the menu, go to Palac and sign out, but before doing that copy the link in your browser. Now sign out, close your browser and paste your link, and you will be taken back to your profile without needing to sign in.
Even if you send your link to someone else, they will be able to sign in without needing to log in. Here is the link from when I signed in; you can just go to that account using this link, you don't need to sign in:

http://www.riseofkingdoms.org/rok/(c4ehh345kyxu122m0xz2ij45)/ROKGame/Rise_Of_Kingdoms/Home.aspx

This cannot be good.
I am sure there is a way around this, I mean I hope. Why is it doing this?
I expire sessions when sign-out has been clicked: Session.Remove("UserName");

Any suggestions?
 

Scott M.

You are storing the user and password data in the cookie? There is your
security problem right there. Cookies are only as secure as the data you
put in them.

You should be storing the user names and passwords in a database and
authenticating users against that database. Also, since cookies can be
"turned off" at the client level, you should never build any functionality
into them that you aren't willing to lose.
 

Amir Ghezelbash

?
Did you even read my question?
No, I am not using cookies; passwords are saved in the database.

I am using cookieless sessions here.
 

Ken Schaefer

How are you expiring the session?

Cheers
Ken


: ?
: did you even read my question?
: no i am not using cookies, passwords are saved into database
:
: i am using cookieless sessions here
:
: ---
: Best Regards
: Amir
:
 

Arthur Nesterovsky

Hi Amir,

: This cannot be good
: I am sure there is a way around this I mean I hope, why is it doing
: this?
: I expire sessions when sign-out has been clicked, Session.Remove("UserName");

Do you check the existence of "UserName" in the Session object in every method of your code? The real session will not expire earlier than 20 min, or whatever you had specified for your application.
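As an added illustration of the two points above (this is example code, not code from the thread or from Amir's site): a base page that checks Session["UserName"] on every request, and a sign-out that destroys the whole session so the ID embedded in the URL stops mapping to a logged-in user instead of just removing one key. Class and page names (SecurePage, Home, Login.aspx) are assumptions.

```csharp
// Added example for ASP.NET Web Forms with cookieless session state.
// The names SecurePage, Home and Login.aspx are hypothetical.
using System;
using System.Web;
using System.Web.UI;

public class SecurePage : Page
{
    // Runs for every page that inherits from SecurePage, so a stale or
    // shared URL with a session ID in it cannot reach a protected page
    // once the session no longer carries an authenticated user.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session["UserName"] == null)
        {
            Response.Redirect("~/Login.aspx", true);
        }
    }

    // Call this from the sign-out button handler.
    protected void SignOut()
    {
        // Session.Remove("UserName") deletes one key; the session itself
        // (and the ID in the URL) stays alive until the timeout.
        // Clear + Abandon destroys the session, so the ID pasted into
        // another browser no longer maps to a logged-in user.
        Session.Clear();
        Session.Abandon();
        Response.Redirect("~/Login.aspx", true);
    }
}

// A protected page simply inherits from SecurePage.
public partial class Home : SecurePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Safe to read here: OnInit already verified the key exists.
        string user = (string)Session["UserName"];
    }

    protected void SignOutButton_Click(object sender, EventArgs e)
    {
        SignOut();
    }
}
```

Even with this in place, the URL still carries the live session ID until sign-out or timeout, so a link shared during that window still works; the check and the Abandon only limit the exposure to the active session.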
 
