Patterns And Practices Security Checklists

Discussion in 'ASP .Net Security' started by A.M, Feb 17, 2004.

  1. A.M

    A.M Guest

    Hi,

    In Architecture and Design Review Security Checklist at following link:

    http://msdn.microsoft.com/library/en-us/dnnetsec/html/CL_ArchDes.asp?frame=true&_r=1

    I don't understand the following two items:

    1) Session state is protected from unauthorized access.
    2) Session identifiers are not passed in query strings.

    How can unauthorized access to session state happen, and why would I pass a
    session identifier in a query string?

    Thanks,
    Ali
     
    A.M, Feb 17, 2004
    #1

  2. bruce barker

    bruce barker Guest

    there are only a couple of ways to pass a session key

    1) in a cookie (asp.net)
    2) in the url
    3) hidden field (though a url is often required for bootstrap)

    you're worried about how easy it is to hijack someone's session. in all the
    above techniques the session key can be discovered by a network sniffer. so
    now that i have the key, how easy is it to use? a sample of a bad session key
    is an incrementing number; these are easy to hijack.


    -- bruce (sqlwork.com)



    "A.M" <> wrote in message
    news:#...
    > Hi,
    >
    > In Architecture and Design Review Security Checklist at following link:
    >
    > http://msdn.microsoft.com/library/en-us/dnnetsec/html/CL_ArchDes.asp?frame=true&_r=1
    >
    > I don't understand following two items:
    >
    > 1) Session state is protected from unauthorized access.
    > 2) Session identifiers are not passed in query strings.
    >
    > How an unauthorized access to session state can happen and why would i pass
    > session identifier in query string ?
    >
    > Thanks,
    > Ali
    >
    >
     
    bruce barker, Feb 17, 2004
    #2
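Bruce's point about an incrementing session key, shown in code. This is an added example, not code from the thread or from ASP.NET's own session module: a constructed counter-style generator beside a CSPRNG-based one, and a small audit check that flags a list of issued IDs (for example pulled from your own server logs) when they turn out to be a plain counter. The parameter names, the `max_step` threshold and the sample IDs are assumptions chosen for illustration.

```python
import secrets


def incrementing_session_id(last_id):
    """The weak scheme Bruce warns about: each new session gets last + 1.
    Whoever sees one ID (on the wire, in a log, in a URL) can guess the
    neighbouring ones. Constructed illustration, not ASP.NET's generator."""
    return str(int(last_id) + 1)


def random_session_id(nbytes=16):
    """A session ID drawn from the OS CSPRNG: 16 bytes = 128 bits of
    entropy, URL-safe base64 without padding (22 characters for 16 bytes),
    so earlier IDs reveal nothing about later ones."""
    return secrets.token_urlsafe(nbytes)


def looks_sequential(ids, max_step=1000):
    """Audit check for session IDs issued in order: True when every ID is an
    integer and each one sits a small constant step above the previous one.
    max_step is an assumed threshold; a counter with a fixed stride of any
    size is still predictable, the bound just avoids flagging coincidences."""
    try:
        nums = [int(s) for s in ids]
    except ValueError:
        return False  # non-numeric IDs cannot be a plain counter
    if len(nums) < 2:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and 0 < next(iter(steps)) <= max_step


def audit_session_ids(ids):
    """Return a one-line verdict suitable for a checklist finding."""
    if looks_sequential(ids):
        return "FAIL: session IDs are a predictable counter"
    shortest = min(len(s) for s in ids)
    if shortest < 16:
        return "WARN: session IDs are short (%d chars); check their entropy" % shortest
    return "PASS: no obvious predictability"


# Constructed sample: four IDs exactly as an incrementing scheme hands them out.
WEAK_SAMPLE = ["1041", "1042", "1043", "1044"]

if __name__ == "__main__":
    print(audit_session_ids(WEAK_SAMPLE))
    print(audit_session_ids([random_session_id() for _ in range(4)]))
```

The sequential check is deliberately crude: it catches the textbook bad case Bruce names, not every weak generator, so treat a PASS as "nothing obvious" rather than proof of strength.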

  3. Hello Ali,

    I agreed with Bruce on it. For example, if a client browser doesn't
    support/allow cookies, we can't store the session in a cookie. Under this
    situation, some web sites will transfer the session ID through the URL. If
    somebody hacked the session ID by using a network sniffer, he can visit the
    web site using another person's identity.

    Another concern is that cookies are sent between browser and server as
    plain text, and anyone who can intercept your Web traffic can read the
    cookie. You can set a cookie property that causes the cookie to be
    transmitted only if the connection uses the Secure Sockets Layer (SSL, aka
    https://). SSL does not protect the cookie from being read or manipulated
    while it is on the user's computer, but it does prevent the cookie from
    being intercepted in transit.

    You can refer to the following article for some more info on it:
    "Basics of Cookies in ASP.NET"
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/vbtchaspnetcookies101.asp

    Hope that helps.

    Best regards,
    Yanhong Huang
    Microsoft Community Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Yan-Hong Huang[MSFT], Feb 18, 2004
    #3
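The two checklist items, as a pair of review checks you can run over your own application's URLs and response headers. This is an added example written for this thread, not code from the post or from ASP.NET: one function reports where a URL carries a session identifier (named query parameters, and the ASP.NET cookieless path form `/(S(...))/` that Yanhong's "transfer session ID through URL" refers to), the other reports which protective attributes a Set-Cookie header lacks. The `Secure` attribute is the SSL-only property Yanhong describes; `HttpOnly` is an additional check not mentioned in the post. The parameter-name list, the sample URLs and the sample cookie values are constructed assumptions.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Query-string parameter names commonly used to carry a session identifier.
# Constructed list: extend it with your own application's parameter names.
SESSION_PARAM_NAMES = {
    "sessionid", "session_id", "sid", "asp.net_sessionid", "jsessionid", "phpsessid",
}

# ASP.NET "cookieless" sessions embed the ID in the path as /(S(<id>))/.
COOKIELESS_PATH = re.compile(r"/\(S\([^)]+\)\)/", re.IGNORECASE)


def session_id_in_url(url):
    """Checklist item 2: return the places in this URL that carry a session
    identifier (matching query parameter names, plus 'cookieless-path' for the
    ASP.NET path form). An empty list means the URL is clean."""
    parts = urlsplit(url)
    hits = [k for k in parse_qs(parts.query) if k.lower() in SESSION_PARAM_NAMES]
    if COOKIELESS_PATH.search(parts.path):
        hits.append("cookieless-path")
    return hits


def cookie_transport_findings(set_cookie_header):
    """Checklist item 1, transport part: for each cookie in a Set-Cookie header,
    list the protective attributes it is missing. 'Secure' means the browser
    sends it only over SSL (Yanhong's point); 'HttpOnly' keeps it away from
    page scripts and is an extra check beyond the post."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings


# Constructed samples: three request URLs and two Set-Cookie headers.
SAMPLE_URLS = [
    "https://shop.example.test/orderform.aspx?item=7",
    "https://shop.example.test/orderform.aspx?item=7&sessionid=1042",
    "https://shop.example.test/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx",
]
WEAK_COOKIE = "ASP.NET_SessionId=lit3py55t21z5v55vlm25s55; path=/"
HARDENED_COOKIE = "ASP.NET_SessionId=lit3py55t21z5v55vlm25s55; path=/; secure; HttpOnly"

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", session_id_in_url(u) or "clean")
    print(cookie_transport_findings(WEAK_COOKIE))
    print(cookie_transport_findings(HARDENED_COOKIE))
```

Run the URL check over your application's generated links and access logs, and the cookie check over captured response headers; a hit from either is a finding against the corresponding checklist item. Note what the Secure flag does not do, as Yanhong says: it keeps the cookie off the wire in clear text, but not out of reach on the user's own machine.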
