preventing Session ID replay attack

Discussion in 'ASP General' started by anoop, Apr 16, 2007.

  1. anoop

    anoop Guest

    Hello,
    I am developing a simple ASP website with a login page. I want to
    know how I can change the Session ID after login and also close the current
    Session after the user closes the window or gets logged out of the website, so
    that every time the user logs in to the website, the Session ID will be unique.

    Thank you.
     
    anoop, Apr 16, 2007
    #1

  2. Evertjan.

    Evertjan. Guest

    anoop wrote on 16 apr 2007 in
    microsoft.public.inetserver.asp.general:

    > I am developing a Simple ASP Website with a login page. I want to
    > know how can I change Session ID after login


    You cannot, simply because changing the session.id would end the session per
    definition.

    > and also Close the
    > current Session after User closes the Window or gets logged out of the
    > Website.


    Use session.abandon if you have to, or empty the
    session("login") value if so designed.

    .... however you cannot reliably trust the closing of window to be reported.
    It depends on the browser used, the closing of the computer, or if someone
    trips over the mains connection or internet connection.

    > So that every time user logs in into the website, Session ID
    > will be unique.


    The session.id is unique as delivered by the system, better than once in a
    lifetime at least.


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my email address)
     
    Evertjan., Apr 16, 2007
    #2

  3. michal

    michal Guest

    To release all used sessions:
    session.abandon()
    http://msdn.microsoft.com/library/d...html/02106ee0-6603-4123-b5c8-eeb92ebbbc31.asp
    but this won't reset the session id ... (as far as I know)

    On Apr 16, 10:09 am, "Evertjan." <>
    wrote:
    > anoop wrote on 16 apr 2007 in
    > microsoft.public.inetserver.asp.general:
    >
    > > I am developing a Simple ASP Website with a login page. I want to
    > > know how can I change Session ID after login

    >
    > You cannot, simply because changing the session.id would end the session per
    > definition.
    >
    > > and also Close the
    > > current Session after User closes the Window or gets logged out of the
    > > Website.

    >
    > Use session.abandon if you have to, or empty the
    > session("login") value if so designed.
    >
    > ... however you cannot reliably trust the closing of window to be reported.
    > It depends on the browser used, the closing of the computer, or if someone
    > trips over the mains connection or internet connection.
    >
    > > So that every time user logs in into the website, Session ID
    > > will be unique.

    >
    > The session.id is unique as delivered by the system, better than once in a
    > lifetime at least.
    >
    > --
    > Evertjan.
    > The Netherlands.
    > (Please change the x'es to dots in my email address)
     
    michal, Apr 17, 2007
    #3
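
An added example, not part of any post in this thread: a Python model of one way to work within the constraints the replies describe (a session ID that is not changed at login, and a window close that is never reported). It binds a fresh random token to the session at login, drops it at logout, and expires it on idle. The class, method names and the 20-minute timeout are assumptions of this example, not ASP APIs.

```python
import hmac
import secrets

IDLE_TIMEOUT = 20 * 60  # seconds; assumed value for this example


class SessionStore:
    """Model of a server whose session ID stays fixed for the session's life."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user", "token", "last_seen"}

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": None, "token": None, "last_seen": 0.0}
        return sid

    def login(self, sid, user, now):
        # Called after the password check: issue a token that nobody who
        # only knew the pre-login session ID has ever seen.
        token = secrets.token_urlsafe(32)
        self._sessions[sid].update(user=user, token=token, last_seen=now)
        return token  # would be sent as a second cookie (HttpOnly, Secure)

    def logout(self, sid):
        # Drop the server-side state; the old ID and token become useless.
        self._sessions.pop(sid, None)

    def authenticated_user(self, sid, token, now):
        """Return the user name, or None if the request must be rejected."""
        s = self._sessions.get(sid)
        if s is None or s["token"] is None or not token:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)  # covers the window close the server never hears about
            return None
        if not hmac.compare_digest(s["token"].encode(), token.encode()):
            return None
        s["last_seen"] = now
        return s["user"]


def replay_scenario():
    """Constructed scenario: the session ID is known to a third party, the token is not."""
    store = SessionStore()
    sid = store.new_session()
    token = store.login(sid, "alice", now=0)
    return {"owner": store.authenticated_user(sid, token, now=60),
            "id_only_replay": store.authenticated_user(sid, "", now=61),
            "after_idle": store.authenticated_user(sid, token, now=62 + IDLE_TIMEOUT)}
```
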