Problem while using cookieless session

Priya

We are facing problems while using cookieless session. When the user copies
and pastes the URL from one machine to another, he is able to access the data
entered by the first user. Is there any way to eliminate this problem?

Thanks in advance.
 
Cactus Corp.

We are facing problems while using cookieless session. When the user copies
and pastes the URL from one machine to another, he is able to access the data
entered by the first user. Is there any way to eliminate this problem?

Thanks in advance.

Hello,

The session identifier is used to identify which session the visitor is linked to.
As it sounds....

Consequently, if someone does a copy/paste of one of your cookie-less
URLs, he gets access to your session.

The role of the SESSIONID is to establish the link: this is an identification
process. What you're looking for is an authentication process: after identifying
which session is requested, you want the application to make sure nobody is
usurping an identity.

You need to add a few checks to make sure of this. There are many discussions
about that; the term used by many security professionals is "session hijacking".

For example:
- adding secure tokens to your urls
- IP address to session-id link
- challenged URLs
- ...and so on...

Good luck!

Antonio
 
Dominick Baier [DevelopMentor]

Hello Priya,

No - this is the same as copying the cookie (in cookie session mode).

Jeff Prosise wrote an article on MSDN where he took some extra info to make
the session ID unique (IIRC user agent and IP address). Be aware that this
is not bullet-proof as different users behind a proxy e.g. will have the
same IP address...
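
One way to implement the kind of check mentioned above (tying the session ID to the user agent and IP address), as an added example that is not part of the original posts and is not the code from the MSDN article. The class and method names and all sample values are assumptions, and it targets current .NET rather than the ASP.NET version discussed in the thread.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; SessionBinding and its members are hypothetical names.
public static class SessionBinding
{
    // HMAC-SHA256 over sessionId, userAgent and ip. Each field is length-prefixed
    // so that characters cannot be shifted between fields to get the same tag.
    public static byte[] ComputeTag(byte[] key, string sessionId, string userAgent, string ip)
    {
        var sb = new StringBuilder();
        foreach (string field in new[] { sessionId, userAgent, ip })
            sb.Append(field.Length).Append(':').Append(field);
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString()));
    }

    // storedTag is computed once when the session is created and kept server-side.
    public static bool Matches(byte[] key, byte[] storedTag, string sessionId, string userAgent, string ip)
    {
        byte[] current = ComputeTag(key, sessionId, userAgent, ip);
        return CryptographicOperations.FixedTimeEquals(storedTag, current);
    }

    public static void Main()
    {
        var key = new byte[32];
        RandomNumberGenerator.Fill(key); // per-application secret

        // Constructed sample values (documentation IP ranges).
        const string sid = "constructed-session-id-0001";
        const string uaA = "ExampleBrowser/1.0 (Windows)";
        const string uaB = "OtherBrowser/2.0 (Linux)";
        byte[] tag = ComputeTag(key, sid, uaA, "192.0.2.10");

        // Same client on a later request.
        Console.WriteLine(Matches(key, tag, sid, uaA, "192.0.2.10"));
        // The URL pasted into a different browser on another machine.
        Console.WriteLine(Matches(key, tag, sid, uaB, "198.51.100.7"));
        // A different user behind the same proxy with the same browser:
        // indistinguishable from the first case, the limitation noted above.
        Console.WriteLine(Matches(key, tag, sid, uaA, "192.0.2.10"));
    }
}
```

On a mismatch the application would abandon the session and start a new one instead of serving the stored data.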
 
Priya

Hi,
Thanks for the solution
Is there any way to hide the session id displayed in the URL?
Can you suggest any alternate solution? As we could find only usage of hidden
fields which is not a feasible solution for our application.
-Priya
 
Cactus Corp.

Hi,
Thanks for the solution

Hi there,
Is there any way to hide the session id displayed in the URL?

Actually if your session ids are shown in your URLs, it's obviously
because you wanted it: URL-based session ids are set by the
cookieless property in the web.config file.

Can you suggest any alternate solution? As we could find only usage of hidden
fields which is not a feasible solution for our application

Well, first question would be: why did you choose using cookieless
session management? Is it because of a specific requirement?

Antonio
 
Dominick Baier [DevelopMentor]

Hello Priya,

Generally I would not recommend using cookieless sessions - no you cannot
hide the session id in the url...
 
