Problem while using cookieless session

Discussion in 'ASP .Net Security' started by Priya, Aug 16, 2005.

  1. Priya

    Priya Guest

    We are facing problems while using cookieless session. When the user copies
    and pastes the URL from one machine to another, he is able to access the data
    entered by the first user. Is there any way to eliminate this problem?

    Thanks in advance.
     
    Priya, Aug 16, 2005
    #1

  2. Priya

    Cactus Corp. Guest

    > We are facing problems while using cookieless session. When the user copies
    > and pastes the url from one machine to another, he is able to access the data
    > entered by the first user. Is there any way to eliminate this problem?
    >
    > Thanks in advance.


    Hello,

    The session identifier is used to identify which session the visitor is linked to.
    As it sounds....

    Consequently, if someone does a copy/paste of one of your cookie-less
    URLs, he gets access to your session.

    The role of the SESSIONID is to establish the link: this is an identification
    process. What you're looking for is an authentication process: after identifying
    which session is requested, you want the application to make sure nobody is
    usurping an identity.

    You need to add a few checks to make sure of this. There are many discussions
    about that; the term used by many security professionals is "session hijacking".

    For example:
    - adding secure tokens to your URLs
    - IP address to session-id link
    - challenged URLs
    - ...and so on...

    Good luck!

    Antonio
     
    Cactus Corp., Aug 16, 2005
    #2

  3. Hello Priya,

    No - this is the same as copying the cookie (in cookie session mode).

    Jeff Prosise wrote an article on MSDN where he took some extra info to make
    the session ID unique (IIRC user agent and IP address). Be aware that this
    is not bullet-proof, as different users behind a proxy, e.g., will have the
    same IP address...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > We are facing problems while using cookieless session. When the user
    > copies and pastes the url from one machine to another, he is able to
    > access the data entered by the first user. Is there any way to
    > eliminate this problem?
    >
    > Thanks in advance.
    >
     
    Dominick Baier [DevelopMentor], Aug 17, 2005
    #3
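    The IP-address/User-Agent binding that Antonio lists ("IP address to session-id link") and that Dominick attributes to Jeff Prosise's MSDN article, as an added ASP.NET 2.0 Global.asax example; it is not code from either post or from Prosise's article. Instead of appending a MAC to the URL, it stores a server-side fingerprint in session state on the first request and rejects any later request for the same SessionID that arrives from a different client. The session key, the redirect page and the web.config setting named in the comments are assumptions for this example.

```csharp
// Global.asax.cs, ASP.NET 2.0 (added example, not code from the posts above
// or from Prosise's article). Ties each cookieless session to the client's IP
// address and User-Agent, so a URL pasted on another machine fails the check.
// Assumes web.config carries <sessionState mode="InProc" cookieless="true" />.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Session key and redirect target are assumed names chosen for this example.
    private const string FingerprintKey = "__clientFingerprint";
    private const string RejectUrl = "~/SessionRejected.aspx";

    // Raised on every request after SessionStateModule has loaded the session
    // (Global.asax auto-wires Application_<EventName> handlers by name).
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null)
        {
            return; // handler without session state (static files, etc.)
        }

        string current = ComputeFingerprint(ctx.Request);
        string stored = ctx.Session[FingerprintKey] as string;
        if (stored == null)
        {
            // First request of this session: record which client created it.
            ctx.Session[FingerprintKey] = current;
            return;
        }

        if (!string.Equals(stored, current, StringComparison.Ordinal))
        {
            // Same SessionID, different client: treat it as hijacking, discard
            // the state and send the caller to a page that starts a fresh session.
            ctx.Session.Abandon();
            ctx.Response.Redirect(RejectUrl, true);
        }
    }

    // Fingerprint = SHA-256 over "IP|User-Agent". Caveat raised in the thread:
    // users behind one proxy share an IP, and the User-Agent is client-controlled,
    // so this raises the bar but does not make a leaked URL-embedded ID safe.
    internal static string ComputeFingerprint(HttpRequest request)
    {
        string ip = request.UserHostAddress ?? string.Empty;
        string userAgent = request.UserAgent ?? string.Empty;
        byte[] input = Encoding.UTF8.GetBytes(ip + "|" + userAgent);
        using (SHA256 sha = new SHA256Managed())
        {
            return Convert.ToBase64String(sha.ComputeHash(input));
        }
    }
}
```

    The check runs in PostAcquireRequestState rather than in a page so that every session-enabled handler is covered. A copied URL still carries a valid SessionID, but the first request from the second machine produces a different fingerprint, the session is abandoned, and the data entered by the first user is no longer reachable through that ID. The proxy and spoofable User-Agent limits Dominick mentions still apply, which is why both replies treat this as a mitigation rather than a fix.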
  4. Priya

    Priya Guest

    Hi,
    Thanks for the solution.
    Is there any way to hide the session id displayed in the URL?
    Can you suggest any alternate solution? We could find only the usage of hidden
    fields, which is not a feasible solution for our application.
    -Priya


    "Dominick Baier [DevelopMentor]" wrote:

    > Hello Priya,
    >
    > no - this is the same as copying the cookie (in cookie session mode).
    >
    > Jeff Prosise wrote an article on MSDN where he took some extra info to make
    > the session ID unique (IIRC user agent and IP address). Be aware that this
    > is not bullet-proof, as different users behind a proxy, e.g., will have the
    > same IP address...
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > We are facing problems while using cookieless session. When the user
    > > copies and pastes the url from one machine to another, he is able to
    > > access the data entered by the first user. Is there any way to
    > > eliminate this problem?
    > >
    > > Thanks in advance.
    > >

     
    Priya, Aug 18, 2005
    #4
  5. Priya

    Priya Guest

    Hi,
    Thanks for the solution.
    Is there any way to hide the session id displayed in the URL?
    Can you suggest any alternate solution? We could find only the usage of hidden
    fields, which is not a feasible solution for our application.
    -Priya

    "Cactus Corp." wrote:

    > > We are facing problems while using cookieless session. When the user copies
    > > and pastes the url from one machine to another, he is able to access the data
    > > entered by the first user. Is there any way to eliminate this problem?
    > >
    > > Thanks in advance.

    >
    > Hello,
    >
    > The session identifier is used to identify which session the visitor is linked to.
    > As it sounds....
    >
    > Consequently, if someone does a copy/paste of one of your cookie-less
    > URLs, he gets access to your session.
    >
    > The role of the SESSIONID is to establish the link: this is an identification
    > process. What you're looking for is an authentication process: after identifying
    > which session is requested, you want the application to make sure nobody is
    > usurping an identity.
    >
    > You need to add a few checks to make sure of this. There are many discussions
    > about that; the term used by many security professionals is "session hijacking".
    >
    > For example:
    > - adding secure tokens to your urls
    > - IP address to session-id link
    > - challenged URLs
    > - ...and so on...
    >
    > Good luck!
    >
    > Antonio
     
    Priya, Aug 18, 2005
    #5
  6. Priya

    Cactus Corp. Guest

    > Hi,
    > Thanks for the solution


    Hi there,

    > Is there any way to hide the session id displayed in the URL?


    Actually, if your session ids are shown in your URLs, it's obviously
    because you wanted it: URL-based session ids are set by the
    cookieless property in the web.config file.


    > Can you suggest any alternate solution? We could find only the usage of hidden
    > fields, which is not a feasible solution for our application


    Well, the first question would be: why did you choose to use cookieless
    session management? Is it because of a specific requirement?

    Antonio

    > -Priya
     
    Cactus Corp., Aug 18, 2005
    #6
  7. Hello Priya,

    Generally I would not recommend using cookieless sessions - no, you cannot
    hide the session id in the URL...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi,
    > Thanks for the solution
    > Is there any way to hide the session id displayed in the URL?
    > Can you suggest any alternate solution? We could find only the usage of
    > hidden
    > fields, which is not a feasible solution for our application.
    > -Priya
    > "Dominick Baier [DevelopMentor]" wrote:
    >
    >> Hello Priya,
    >>
    >> no - this is the same as copying the cookie (in cookie session mode).
    >>
    >> Jeff Prosise wrote an article on MSDN where he took some extra info
    >> to make the session ID unique (IIRC user agent and IP address). Be
    >> aware that this is not bullet-proof, as different users behind a proxy,
    >> e.g., will have the same IP address...
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> We are facing problems while using cookieless session. When the user
    >>> copies and pastes the url from one machine to another, he is able to
    >>> access the data entered by the first user. Is there any way to
    >>> eliminate this problem?
    >>>
    >>> Thanks in advance.
    >>>
     
    Dominick Baier [DevelopMentor], Aug 19, 2005
    #7
