Secure ASP.Net Sessions

Discussion in 'ASP .Net Security' started by Martin, Sep 3, 2004.

  1. Martin

    Martin Guest

    Hi,

    I have a requirement for an ASP.Net application with both secure and
    insecure pages. I want to have ASP.Net sessions used/shared by both types
    of page.

    The current implementation has used 2 ASP.Net applications, one secure and
    one insecure, to avoid the insecure session ID (cookie based) being hijacked
    and used to access secure https pages. This creates a number of headaches
    for normal application development, and I can't believe that with a
    technology as mature as http(s) sessions there isn't a more elegant
    solution.

    In an ideal world I want the application to also handle the cookieless
    scenario.

    In both cookie and cookieless scenarios, I would imagine a solution that
    works something like the following (but I can't see any hint this has been
    implemented in ASP.Net).


    There should be 2 session IDs, one for insecure sessions and one for secure
    sessions.
    The insecure session ID is passed to both secure and insecure pages.
    The secure session ID is passed only to secure pages.
    (So far, I know cookies are capable of this behaviour with the secure cookie
    property.)

    Now, ASP.Net should expose a unified Session object as a set of properties,
    some properties associated with the secure session, and some associated with
    the insecure session.

    Which properties belong to which session?
    When a new property is set, it should be associated with the secure session
    if it is set in a secure page, and associated with the insecure session if
    set in an insecure page.

    On secure pages, both secure and insecure properties are accessible. (The
    accessor should not have to care which type of property they are accessing)
    On insecure pages, only insecure properties should be accessible.

    Obviously a careless programmer might set a sensitive property on an
    insecure page, thus making that data open to a hack attack, but it is always
    possible to write buggy code.



    This is just an outline of my thoughts/expectations on this. Am I living in
    a dream world, or does this actually exist? What is the design pattern for
    secure/insecure ASP.Net applications that avoids session ID hijacking?


    Thanks in advance.
    Martin
    Martin, Sep 3, 2004
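A runnable model of the two-session design sketched in the post, added here as an example and not code from the original thread or from ASP.Net: two session IDs, the secure one issued with the Secure cookie flag, a facade that files each property under the session matching the page that set it, and a server-side check (an addition beyond the post) that an ID is honoured only for the kind it was issued as, so a sniffed insecure ID replayed in the secure cookie opens nothing. All names (SESSION_DB, UnifiedSession, open_session, the cookie names) and the in-memory store are assumptions.

```python
import secrets

SESSION_DB = {}  # constructed in-memory store (not ASP.NET): id -> (kind, properties)

def new_session_id(kind):
    sid = secrets.token_hex(16)
    SESSION_DB[sid] = (kind, {})
    return sid

def lookup(sid, kind):
    # Honour an id only for its issued kind: a sniffed insecure id must not open a secure store.
    entry = SESSION_DB.get(sid)
    return entry[1] if entry and entry[0] == kind else None

def browser_cookies(jar, is_https):  # cookies flagged Secure travel only over HTTPS
    return {k: v for k, (v, secure) in jar.items() if is_https or not secure}

class UnifiedSession:  # facade: a property lives in the session of the page that set it
    def __init__(self, insecure_id, secure_id, is_https):
        self.is_https = is_https
        self.insecure = lookup(insecure_id, "insecure")
        self.secure = lookup(secure_id, "secure") if is_https else None
    def __setitem__(self, key, value):
        (self.secure if self.is_https else self.insecure)[key] = value
    def get(self, key):  # secure pages see both stores, insecure pages only one
        store = self.secure if self.is_https and key in self.secure else self.insecure
        return store.get(key)

def open_session(sent, is_https):
    # Server side: validate presented ids, issue missing ones, return session + cookies to set.
    ins = sent.get("InsecureSessionId")
    if lookup(ins, "insecure") is None:
        ins = new_session_id("insecure")
    sec = sent.get("SecureSessionId") if is_https else None
    if is_https and lookup(sec, "secure") is None:
        sec = new_session_id("secure")
    cookies = {"InsecureSessionId": (ins, False)}  # (value, Secure flag)
    if is_https:
        cookies["SecureSessionId"] = (sec, True)
    return UnifiedSession(ins, sec, is_https), cookies

def scenario():
    jar = {}  # the legitimate user's browser
    s, c = open_session(browser_cookies(jar, False), False); jar.update(c)
    s["theme"] = "dark"                                # set on an insecure page
    s, c = open_session(browser_cookies(jar, True), True); jar.update(c)
    s["account_no"] = "12345678"                       # set on a secure page
    # Replaying the sniffed insecure id over HTTPS, in either cookie, only yields an empty secure store.
    stolen = jar["InsecureSessionId"][0]
    h, _ = open_session({"InsecureSessionId": stolen, "SecureSessionId": stolen}, True)
    return s.get("account_no"), h.get("theme"), h.get("account_no")
```

As the post itself notes, whatever is written on an insecure page (here "theme") remains readable to whoever holds the insecure ID; only the secure store is shielded.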