Secure Session Keys

Discussion in 'ASP General' started by David Dunson, Aug 10, 2003.

  1. David Dunson

    David Dunson Guest

    I would like to implement user authentication and session management for my
    applications. I've been using solution 1 (below) for most of my
    applications in the past since the target audience is mostly intranet based.
    Now that I'm creating a more global application, I want to use a method that
    does not require cookies, yet maintains a fairly high level of security and
    fault tolerance.

    Is there a better way to handle this problem? What method do the big
    Internet shopping companies use?

    Scenario:

    A user is authenticated and is given a session key. The session key is
    passed to the user in an HTML page and returned to the server using a query
    string. The user then copies the URL and gives it to his friend to see.
    Since the URL now contains the session key, how does the server distinguish
    between the authenticated user and his friend?

    Solution 1:

    Use an ASP session variable to store the session key between page requests.
    This solution requires that the client have session cookies enabled. If the
    session is not encrypted (i.e. SSL), the ASP session id is still passed in
    clear text and is vulnerable.

    Solution 2:

    Use a session key that identifies the location (IP address) of the user. If
    the submitted session key doesn't match the user's location, then the
    session key is invalid. The session key can be passed as part of the URL
    and does not require cookies. This method is vulnerable to IP spoofing, and
    breaks if the user is behind a NAT server, or web caching server that masks
    the true IP address.

    Solution 3:

    Have the session key returned to the server via an HTTP POST request. This
    method does not require cookies, but is clear text and vulnerable if the
    session is not encrypted. The session key is lost if the user navigates to
    a page manually issuing an HTTP GET request.
     
    David Dunson, Aug 10, 2003
    #1
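The shared-URL scenario and the IP-bound session key of solution 2, walked through in Python as an added example that is not from the original post (the SessionStore class, the demo function, the timeout value and the addresses are all constructed here); it also shows the two ways the binding misbehaves behind NAT or a proxy, which the post only names.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # constructed idle timeout for the demo


class SessionStore:
    """Server-side table keyed by a random session key carried in the URL."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._sessions = {}      # key -> {"user", "ip", "seen"}

    def create(self, user, client_ip):
        # 256 random bits from the OS CSPRNG: the key is a bearer credential,
        # so it must be unguessable, not a counter or a hash of the user name.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = {"user": user, "ip": client_ip, "seen": self._now()}
        return key

    def resolve(self, key, client_ip):
        """Return the user for a submitted key, or None if it is rejected."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if self._now() - entry["seen"] > SESSION_TTL_SECONDS:
            del self._sessions[key]      # idle too long: drop it server-side
            return None
        if entry["ip"] != client_ip:
            return None                  # key presented from another address
        entry["seen"] = self._now()
        return entry["user"]


def demo():
    """Run the forum scenario through the store and collect each outcome."""
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    key = store.create("alice", "203.0.113.10")   # issued to the real user
    results = {
        "owner": store.resolve(key, "203.0.113.10"),         # accepted
        "friend": store.resolve(key, "198.51.100.7"),        # rejected: other IP
        "nat_peer": store.resolve(key, "203.0.113.10"),      # accepted: friend
        "proxy_change": store.resolve(key, "203.0.113.11"),  #   behind same NAT
    }                                          # proxy_change: owner's address
    clock[0] += SESSION_TTL_SECONDS + 1        # shifted, so owner is rejected
    results["expired"] = store.resolve(key, "203.0.113.10")  # rejected: idle
    return results
```

The binding stops the copied URL only when the friend arrives from a different address; as the post says, it gives nothing when both sit behind one NAT and it logs out a legitimate user whose proxy address changes, and the key still needs SSL in transit.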