Session ID management

Discussion in 'ASP General' started by anoop, Jun 12, 2007.

  1. anoop

    anoop Guest

    Hello,
I am developing a simple ASP application with a login page. I
want to know how the session ID can be generated after the user has authenticated
instead of being generated along with the login page request. Also, the session ID must
be unique each time the user logs in. This is required so that session
hijacking and session fixation can be prevented. Do I have to use another
process instead of the general ASP session management? Please help.

    Thank you
     
    anoop, Jun 12, 2007
    #1

  2. "anoop" <> wrote in message
    news:...
    > Hello,
    > I am developing a simple ASP application with a login page. I
    > want to know how the session ID can be generated after the user has authenticated
    > instead of being generated along with the login page request. Also, the session ID
    > must be unique each time the user logs in. This is required so that session
    > hijacking and session fixation can be prevented. Do I have to use another
    > process instead of the general ASP session management? Please help.
    >
    > Thank you


    Bear in mind that simply assigning a session an ID doesn't make the session
    authentic.
    You can store some value in the session object after successful
    authentication which your other pages check before allowing other activity.

    A simple solution is to use https for the entire session. The cost is that a
    busy site can create a heavy load on the server, and a server can only
    support one https website (no host header site selection).

    I can't see how ASP's standard session management is vulnerable to a fixation
    attack.

    As to a hijacking, that would require a man in the middle or some locally
    installed network sniffing. In that case anything sent in the clear is
    vulnerable. If that is a serious concern then only https provides a serious
    level of protection.

    If https is not doable yet you're still seriously concerned about session
    hijacking, you could use your own cookie to hold a unique value which changes
    each request. All your pages would have to check the cookie value against the
    expected value stored in the session, then create a new value for the cookie
    and store that in the session. In that case an attacker would have to have
    the latest response in order to hijack, and such hijacking is less covert
    since it breaks the existing client activity.

    However the above doesn't protect from clever man-in-the-middle attacks, is
    complex to implement and can make the normal use of the application fragile.

    My guess is ultimately all you really are after is in my first paragraph ;)
     
    Anthony Jones, Jun 12, 2007
    #2

  3. "anoop" <> wrote in message
    news:...
    > Hello,
    > I am developing a simple ASP application with a login page. I
    > want to know how the session ID can be generated after the user has authenticated
    > instead of being generated along with the login page request. Also, the session ID
    > must be unique each time the user logs in. This is required so that session
    > hijacking and session fixation can be prevented. Do I have to use another
    > process instead of the general ASP session management? Please help.


    Sure ;)

    All about session management, ok, not all, but a lot about it below.

    If you really want to be sure that a session cookie is not hijacked, you
    should use SSL or regenerate a new cookie at each request, so that each
    session request must chain to the previous request.

    ISP Session supports that, and it requires less CPU stress than using
    SSL.

    --
    compatible web farm Session replacement for Asp and Asp.Net
    http://www.nieropwebconsult.nl/asp_session_manager.htm
     
    Egbert Nierop (MVP for IIS), Jun 12, 2007
    #3
