asp.net cookie security

smurph

In ASP, when we authenticate a user we insert a record in a table
containing data such as the client IP address and session id. The
session id representing this record in the database is appended to the
query string for each request. When a request is processed, the session
data in the database is compared to the client's session id and IP
address, and if it does not match then access is denied. This approach
prevents cookies from being stolen or sessions being hijacked from another
computer.

This solution seems to be implemented in many classic ASP sites, but I
have not seen a single ASP.NET site that has some kind of sessionID
appended in the query string for all requests. Does ASP.NET have some
extra security that makes this idea obsolete?
 
Cowboy (Gregory A. Beamer)

You can use the cookieless sessions, which will append the SessionID to the
URL, but that does not sound like what you are talking about.

As far as the second question goes, ASP.NET is more secure than ASP, but
there is nothing to stop hijacked session cookies. It is a rare hack,
however, as there are far too many houses that have the doors wide open.
Instituting SSL will eliminate the need as well, as the session cookie is
part of an encrypted stream.
 
bruce barker (sqlwork.com)

Also, storing the client IP address only works on local LANs with no
proxies/firewalls. With proxy servers (and NAT translation), several users
will have the same IP address, or the client's IP address may change on
different requests.

-- bruce (sqlwork.com)
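The thread describes the scheme in prose only, so here is a small, language-neutral model of it, written in Python as an added example (it is not code from the thread or from ASP/ASP.NET). It implements the session table the question describes, bound to the IP seen at login, and then runs the three request types the replies argue about: the same client, a copied id presented from another host, and the same user whose address changes between requests behind a proxy or NAT. The `SessionStore` class, the `run_scenarios` helper and the RFC 5737 test addresses are all constructed for this illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SessionRecord:
    user: str
    client_ip: str
    expires_at: float  # unix time


class SessionStore:
    """In-memory stand-in for the database table described in the thread:
    one record per authenticated user, keyed by session id and bound to the
    IP address seen at login (constructed model, not a real framework API)."""

    def __init__(self, ttl_seconds: int = 900, bind_to_ip: bool = True) -> None:
        self._records: Dict[str, SessionRecord] = {}
        self.ttl_seconds = ttl_seconds
        self.bind_to_ip = bind_to_ip

    def create(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        # 256 bits from the OS CSPRNG: an id is only as hard to guess as its entropy.
        session_id = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._records[session_id] = SessionRecord(user, client_ip, now + self.ttl_seconds)
        return session_id

    def validate(self, session_id: str, client_ip: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        record = self._records.get(session_id)
        if record is None:
            return False, "unknown session id"
        if now >= record.expires_at:
            del self._records[session_id]
            return False, "session expired"
        if self.bind_to_ip and record.client_ip != client_ip:
            # The check the question describes: the id is valid, but it is
            # being presented from a different address than the one at login.
            return False, "ip mismatch"
        return True, record.user

    def revoke(self, session_id: str) -> None:
        self._records.pop(session_id, None)


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests against one session, using RFC 5737 test addresses."""
    store = SessionStore(ttl_seconds=900, bind_to_ip=True)
    login_time = 1_700_000_000.0
    sid = store.create("alice", "198.51.100.7", now=login_time)
    return {
        # Same client, same address: allowed.
        "same_ip": store.validate(sid, "198.51.100.7", now=login_time + 10),
        # The same id presented from another host: denied by the IP binding.
        "other_host": store.validate(sid, "203.0.113.9", now=login_time + 20),
        # Same user behind a proxy pool whose egress address changed between
        # requests: also denied, which is the false positive bruce describes.
        "ip_changed_behind_proxy": store.validate(sid, "198.51.100.8", now=login_time + 30),
        # Id presented after the TTL: denied regardless of address.
        "expired": store.validate(sid, "198.51.100.7", now=login_time + 901),
    }


if __name__ == "__main__":
    for name, (allowed, detail) in run_scenarios().items():
        print(f"{name:24s} allowed={allowed!s:5s} {detail}")
```

Running it shows both halves of the argument at once: the binding rejects the id when it arrives from a second host, and it rejects the legitimate user whose proxy egress address moved. Constructing the store with `bind_to_ip=False` skips that comparison, leaving the short TTL and `revoke` to limit how long a leaked id stays useful, which is the trade-off the replies point at.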
 
