Help - Can I reuse existing session ID from email link?

N

Nanker

Our existing ASP.NET web application does store a session ID in the
cookies (ASP.Net_SessionID) for a logged in user. A new requirement has
been stated that we need to be able to send a customer an email with a
link to a specific page in the application, and if the user clicks on
the email link while they are logged in to the application, they will
be taken to that page in the application without having to log in.
Given this:

- Is this possible to read the session ID from the cookie for the
active login and reuse it for this other request?
- Is it possible to do this within the specific browser with which they
are already logged in or will a separate browser have to be created?

I've been trying to read up on the best overall approach to this
problem, and I thought that asking here would provide good feedback.
Your response is appreciated.

Thanks in advance
 
S

sloan

I don't think you can do that.
Or at best, its more drama then its worth.


My approach would be:

generate a guid (System.Guid.NewGuid().ToString() )

Keep a table that maps this guid to a user.

Have a special page that handles these guid inputs.

www.myapp.com/EntryPoint/GuidTaker.aspx

When sending them a URL, do this
www.myapp.com/EntryPoint/GuidTaker.aspx?loginuuid=aaabbbcccdddeeeaaabbbcccdd
deee

Read the database, find the user, set their credentails, redirect them.

You might even have:
www.myapp.com/EntryPoint/GuidTaker.aspx?page=aboutus&loginuuid=aaabbbcccddde
eeaaabbbcccdddeee

Where you have a few pages (like "aboutus" and it takes you to
"aboutus.aspx" or something like that).

Between the crossbrowser issue. And the fact that SessionID (I think) are
abandoned.....I don't think your approach is a good one.


You can add some logic to GuidTaker.aspx to track subsequent tries, if
they're trying an attack.

If security is an issue, then you can use 2 guids.
www.myapp.com/EntryPoint/GuidTaker.aspx?loginuuid=aaabbbcccdddeeeaaabbbcccdd
deee&checkuuid=eeefffeeeaaadddeeeecccdddeeebbbaaa&page=aboutus

The liklihood of guessing 2 guid's has to be out the roof.

You'll have to cleanup the table where you store the guid's and the userid
once in a while.

But this way, you can give the same user different entry points
 
?

=?ISO-8859-1?Q?G=F6ran_Andersson?=

You can read the value of the cookie and use it, for an example to
compare it to a value previously saved in the database. You can not use
the value as session id, though, the user will get a new session id as
it's a new session.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,906
Latest member
SkinfixSkintag

Latest Threads

Top