Chris
I have a security consultant group bashing Microsoft by stating that the way
IIS handles Session ID is flawed. They're asking me, once my users hit the
first ASP page pre-authentication, to destroy that session ID
(ASPSESSIONID) and re-assign one. How can that be done? It's read-only. And I
keep stating that this is in 128-bit SSL where the header is encrypted. Since
my code is coming from COM+ (VB 6.0) and I'm recycling to the same ASP page,
I cannot see a way to abandon the session, since I have items in the session
prior to login.
Is there a better approach?
Is there a way in COM+ VB to trick it by giving it a new page to reset the
session? I can abandon the session, but I won't get a new ID since the page is
not re-rendered. And during that grey area I'm setting more session values.
I'm running on a Win2K server with SP4 and the secureaspsessionid patch.
Thanks!
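The rotation the consultants are asking for is a session-fixation defence, and SSL does not help with it: the attacker plants the ASPSESSIONID cookie in the victim's browser before the victim logs in, so encrypting the channel the victim then uses changes nothing. The pattern below is an added example, not code from the original post or from Microsoft. It stashes the pre-login session values in Application under a one-time token, calls Session.Abandon, and redirects with a 302 so the browser makes a fresh request and IIS issues a new ASPSESSIONID; the landing page then pulls the values back into the new session. Assumptions: classic ASP/VBScript on IIS, hypothetical page names login.asp, login_continue.asp and home.asp, a hypothetical VerifyCredentials call standing in for the COM+ component, scalar (string/number) session values, and that IIS assigns a new ASPSESSIONID on the first request after Session.Abandon, which is exactly the point to verify on your own server by logging Session.SessionID on both pages.

```vbscript
<%
Option Explicit
' login.asp (hypothetical). Added example, not from the original post.
' Runs once the COM+ component has verified the credentials.

Function NewToken()
    ' Scriptlet.TypeLib hands out a GUID via CoCreateGuid (random on Win2K and
    ' later); strip the braces and the trailing nulls the string carries.
    Dim tl
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    NewToken = Mid(tl.Guid, 2, 36)
    Set tl = Nothing
End Function

Sub RotateSession(continueUrl)
    ' Each session value is parked as its own Application key: apartment-threaded
    ' objects such as Scripting.Dictionary cannot be stored in Application
    ' (ASP error 0197), so scalar values are assumed here.
    Dim token, key, prefix
    token = NewToken()
    prefix = "stash_" & token & "_"

    Application.Lock
    For Each key In Session.Contents
        Application(prefix & key) = Session.Contents(key)
    Next
    Application.Unlock

    ' Abandon kills the old session when this page finishes; the 302 makes the
    ' browser send a fresh request, which is when IIS hands out the new
    ' ASPSESSIONID. Server.Transfer would stay inside this request and not.
    Session.Abandon
    Response.Redirect continueUrl & "?t=" & Server.URLEncode(token)
End Sub

' --- login flow ---
Dim userOk
' Hypothetical stand-in for the COM+ (VB6) credential check.
userOk = VerifyCredentials(Request.Form("user"), Request.Form("pass"))
If userOk Then
    Session("pending_user") = Request.Form("user")
    RotateSession "login_continue.asp"
Else
    Response.Redirect "login.asp?err=1"
End If
%>

<%
Option Explicit
' login_continue.asp (hypothetical): the first request of the new session.

Function IsToken(t)
    ' Accept only the GUID shape we issued, so arbitrary input never reaches
    ' Application key names.
    Dim i
    IsToken = False
    If Len(t) <> 36 Then Exit Function
    For i = 1 To 36
        If InStr("0123456789ABCDEFabcdef-", Mid(t, i, 1)) = 0 Then Exit Function
    Next
    IsToken = True
End Function

Sub RestoreSession(token)
    Dim prefix, key, used
    prefix = "stash_" & token & "_"
    used = ""
    Application.Lock
    For Each key In Application.Contents
        If Left(key, Len(prefix)) = prefix Then
            Session(Mid(key, Len(prefix) + 1)) = Application.Contents(key)
            used = used & key & vbTab
        End If
    Next
    ' Remove after the loop; deleting while enumerating the collection is unsafe.
    ' The token is single-use: a replayed URL finds nothing to restore.
    For Each key In Split(used, vbTab)
        If key <> "" Then Application.Contents.Remove key
    Next
    Application.Unlock
End Sub

Dim t
t = Request.QueryString("t")
If Not IsToken(t) Then Response.Redirect "login.asp"
RestoreSession t
' An unset Session value is Empty, which compares equal to "" in VBScript.
If Session("pending_user") = "" Then Response.Redirect "login.asp"
Session("user") = Session("pending_user")
Session.Contents.Remove "pending_user"
' From here on Session.SessionID is the post-login ID; compare it with the
' value logged on login.asp to confirm the rotation actually happened.
Response.Redirect "home.asp"
%>
```

Two caveats for anyone adopting this: stashes whose landing request never arrives stay in Application until the application restarts, so add a timestamp key and reap old entries if that matters; and the authenticated marker (Session("user")) is deliberately set only on the landing page, after the new ID exists, so the session the attacker may have fixed never becomes an authenticated one.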