Hope Paka
I am storing user login information (not the password) in the session. I also
use cookieless sessions. I realized that if someone copy-pastes the URL
after he/she has logged in to the system to another person, the other person's
browser opens as if the sender were logged in.
1) Person A logs in to the system. (Login information is stored in SQL
Session state.)
2) Person A copy-pastes the URL and sends it to person B (the format of the
URL is http://domain/(sessionid)/XYZ.aspx).
3) When person B opens the URL, his/her window opens as if person A were
logged in to the system.
This is a security threat. I have overcome this by doing the following.
When a user logs in to the system, a login ticket is generated and
stored in the session. This login ticket contains two things: one is the
client IP address, the other is the user-agent.
Then at each request, I validate that the registered login ticket
information is the same.
If person A sends the URL to person B, then I assumed that person B's IP address
should be different from person A's.
I found an article on MSDN,
http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/ (Foiling Session
Hijacking Attempts). The way Jeff has done it is similar to the one that I
have done. Is this reliable? The only thing I wonder about is if the user's IP
address changes at each request!
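An added illustration of the login-ticket check described in the post (not the poster's code and not the MSDN article's), written in Python rather than ASP.NET so the logic runs stand-alone: the ticket is a keyed hash of client IP and User-Agent stored at login and recomputed on every request. SERVER_KEY, the session dict, the IP addresses and User-Agent strings are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret. A real deployment would load it from
# protected configuration; it is generated here only so the example runs.
SERVER_KEY = secrets.token_bytes(32)


def make_login_ticket(client_ip: str, user_agent: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the client fingerprint (IP address and User-Agent).

    Storing a keyed hash instead of the raw values keeps the fingerprint out of
    the session store and prevents a forged ticket without the server key.
    A NUL separator stops "1.2.3.4" + "Moz" colliding with "1.2.3." + "4Moz".
    """
    message = f"{client_ip}\x00{user_agent}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def login(session: dict, user_name: str, client_ip: str, user_agent: str) -> None:
    """Record the user and bind the session to the requesting client."""
    session["user"] = user_name
    session["login_ticket"] = make_login_ticket(client_ip, user_agent)


def validate_request(session: dict, client_ip: str, user_agent: str) -> bool:
    """Recompute the ticket for this request and compare in constant time."""
    stored = session.get("login_ticket")
    if stored is None:
        return False
    expected = make_login_ticket(client_ip, user_agent)
    return hmac.compare_digest(stored, expected)


def handle_request(session: dict, client_ip: str, user_agent: str) -> str:
    """Serve the request if the fingerprint matches; otherwise abandon the
    session so a copied URL cannot be reused, and report the rejection."""
    if not validate_request(session, client_ip, user_agent):
        session.clear()
        return "rejected"
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: A logs in, then B replays A's URL from elsewhere.
    sess = {}
    login(sess, "personA", "203.0.113.10", "Browser-A/1.0")
    print(handle_request(sess, "203.0.113.10", "Browser-A/1.0"))  # ok
    print(handle_request(sess, "198.51.100.7", "Browser-B/2.0"))  # rejected
```

The last assertion in the test reproduces the poster's own concern: a legitimate user whose IP address changes between requests fails the same check as the copied URL does.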