Velocity Reviews - Computer Hardware Reviews

asp.net cookie security

 
 
smurph
11-01-2006
In ASP, when we authenticate a user we insert a record in a table
containing data such as the client IP address and session id. The
session id representing this record in the database is appended to the
query string for each request. When a request is processed, the session
data in the database is compared to the client's session id and IP
address, and if it does not match then it's access denied. This approach
prevents cookies from being stolen or sessions hijacked from another
computer.

This solution seems to be implemented in many classic ASP sites, but I
have not seen a single ASP.NET site that has some kind of SessionID
appended in the query string for all requests. Does ASP.NET have some
extra security that makes this idea obsolete?

 
Cowboy (Gregory A. Beamer)
11-01-2006
You can use the cookieless sessions, which will append SessionID to the
URL, but that does not sound like what you are talking about.

As far as the second question goes, ASP.NET is more secure than ASP, but
there is nothing to stop hijacked session cookies. It is a rare hack,
however, as there are far too many houses that have the doors wide open.
Instituting SSL will eliminate the need as well, as the session cookie is
part of an encrypted stream.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com

*************************************************
Think outside of the box!
*************************************************
bruce barker (sqlwork.com)
11-01-2006
Also, storing the client IP address only works on local LANs with no
proxies/firewalls. With proxy servers (and NAT translation), several users
will have the same IP address, or the client's IP address may change on
different requests.

-- bruce (sqlwork.com)
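The session-table check smurph describes, together with the two failure modes bruce raises (a client's address changing between requests, and many clients sharing one NAT address), as an added example that is not code from this thread. It is a small in-memory stand-in for the database table; the IP addresses are constructed from the RFC 5737 documentation ranges, and the `SessionStore` class and scenario functions are hypothetical names chosen for the illustration.

```python
# Added example (not code from the thread): a server-side session table that
# optionally binds each session id to the client IP, as smurph describes, and
# two constructed scenarios showing why bruce's objection matters.
# IP addresses below are constructed from the RFC 5737 documentation ranges.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SessionRecord:
    """One row of the hypothetical session table: id, user and originating IP."""
    session_id: str
    user: str
    client_ip: str


class SessionStore:
    """In-memory stand-in for the database table the original post describes."""

    def __init__(self, bind_ip: bool = True) -> None:
        self.bind_ip = bind_ip
        self._records: Dict[str, SessionRecord] = {}

    def create(self, user: str, client_ip: str) -> str:
        # 256 bits from the OS CSPRNG: the session id is the real secret, so it
        # must be unguessable regardless of whether IP binding is on.
        session_id = secrets.token_urlsafe(32)
        self._records[session_id] = SessionRecord(session_id, user, client_ip)
        return session_id

    def validate(self, session_id: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid (id, ip) pair, or None to deny access."""
        record = self._records.get(session_id)
        if record is None:
            return None
        if self.bind_ip and record.client_ip != client_ip:
            return None
        return record.user

    def revoke(self, session_id: str) -> None:
        """Logout / server-side invalidation: the id stops working everywhere."""
        self._records.pop(session_id, None)


def rotating_proxy_scenario() -> Tuple[Optional[str], Optional[str]]:
    """Legitimate user whose requests leave through different proxy addresses.

    With IP binding on, the second request is denied even though it is the
    same user presenting the same valid session id (a false positive).
    """
    store = SessionStore(bind_ip=True)
    sid = store.create("alice", "203.0.113.10")
    first = store.validate(sid, "203.0.113.10")
    second = store.validate(sid, "203.0.113.11")  # next hop in the proxy pool
    return first, second


def shared_nat_scenario() -> bool:
    """Two users behind one NAT address.

    Returns True when the IP check accepts a session id presented from the
    shared address, i.e. the binding adds nothing over the secrecy of the id
    for anyone who shares that egress IP.
    """
    store = SessionStore(bind_ip=True)
    nat_ip = "198.51.100.7"
    sid_alice = store.create("alice", nat_ip)
    store.create("bob", nat_ip)
    return store.validate(sid_alice, nat_ip) == "alice"


if __name__ == "__main__":
    print("rotating proxy (bind_ip=True):", rotating_proxy_scenario())
    print("shared NAT accepts id from same address:", shared_nat_scenario())
```

Running it prints `("alice", None)` for the proxy case, which is the legitimate-user lockout bruce describes, and `True` for the NAT case, where the IP comparison is satisfied by every client behind the same address. Constructing the store with `bind_ip=False` gives the design the replies point toward instead: protection rests on an unguessable id, carried over SSL so it cannot be read in transit, plus server-side revocation.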