Velocity Reviews (ASP .Net newsgroup)

Major Security Issue

Amir Ghezelbash, 04-22-2004

Hi everyone,

I have a major MAJOR MAJOR problem.
OK, I have been using cookies for my site for a while, and now I have been
trying to use sessionless cookies because I find them much faster.
Anyway, now the problem:
With sessionless cookies, since the ID is embedded within the URL, every time
someone signs into their account and then logs out, if they send their link
to someone else, that other person can log into their account without
needing to know their user name and password. OK, let me show you what I mean
by example.
Here is my site; go to my site:

http://www.riseofkingdoms.org/rok

Now log in using UserName: d1 and password: dzl786.
You'll be taken to your page. Now go into the menu, go to Palac and
sign out, but before doing that copy the link in your browser. Now
sign out, close your browser and paste your link, and you'll be taken back
to your profile without needing to sign in.
Even if you send your link to someone else they will be able to sign in
without needing to log in. Here is the link from when I signed in; you can just
go to that account using this link, you don't need to sign in:

http://www.riseofkingdoms.org/rok/(c...5)/ROKGame/Rise_Of_Kingdoms/Home.aspx

This cannot be good.
I am sure there is a way around this, I mean I hope. Why is it doing
this?
I expire sessions when sign-out has been clicked: Session.Remove("UserName");

Any suggestions?
---
Best Regards
Amir

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Scott M., 04-22-2004

You are storing the user and password data in the cookie? There is your
security problem right there. Cookies are only as secure as the data you
put in them.

You should be storing the user names and passwords in a database and
authenticating users against that database. Also, since cookies can be
"turned off" at the client level, you should never build any functionality
into them that you aren't willing to lose.
Amir Ghezelbash, 04-23-2004

?
Did you even read my question?
No, I am not using cookies; passwords are saved in the database.

I am using cookieless sessions here.

---
Best Regards
Amir
Ken Schaefer, 04-23-2004

How are you expiring the session?

Cheers
Ken
Arthur Nesterovsky, 04-23-2004

Hi Amir,

> This cannot be good.
> I am sure there is a way around this, I mean I hope. Why is it doing
> this?
> I expire sessions when sign-out has been clicked: Session.Remove("UserName");

Do you check the existence of "UserName" in the Session object in every method
of your code? The real session will expire no earlier than 20 min, or whatever
you have specified for your application.

--
______________________________
With best wishes, Arthur Nesterovsky
Visit, please, my home page:
http://www.nesterovsky-bros.com


 
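The check Arthur describes, together with a sign-out that discards the server-side session instead of only one key, as an added example. It is not code from this thread or from the riseofkingdoms.org site. It assumes ASP.NET 1.1 Web Forms with cookieless sessions enabled in web.config; the class names, the Login.aspx path and the btnSignOut handler are assumptions made for the example.

```csharp
// Added example (not from the thread). Assumed web.config setting that puts
// the session ID into the URL path instead of a cookie:
//
//   <sessionState mode="InProc" cookieless="true" timeout="20" />
//
// With that setting a URL such as /rok/(xxxxxxxxxxxxxxxxxxxxxxxx)/Home.aspx
// carries the session ID, so whoever holds the URL holds the session until
// the server discards it (timeout or Session.Abandon()).

using System;
using System.Web;
using System.Web.UI;

// Base page for every protected page, so the Session["UserName"] check runs
// on every request rather than only on the login page.
public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Session.Remove("UserName") clears one key only. The session object,
        // and the ID embedded in the URL, stay valid until the timeout.
        // Checking the key on each request is what turns "key removed" into
        // "logged out" for any page that inherits from this class.
        if (Session["UserName"] == null)
        {
            // Assumed login page path.
            Response.Redirect("~/Login.aspx", true);
        }
    }

    protected string CurrentUser
    {
        get { return (string)Session["UserName"]; }
    }
}

// Assumed page holding the sign-out button mentioned in the thread.
public class PalacePage : ProtectedPage
{
    protected void btnSignOut_Click(object sender, EventArgs e)
    {
        // Sign-out as described in the thread: only the key goes away, the
        // session ID in any copied URL keeps working until timeout, and any
        // page that does not check Session["UserName"] still serves it.
        //   Session.Remove("UserName");

        // Stronger sign-out: empty the session and discard it. Abandon() takes
        // effect at the end of the current request, so redirect instead of
        // rendering anything further from this page.
        Session.Clear();
        Session.Abandon();
        Response.Redirect("~/Login.aspx", true);
    }
}
```

Two caveats a practitioner should keep in mind. First, ASP.NET will accept a session ID it no longer recognises and start a fresh, empty session under it, so after Abandon() the old URL still reaches the site; it is the per-request check in ProtectedPage that sends such a request back to the login page. Second, Abandon() only addresses the post-sign-out case. While the session is live, the URL itself is the credential: anything the user pastes into an e-mail or a forum, and any Referer header sent to an external site, hands the session to whoever reads it, which is the inherent cost of carrying the ID in the URL rather than in a cookie.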