Velocity Reviews - Computer Hardware Reviews

Patterns And Practices Security Checklists

 
 
A.M
      02-17-2004
Hi,

In Architecture and Design Review Security Checklist at following link:

http://msdn.microsoft.com/library/en...rame=true&_r=1

I don't understand the following two items:

1) Session state is protected from unauthorized access.
2) Session identifiers are not passed in query strings.

How can unauthorized access to session state happen, and why would I pass a
session identifier in a query string?

Thanks,
Ali


 
bruce barker
      02-17-2004
There are only a couple of ways to pass a session key:

1) in a cookie (ASP.NET)
2) in the URL
3) in a hidden field (though a URL is often required for bootstrap)

You're worried about how easy it is to hijack someone's session. In all the
above techniques the session key can be discovered by a network sniffer. So
now that I have the key, how easy is it to use? A sample of a bad session key
is an incrementing number; these are easy to hijack.


-- bruce (sqlwork.com)



"A.M" <> wrote in message
news:#...
> Hi,
>
> In Architecture and Design Review Security Checklist at following link:
>
> http://msdn.microsoft.com/library/en...es.asp?frame=true&_r=1
>
> I don't understand the following two items:
>
> 1) Session state is protected from unauthorized access.
> 2) Session identifiers are not passed in query strings.
>
> How can unauthorized access to session state happen, and why would I
> pass a session identifier in a query string?
>
> Thanks,
> Ali
>
>



 
Yan-Hong Huang[MSFT]
      02-18-2004
Hello Ali,

I agree with Bruce on it. For example, if a client browser doesn't
support/allow cookies, we can't store the session ID in a cookie. Under this
situation, some web sites will transfer the session ID through the URL. If
somebody hacked the session ID by using a network sniffer, he can visit the
web site using another person's identity.

Another concern is that cookies are sent between the browser and the server
as plain text, and anyone who can intercept your Web traffic can read the
cookie. You can set a cookie property that causes the cookie to be
transmitted only if the connection uses the Secure Sockets Layer (SSL, aka
https://). SSL does not protect the cookie from being read or manipulated
while it is on the user's computer, but it does prevent the cookie from
being intercepted in transit.

You can refer to the following article for some more info on it:
"Basics of Cookies in ASP.NET"
http://msdn.microsoft.com/library/de...us/dv_vstechart/html/vbtchaspnetcookies101.asp

Hope that helps.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! – www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
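As an added illustration of the two checklist items discussed in this thread (not code from the thread or from the MSDN checklist), here are the web.config settings that decide whether the session ID travels in the URL or in a cookie, and whether that cookie is sent over SSL only. It assumes ASP.NET 2.0 or later, where the httpCookies element and the cookieless="UseCookies" value exist; the two fragments are separate alternatives, not one document.

```xml
<!-- Weak: cookieless sessions embed the session ID in every URL, so it ends
     up in proxy logs, browser history and Referer headers, and (like any
     cookie sent over plain HTTP) can be read by a network sniffer. -->
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="true" timeout="20" />
  </system.web>
</configuration>

<!-- Hardened: keep the session ID in a cookie, send cookies only over SSL
     (requireSSL), and keep them away from client-side script (httpOnlyCookies).
     The whole site must be served over https, otherwise the browser never
     sends the session cookie and users lose their session. -->
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

requireSSL only covers the cookie in transit; as the reply above notes, it does nothing for a session ID that was already copied from a URL or from the user's machine.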

 