Velocity Reviews - Computer Hardware Reviews

Secure ASP.Net Sessions

Martin
Guest
09-03-2004
Hi,

I have a requirement for an ASP.Net application with both secure and
insecure pages. I want to have ASP.Net sessions used/shared by both types
of page.

The current implementation has used 2 ASP.Net applications, one secure and
one insecure, to avoid the insecure session ID (cookie based) being hijacked
and used to access secure https pages. This creates a number of headaches
for normal application development, and I can't believe that, with a
technology as mature as http(s) sessions, there isn't a more elegant
solution.

In an ideal world I want the application to also handle the cookieless
scenario.

In both cookie and cookieless scenarios, I would imagine a solution that
works something like the following (but I can't see any hint this has been
implemented in ASP.Net).


There should be 2 session IDs, one for insecure sessions and one for secure
sessions.
The insecure session ID is passed to both secure and insecure pages.
The secure session ID is passed only to secure pages.
(So far, I know cookies are capable of this behaviour with the secure cookie
property.)

Now, ASP.Net should expose a unified Session object as a set of properties,
some properties associated with the secure session, and some associated with
the insecure session.

Which properties belong to which session?
When a new property is set, it should be associated with the secure session
if it is set in a secure page, and associated with the insecure session if
set in an insecure page.

On secure pages, both secure and insecure properties are accessible. (The
accessor should not have to care which type of property they are accessing)
On insecure pages, only insecure properties should be accessible.

Obviously a careless programmer might set a sensitive property on an
insecure page, thus making that data open to a hack attack, but it is always
possible to write buggy code.



This is just an outline of my thoughts/expectations on this. Am I living in
a dream world, or does this actually exist? What is the design pattern for
secure/insecure ASP.Net applications that avoids session ID hijacking?


Thanks in advance.
Martin
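The scheme sketched above (two session IDs, the secure one carried only in a cookie flagged Secure, and one unified property bag whose writes land in the partition of the page type that made them), as an added Python model of the design; it is not ASP.NET code and not from anyone in this thread. The cookie names, the `token_urlsafe` IDs and the `demo()` walk-through are assumptions of the model.

```python
import secrets

PLAIN, SECURE = "PlainSessionId", "SecureSessionId"  # assumed names, not ASP.NET's

class Session:
    """Unified property bag: a write lands in the partition of the page that made it."""
    def __init__(self, plain, secure):
        self.plain, self.secure = plain, secure       # secure is None on http pages

    def __setitem__(self, key, value):
        (self.secure if self.secure is not None else self.plain)[key] = value

    def get(self, key):
        if self.secure is not None and key in self.secure:
            return self.secure[key]
        return self.plain.get(key)        # secure-only data is invisible on http

class Server:
    def __init__(self):
        self.tables = {PLAIN: {}, SECURE: {}}         # cookie name -> {id: props}

    def begin(self, is_https, cookies):
        """One request: returns (session view, Set-Cookie (name, value, secure) triples)."""
        parts, set_cookies = {}, []
        for name, flag in ((PLAIN, False), (SECURE, True)):
            if flag and not is_https:
                continue                              # secure id only issued over TLS
            sid = cookies.get(name)
            if sid not in self.tables[name]:          # missing/unknown id: new session
                sid = secrets.token_urlsafe(16)
                self.tables[name][sid] = {}
            parts[name] = self.tables[name][sid]
            set_cookies.append((name, sid, flag))     # flag = Secure attribute
        return Session(parts[PLAIN], parts.get(SECURE)), set_cookies

def cookies_for(jar, is_https):
    """Browser side: a cookie flagged Secure is sent only on https requests."""
    return {n: v for n, (v, s) in jar.items() if is_https or not s}

def demo():
    srv, jar = Server(), {}                           # jar: name -> (value, secure)
    s, sc = srv.begin(False, cookies_for(jar, False)); jar.update((n, (v, f)) for n, v, f in sc)
    s["theme"] = "dark"                   # set on an http page -> plain partition
    s, sc = srv.begin(True, cookies_for(jar, True)); jar.update((n, (v, f)) for n, v, f in sc)
    s["account"] = "acct-42"              # set on an https page -> secure partition
    on_https = (s.get("theme"), s.get("account"))
    on_http = srv.begin(False, cookies_for(jar, False))[0].get("account")
    # Only the plain id ever crossed http; replaying it alone over https yields a fresh, empty secure session.
    replay = srv.begin(True, cookies_for(jar, False))[0].get("account")
    return on_https, on_http, replay
```

`demo()` returns `(("dark", "acct-42"), None, None)`: the secure page sees both partitions, the insecure page and a replayed plain ID see no secure data.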

