Velocity Reviews - Computer Hardware Reviews
Newsgroups > Programming > ASP .Net > ASP .Net Security
ASP.Net 1.1 cookieless session security issue?

Stefan Hoffmann
09-28-2005
Hello everyone!

We are developing a webshop in asp.net. We did not want to use cookies
for session management, so we tried cookieless sessions.


This changes the URL requested to something like


http://.../WebApplication3/(xwa4n4a3.../WebForm1.aspx


Well, this -> (xwa4n4a3cr45h2idog25v355) is the session id. Someone
sniffing on the net can easily obtain this request and use it from
another computer. As long as the session still exists this someone will
have full access to all the user's information at this moment. I thought
at least it should be bound to an IP to prevent such attacks from other
networks than the one the user is using at the moment.


Another not really nice behaviour of the cookieless session management
is that you can reuse (or maybe better: inject?) session ids. When the
session has already expired and you use a link with a session id,
asp.net will create a new session - but use the old id.
Now - you can imagine what happens if someone posts such a link into a
forum or something (to e.g. show all his friends that there is a
wonderful cheap and extremely useful article in the webshop). They will
be shopping in a group (hey - nice feature :/)...
Additionally I don't have a clue how to prevent these ids from being
bookmarked. I don't really want every user in the shop to have his or her
own private session id.


Any proposals on how to circumvent these problems?
Maybe I just configured something really wrong?


Thanks in advance,
Stefan Hoffmann
PS: If you don't understand my English, ask and I will try to explain.
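The two abuses described in this post (a sniffed id replayed from another machine, and an id handed around via a link posted elsewhere) both leave a trace in the web server log, because in cookieless mode the id is part of the requested path. The following is an added example, not code from the thread or from ASP.NET: it parses the `/(sessionid)/` segment that ASP.NET 1.1 inserts into URLs and flags ids that are used from more than one client address, and ids that arrive through a Referer from a host other than the shop's own. The log format, the host name `shop.example` and every log line are constructed for the example; a real IIS W3C log has more fields and the `split` would need adjusting.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# ASP.NET 1.1 cookieless mode embeds the session id as a parenthesised path
# segment, e.g. /WebApplication3/(xwa4n4a3cr45h2idog25v355)/WebForm1.aspx.
# The ids are 24 characters of lower-case letters and digits.
SESSION_SEGMENT = re.compile(r"/\(([a-z0-9]{24})\)/")

# Constructed sample log in a reduced W3C style with the fields
# date time c-ip cs-method cs-uri-stem sc-status cs(Referer); "-" means empty.
# These lines are invented for the example and are not real traffic.
SAMPLE_LOG = """\
2005-09-28 10:00:01 10.0.0.5 GET /WebApplication3/(xwa4n4a3cr45h2idog25v355)/WebForm1.aspx 200 -
2005-09-28 10:00:09 10.0.0.5 GET /WebApplication3/(xwa4n4a3cr45h2idog25v355)/Basket.aspx 200 http://shop.example/WebApplication3/(xwa4n4a3cr45h2idog25v355)/WebForm1.aspx
2005-09-28 10:02:30 192.0.2.77 GET /WebApplication3/(xwa4n4a3cr45h2idog25v355)/Basket.aspx 200 -
2005-09-28 10:05:00 198.51.100.9 GET /WebApplication3/(abcdefghijklmnopqrstuvwx)/Article.aspx 200 http://forum.example/thread/123
2005-09-28 10:05:20 198.51.100.10 GET /WebApplication3/(abcdefghijklmnopqrstuvwx)/Article.aspx 200 http://forum.example/thread/123
2005-09-28 10:06:00 203.0.113.4 GET /WebApplication3/WebForm1.aspx 302 -
"""


def parse_line(line):
    """Split one log line into a dict; sid is None when the URL carries no id."""
    date, time, ip, method, uri, status, referer = line.split(" ", 6)
    match = SESSION_SEGMENT.search(uri)
    return {
        "ip": ip,
        "uri": uri,
        "sid": match.group(1) if match else None,
        "referer": None if referer == "-" else referer,
    }


def analyse(log_text, own_hosts):
    """Return two triage lists built from the log.

    multi_ip:         session ids requested from more than one client address
                      (the sniff-and-replay case from the post)
    external_referer: session ids that arrived via a link from a host outside
                      own_hosts (the id was bookmarked or posted on a forum)
    """
    ips_by_sid = defaultdict(set)
    external_by_sid = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry["sid"] is None:
            continue
        ips_by_sid[entry["sid"]].add(entry["ip"])
        if entry["referer"]:
            host = urlsplit(entry["referer"]).hostname
            if host and host not in own_hosts:
                external_by_sid[entry["sid"]].add(host)
    return {
        "multi_ip": {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1},
        "external_referer": {sid: sorted(hosts) for sid, hosts in external_by_sid.items()},
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG, {"shop.example"}).items():
        for sid, detail in hits.items():
            print(f"{kind}: {sid} -> {detail}")
```

The multi-address signal is a triage hint rather than proof: users behind rotating proxies or NAT pools legitimately change address within one session, which is also why binding a session to an IP, as the post suggests, locks some real users out. The external-Referer signal is cleaner, since a session id should never be delivered to the site by a link on someone else's page.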




Dennis Vroegop
09-28-2005
In article <>, s.hoffmann@d-s-a-g.de says...
> Hello everyone!
>
> We are developing a webshop in asp.net. We did not want to use cookies
> for session management, so we tried cookieless sessions.
>
>

This is a well-known shortcoming. At the last PDC in Los Angeles this
was demonstrated by Microsoft employees themselves. It's very easy for
someone to fake a session-id and suddenly find himself in someone else's
session. That's not what we want!

There is a good article on this at
http://www.developer.com/net/vb/article.php/2216431 where you can find
more information about this and how to prevent this from happening. It's
a good article so I won't try to replicate it here. Just read it (No,
I am not the author of that article nor do I get paid for advertising
it)

Good luck!
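To make the two policies concrete, here is an added example that is not ASP.NET code and not from the linked article: a small in-memory session store that models what the original post observed (a new session is created under an expired or never-issued id that arrives in the URL) next to the hardened policy (an unknown or expired id is discarded and a fresh one is minted), with the client binding the poster asked about as an option. Class and method names, the timeout values and the id format are this example's own assumptions.

```python
import secrets
import time


class SessionStore:
    """Toy session store illustrating how an id arriving in the URL is handled.

    reuse_expired=True  : adopt the supplied id for a new session
                          (the ASP.NET 1.1 behaviour described in the thread)
    reuse_expired=False : ignore the supplied id and mint a fresh one
    bind_to_client      : additionally tie each session to the client address
                          it was created from (the check the poster suggested)
    """

    def __init__(self, timeout_seconds, reuse_expired, bind_to_client=False):
        self.timeout = timeout_seconds
        self.reuse_expired = reuse_expired
        self.bind_to_client = bind_to_client
        self._sessions = {}  # sid -> {"client": ip, "last_seen": t, "data": {}}

    @staticmethod
    def _new_id():
        # 24 random hex characters; ASP.NET uses its own alphabet and generator.
        return secrets.token_hex(12)

    def _create(self, sid, client, now):
        self._sessions[sid] = {"client": client, "last_seen": now, "data": {}}
        return sid

    def resolve(self, url_sid, client, now=None):
        """Return (session id the request runs under, reason string)."""
        now = time.time() if now is None else now
        session = self._sessions.get(url_sid) if url_sid else None
        if session is not None and now - session["last_seen"] > self.timeout:
            del self._sessions[url_sid]  # expired: forget it
            session = None
        if session is None:
            if url_sid and self.reuse_expired:
                # Fixation path: whoever chose this id now shares the session.
                return self._create(url_sid, client, now), "adopted-supplied-id"
            return self._create(self._new_id(), client, now), "fresh-id"
        if self.bind_to_client and session["client"] != client:
            # Same id from another address: refuse it and start a new session
            # for this client; the original session stays with its owner.
            return self._create(self._new_id(), client, now), "client-mismatch"
        session["last_seen"] = now
        return url_sid, "resumed"


if __name__ == "__main__":
    stale = "xwa4n4a3cr45h2idog25v355"   # id copied from an old link
    legacy = SessionStore(timeout_seconds=1200, reuse_expired=True)
    print("legacy  :", legacy.resolve(stale, "10.0.0.5", now=1000))
    print("legacy  :", legacy.resolve(stale, "192.0.2.77", now=1010))
    hardened = SessionStore(timeout_seconds=1200, reuse_expired=False, bind_to_client=True)
    sid, why = hardened.resolve(stale, "10.0.0.5", now=1000)
    print("hardened:", sid, why)
    print("hardened:", hardened.resolve(sid, "192.0.2.77", now=1010))
```

In the legacy mode the shared id is adopted and a second address resumes the same basket, which is the "shopping in a group" effect from the first post; in the hardened mode the supplied id is never trusted and a second address gets its own session. Later ASP.NET versions (2.0 onward) expose the first half of this as the `regenerateExpiredSessionId` attribute of `sessionState`; ASP.NET 1.1 has no such switch, so there the practical answer is the one in the article above or cookie-based sessions. Client binding remains a trade-off: it stops replay from another network but also breaks users whose address changes mid-session.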