Velocity Reviews - Computer Hardware Reviews

Cookieless Sessions (Sessions Without Cookies) and Security

 
 
scottymo
 
      09-29-2006
My research to this point indicates that cookieless sessions have two
main drawbacks:
1.) Absolute paths cannot be used without a workaround for the session
id storage in the URL.

2.) A security hole is opened due to the visibility of the session id
in the URL.

Are there any other drawbacks?

Number 2 is my main concern. To overcome the security risk with
cookieless sessions, couldn't I simply track the initial IP of the
client, and verify that against all requests? That way, if someone on
another box tried to spoof the session, I would be able to kick them
out due to the IP difference.

Thoughts? Other possible solutions to the security risk with cookieless
sessions?

 
 
 
 
 
Dominick Baier
 
      09-29-2006
IP tracking is not reliable - proxies and routers can change the source IP
- even while working with the application.

You have to live with that problem.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> My research to this point indicates that cookieless sessions have two
> main drawbacks:
> 1.) Absolute paths cannot be used without a workaround for the session
> id storage in the URL.
> 2.) A security hole is opened due to the visibility of the session id
> in the URL.
>
> Are there any other drawbacks?
>
> Number 2 is my main concern. To overcome the security risk with
> cookieless sessions, couldn't I simply track the initial IP of the
> client, and verify that against all requests? That way, if someone on
> another box tried to spoof the session, I would be able to kick them
> out due to the IP difference.
>
> Thoughts? Other possible solutions to the security risk with
> cookieless sessions?
>



 
 
 
 
 
scottymo
 
      09-29-2006
Thanks for the quick reply.

Some suggest that SSL is the cure-all for cookieless sessions. I did
not want to do this initially, but if it will allow the secure use of
cookieless sessions, it may be the only option. What are your thoughts?
Does SSL close the security gaps opened by cookieless sessions, or at
least make them as secure as sessions with cookies?

Here is another thought: are sessions with cookies really that much
more secure than cookieless sessions? If someone knows how to obtain
your URL from a remote location, that same person can probably spoof
your cookie.

 
 
Dominick Baier
 
      09-29-2006
You always have to use SSL if you care about the data on the wire!

If someone can sniff your connection (no SSL) - there is no difference between
cookies and cookieless security-wise.

Cookieless sessions have different (additional) problems:

- session fixation (someone sends you a link with a pre-generated session)
- users copy & paste the session URL and send it, e.g. via mail
- the id is visible in the browser (screenshots etc.)

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Thanks for the quick reply.
>
> Some suggest that SSL is the cure-all for cookieless sessions. I did
> not want to do this initially, but if it will allow the secure use of
> cookieless sessions, it may be the only option. What are your
> thoughts? Does SSL close the security gaps opened by cookieless
> sessions, or at least make them as secure as sessions with cookies?
>
> Here is another thought: are sessions with cookies really that much
> more secure than cookieless sessions? If someone knows how to obtain
> your URL from a remote location, that same person can probably spoof
> your cookie.
>
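The session-fixation problem Dominick lists above is the one that a cookieless deployment can actually engineer around, so here is an added example (constructed for this thread, not ASP.NET's own code and not anything the posters wrote). It models URL-carried session ids in the ASP.NET `/(S(id))/page.aspx` form and shows the two server-side rules that neutralise a planted link: the store honours only ids it issued itself (a stand-in for what `regenerateExpiredSessionId` does for unknown or expired ids), and the id is reissued at the moment the user authenticates, so whatever id rode in on the link is retired before it ever represents a logged-in user. The class and function names, the 20-minute idle timeout and the "victim" user are all assumptions made for the illustration.

```python
"""Model of cookieless (URL-carried) sessions with fixation defences.

Constructed example for the thread above; nothing here is ASP.NET's own
implementation. The URL shape /(S(<id>))/page.aspx only mirrors what
ASP.NET's cookieless mode emits."""
import re
import secrets

# Leading path segment that carries the id, e.g. /(S(abc123))/login.aspx
_ID_SEGMENT = re.compile(r"^/\(S\(([A-Za-z0-9_-]{1,64})\)\)(?=/|$)")


def extract_session_id(path):
    """Return the id embedded in a cookieless path, or None if there is none."""
    m = _ID_SEGMENT.match(path)
    return m.group(1) if m else None


def embed_session_id(path, sid):
    """Rewrite path so it carries sid, replacing any id already present."""
    bare = _ID_SEGMENT.sub("", path) or "/"
    return "/(S(%s))%s" % (sid, bare)


class CookielessSessionStore:
    """Server-side store keyed by id; the id itself is the only secret."""

    def __init__(self, idle_timeout=20 * 60):   # assumed 20-minute idle timeout
        self._sessions = {}   # id -> {"user": str|None, "last_seen": float, "data": dict}
        self.idle_timeout = idle_timeout

    def create(self, now):
        sid = secrets.token_urlsafe(24)   # 192 random bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": now, "data": {}}
        return sid

    def resolve(self, path, now):
        """Return (sid, session, rewritten_path) for an incoming request.

        An id the server never issued, or one that has idled out, is not
        honoured: a fresh session is created and the caller redirects to
        rewritten_path. This denies an attacker any id of their own choosing."""
        sid = extract_session_id(path)
        sess = self._sessions.get(sid)
        if sess is not None and now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            sess = None
        if sess is None:
            sid = self.create(now)
            sess = self._sessions[sid]
        sess["last_seen"] = now
        return sid, sess, embed_session_id(path, sid)

    def authenticate(self, sid, user, now):
        """Log a user in under a *new* id and retire the old one.

        Reissuing the id here is what defeats fixation: even if the victim
        followed a link carrying an id the attacker obtained from this very
        server, the attacker's copy is dead the moment the victim logs in."""
        self._sessions.pop(sid, None)
        new_sid = self.create(now)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


def fixation_scenario():
    """Replay the case from the thread: a valid id is planted in a link, the
    victim follows it and logs in. Reports whether the planted id ever becomes
    an authenticated session (it must not)."""
    store = CookielessSessionStore()
    planted_sid, _, _ = store.resolve("/login.aspx", now=0.0)      # id issued by the server
    planted_link = embed_session_id("/login.aspx", planted_sid)    # the pre-generated link
    victim_sid, _, _ = store.resolve(planted_link, now=10.0)       # victim's request carries it
    assert victim_sid == planted_sid                               # accepted, as the link intended
    logged_in_sid = store.authenticate(victim_sid, "victim", now=11.0)
    return {
        "planted_id_authenticated": store.user_for(planted_sid) is not None,
        "new_id_authenticated": store.user_for(logged_in_sid) == "victim",
        "id_changed_on_login": logged_in_sid != planted_sid,
    }
```

The second rule (reissue on login) is the one that needs explicit application code in ASP.NET; the first is configuration. Neither addresses the other two items in the list, the id being visible in screenshots and in pasted URLs, which is why the same defence applies there: keep the window in which a given id is valid short and never let an id that was ever exposed survive a privilege change.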