Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP General > Secure Session Keys

Reply
Thread Tools

Secure Session Keys

 
 
David Dunson
Guest
Posts: n/a
 
      08-10-2003
I would like to implement user authentication and session management for my
applications. I've been using solution 1 (below) for most of my
applications in the past since the target audience is mostly intranet based.
Now that I'm creating a more global application, I want to use a method that
does not require cookies, yet maintain a farily high level of security and
fault tolerance.

Is there a better way to handle this problem? What method does the big
Internet shopping companies use?

Scenario:

A user is authenticated and is given a session key. The session key is
passed to the user in an HTML page and returned to the server using a query
string. The user then copies the URL and gives it to his friend to see.
Since the URL now contains the session key, how does the server distinguish
between the authenticated user and his friend?

Solution 1:

Use an ASP session variable to store the session key between page requests.
This solution requires that the client have session cookies enabled. If the
session is not encrypted (i.e. SSL), the ASP session id is still passed via.
clear text, and is vulnerable.

Solution 2:

Use a session key that identifies the location (IP address) of the user. If
the submitted session key doesn't match the user's location, then the
session key is invalid. The session key can be passed as part of the URL
and does not require cookies. This method is vulnerable to IP spoofing, and
breaks if the user is behind a NAT server, or web caching server that masks
the true IP address.

Solution 3:

Have the session key returned to the server via an HTTP POST request. This
method does not require cookies, but is clear text and vulnerable if the
session is not encrypted. The session key is lost if the user navigates to
a page manually issuing an HTTP GET request.


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Secure your digital information assets with Secure Auditor. SecureWindows with Secure Auditor alannis.albert@googlemail.com Cisco 0 04-14-2008 06:53 AM
Secure your digital information assets with Secure Auditor SecureWindows with Secure Auditor alannis.albert@googlemail.com Cisco 0 04-14-2008 06:52 AM
Share session between secure and non-secure applications Joe ASP .Net 5 12-13-2005 01:49 PM
Sharing Session state over secure / non-secure requests Daniel Malcolm ASP .Net 0 01-24-2005 04:45 PM



Advertisments