Session ID management

 
 
anoop
      06-12-2007
Hello,
I am developing a Simple ASP Application with a Login page. I
want to know how session ID can be generated after User has authenticated
instead of generation along with the Login page request. Also Session ID must
be unique each time the user logs in. This is required so that Session
Hijacking and Session Fixation could be prevented. Should I have to use other
process instead of General ASP Session Management. Please Help

Thank you
 
Anthony Jones
      06-12-2007

"anoop" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
> I am developing a Simple ASP Application with a Login page. I
> want to know how session ID can be generated after User has authenticated
> instead of generation along with the Login page request. Also Session ID
> must
> be unique each time the user logs in. This is required so that Session
> Hijacking and Session Fixation could be prevented. Should I have to use
> other
> process instead of General ASP Session Management. Please Help
>
> Thank you


Bear in mind that simply assigning a session an ID doesn't make the session
authentic.
You can store some value in the session object after successful
authentication which your other pages check before allowing other activity.

A simple solution is to use https for the entire session. The cost is that a
busy site can create a heavy load on the server, and a server can only
support one https website (no host header site selection).

I can't see how ASP's standard session management is vulnerable to a fixation
attack.

As to hijacking, that would require a man in the middle or some locally
installed network sniffing. In that case anything sent in the clear is
vulnerable. If that is a serious concern then only https provides a serious
level of protection.

If https is not doable yet you're still seriously concerned about session
hijacking, you could use your own cookie to hold a unique value which changes
each request. All your pages would have to check the cookie value against the
expected value stored in the session, then create a new value for the cookie
and store that in the session. In that case an attacker would have to have
the latest response in order to hijack, and such hijacking is less covert
since it breaks the existing client activity.

However, the above doesn't protect from clever man-in-the-middle attacks, is
complex to implement and can make the normal use of the application fragile.

My guess is that ultimately all you are really after is in my first paragraph.
 
Egbert Nierop (MVP for IIS)
      06-12-2007

"anoop" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
> I am developing a Simple ASP Application with a Login page. I
> want to know how session ID can be generated after User has authenticated
> instead of generation along with the Login page request. Also Session ID
> must
> be unique each time the user logs in. This is required so that Session
> Hijacking and Session Fixation could be prevented. Should I have to use
> other
> process instead of General ASP Session Management. Please Help


Sure

All about session management, ok, not all, but a lot about it below.

If you really want to be sure that a session cookie is not hijacked, you
should use SSL or regenerate a new cookie at each request, so that each
session request must chain to the previous request.

ISP Session supports that, and it requires less CPU stress than using
SSL.

--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm
