Ask a Question related to ASP.NET Security, Design and Development.
-
Dave #1
Hijack Session
Has anyone seen any good examples of how to stop someone
from stealing the session id to hijack the session?
Thanks...
Dave Guest
-
Chris Jackson #2
Re: Hijack Session
Well, the only way to really do this is to prevent somebody from getting the
session id in the first place - this is the danger of cookieless session
state, where it is in the URL for all to see. Once somebody has the ID,
there isn't anything you can do to differentiate that person from the
legitimate user. If information is extremely sensitive, then don't use
persistent cookies (so they won't be sitting on disk) and use HTTPS so it's
encrypted over the wire. Require authentication again when you get to
something particularly sensitive.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--
"Dave" <anonymous@discussions.microsoft.com> wrote in message
news:014e01c3d60d$9ca9abb0$a301280a@phx.gbl...
> Has anyone seen any good examples of how to stop someone
> from stealing the session id to hijack the session?
>
> Thanks...
Chris Jackson Guest
-
Keith #3
Hijack Session
An approach I'm considering is to:
1. Store the source IP and user agent
2. Compare the request IP and user agent on each page to
the session ID
3. Not use cookieless sessions
4. Not persist the ticket
This will give me the security I need to get ASP.Net
working in my organization.
>-----Original Message-----
>Has anyone seen any good examples of how to stop someone
>from stealing the session id to hijack the session?
>
>Thanks...
>.
Keith Guest
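Keith's numbered approach, worked through as an added example that is not code from this thread: an IHttpModule for classic ASP.NET (System.Web) that records the client's IP address and User-Agent when a session is first used, compares them on every later request, and on a mismatch abandons the session and forces a fresh login. The module and session key names are made up here, and the IP check assumes clients reach the server directly; behind proxies, NAT or mobile carriers the source address changes legitimately, so that part of the check can lock out real users and is best made optional.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module name. Binds an ASP.NET session to the client's IP
// address and User-Agent (Keith's steps 1 and 2) on every request.
public class SessionBindingModule : IHttpModule
{
    private const string IpKey = "__bind_ip";   // constructed session key names
    private const string UaKey = "__bind_ua";

    public void Init(HttpApplication app)
    {
        // Session state is only available after request state has been acquired.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (ctx.Session == null) return;   // this handler does not use session state
        string ip = ctx.Request.UserHostAddress ?? string.Empty;
        string ua = ctx.Request.UserAgent ?? string.Empty;

        if (ctx.Session[IpKey] == null)
        {
            // First request that touches this session: record the binding.
            ctx.Session[IpKey] = ip;
            ctx.Session[UaKey] = ua;
            return;
        }

        bool sameIp = string.Equals((string)ctx.Session[IpKey], ip, StringComparison.Ordinal);
        bool sameUa = string.Equals((string)ctx.Session[UaKey], ua, StringComparison.Ordinal);
        if (sameIp && sameUa) return;

        // Mismatch: treat the session as hijacked. Drop server-side state, expire the
        // session cookie so the old ID is not reused, clear the forms-auth ticket and
        // force a fresh login (Chris's "require authentication again").
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty) { Expires = DateTime.UtcNow.AddYears(-1) });
        FormsAuthentication.SignOut();
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, false);
        app.CompleteRequest();   // stop the pipeline; the page handler must not run
    }
}
```

Register the module under `<system.web><httpModules>` in web.config and pair it with `<sessionState cookieless="UseCookies" />` plus `<httpCookies httpOnlyCookies="true" requireSSL="true" />`, which covers Keith's steps 3 and 4 and Chris's advice to keep the ID out of the URL and off the wire in the clear.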