A.M #1
Patterns And Practices Security Checklists
Hi,
In Architecture and Design Review Security Checklist at following link:
[url]http://msdn.microsoft.com/library/en-us/dnnetsec/html/CL_ArchDes.asp?frame=true&_r=1[/url]
I don't understand following two items:
1) Session state is protected from unauthorized access.
2) Session identifiers are not passed in query strings.
How an unauthorized access to session state can happen and why would I pass
session identifier in query string ?
Thanks,
Ali
-
bruce barker #2
Re: Patterns And Practices Security Checklists
there are only a couple of ways to pass a session key
1) in a cookie (asp.net)
2) in the url
3) hidden field (though a url is often required for bootstrap)
you're worried about how easy it is to hijack someone's session. in all the
above techniques the session key can be discovered by a network sniffer. so
now that i have the key, how easy is it to use. a sample of a bad session key
is an incrementing number, these are easy to hijack.
-- bruce (sqlwork.com)
"A.M" <IHateSpam@sapm123.com> wrote in message
news:#FN9LBZ9DHA.3648@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> In Architecture and Design Review Security Checklist at following link:
> [url]http://msdn.microsoft.com/library/en-us/dnnetsec/html/CL_ArchDes.asp?frame=true&_r=1[/url]
>
> I don't understand following two items:
>
> 1) Session state is protected from unauthorized access.
> 2) Session identifiers are not passed in query strings.
>
> How an unauthorized access to session state can happen and why would I pass
> session identifier in query string ?
>
> Thanks,
> Ali
>
-
Yan-Hong Huang[MSFT] #3
RE: Patterns And Practices Security Checklists
Hello Ali,
I agree with Bruce on it. For example, if a client browser doesn't
support/allow cookies, we can't store the session in a cookie then. Under this
situation, some web sites will transfer the session ID through the URL. If somebody
hacked the session ID by using a network sniffer, he can visit the web site by
using another person's identity.
Another concern is that cookies are sent between browser and server as
plain text, and anyone who can intercept your Web traffic can read the
cookie. You can set a cookie property that causes the cookie to be
transmitted only if the connection uses the Secure Sockets Layer (SSL, aka
https://). SSL does not protect the cookie from being read or manipulated
while it is on the user's computer, but it does prevent the cookie from
being intercepted in transit.
You can refer to the following article for some more info on it:
"Basics of Cookies in ASP.NET"
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/vbtchaspnetcookies101.asp[/url]
Hope that helps.
Best regards,
Yanhong Huang
Microsoft Community Support
Get Secure! - [url]www.microsoft.com/security[/url]
This posting is provided "AS IS" with no warranties, and confers no rights.
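An added example, not from the thread or from Microsoft, for the two points Bruce and Yanhong raise (session IDs carried in the URL are exposed to anyone who can see the traffic or the logs, and incrementing session keys are easy to guess): a small Python check that scans IIS-style log lines for session identifiers in the query string or in the `/(id)/` and `/(S(id))/` path forms ASP.NET uses for cookieless sessions, and flags identifiers that are just a counter. The log lines, their field layout and the query parameter names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not from the thread); assumed field layout:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-03-01 10:00:01 GET /app/default.aspx - 200
2004-03-01 10:00:02 GET /app/(S(abc123def456))/cart.aspx - 200
2004-03-01 10:00:03 GET /app/cart.aspx sessionid=1001 200
2004-03-01 10:00:04 GET /app/cart.aspx sessionid=1002 200
2004-03-01 10:00:05 GET /app/cart.aspx sessionid=1003 200
"""

# Matches the ASP.NET cookieless path segment: /(id)/ (1.x) or /(S(id))/ (2.0+)
COOKIELESS_RE = re.compile(r"/\((?:S\()?([A-Za-z0-9]+)\)\)?/")
# Assumed query-string parameter names that commonly carry a session id
QUERY_KEYS = {"sessionid", "sid", "jsessionid", "phpsessid"}


def find_session_ids_in_urls(log_text):
    """Return (line_no, where, value) for every session id carried in a URL."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6:
            continue  # skip blank or malformed lines
        stem, query = parts[3], parts[4]
        m = COOKIELESS_RE.search(stem)
        if m:
            hits.append((n, "path", m.group(1)))
        if query != "-":
            for key, values in parse_qs(query).items():
                if key.lower() in QUERY_KEYS:
                    hits.extend((n, "query", v) for v in values)
    return hits


def looks_sequential(ids):
    """True if every id is an integer and each differs from the previous by at most 10.
    Such keys are exactly the 'incrementing number' Bruce warns about."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False  # non-numeric ids cannot be a plain counter
    return len(nums) >= 2 and all(0 < b - a <= 10 for a, b in zip(nums, nums[1:]))


if __name__ == "__main__":
    found = find_session_ids_in_urls(SAMPLE_LOG)
    for line_no, where, value in found:
        print(f"line {line_no}: session id in {where}: {value}")
    print("sequential ids:", looks_sequential([v for _, w, v in found if w == "query"]))
```

Any hit at all means the identifier is visible in proxy and web-server logs as well as on the wire; a sequential result means it is also guessable without sniffing.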