#1
April 16th, 2007, 08:05 AM
anoop

preventing Session ID replay attack

Hello,
I am developing a simple ASP website with a login page. I want to
know how I can change the Session ID after login and also close the current
Session after the user closes the window or gets logged out of the website, so
that every time the user logs in to the website, the Session ID will be unique.

Thank you.
#2
April 16th, 2007, 09:15 AM
Evertjan.

Re: preventing Session ID replay attack

anoop wrote on 16 apr 2007 in
microsoft.public.inetserver.asp.general:

> I am developing a Simple ASP Website with a login page. I want to
> know how can I change Session ID after login

You cannot, simply because changing the session.id would end the session per
definition.

> and also Close the
> current Session after User closes the Window or gets logged out of the
> Website.

Use session.abandon if you have to, or empty the
session("login") value if so designed.

... however you cannot reliably trust the closing of window to be reported.
It depends on the browser used, the closing of the computer, or if someone
trips over the mains connection or internet connection.

> So that every time user logs in into the website, Session ID
> will be unique.

The session.id is unique as delivered by the system, better than once in a
lifetime at least.


--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
#3
April 17th, 2007, 08:35 AM
michal

Re: preventing Session ID replay attack

To release all used sessions:
session.abandon()
http://msdn.microsoft.com/library/de...b92ebbbc31.asp
but this won't reset the session id ... (as far as I know)

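The replies above say the session ID cannot be changed at login and that session.abandon does not reset it. A common way to cope with that is to bind the login to a second, random cookie issued at authentication time and checked on every request. The following is an added example, not code from any poster, written as a model in Python rather than ASP; the names SessionStore, AuthToken and demo are hypothetical and the session ID is a constructed sample.

```python
import hmac
import secrets

AUTH_COOKIE = "AuthToken"  # hypothetical name for the second cookie


class SessionStore:
    """Server-side state keyed by a session ID that stays the same across login."""

    def __init__(self):
        self._sessions = {}

    def login(self, session_id, user):
        """After the password check succeeds, mint a fresh token for this login."""
        token = secrets.token_urlsafe(32)
        # Replace, not update: nothing stored before login survives it.
        self._sessions[session_id] = {"user": user, "token": token}
        return {AUTH_COOKIE: token}  # set as its own cookie (Secure, HttpOnly)

    def current_user(self, session_id, cookies):
        """Treat the request as logged in only if it carries the login token."""
        state = self._sessions.get(session_id, {})
        expected = state.get("token", "")
        presented = cookies.get(AUTH_COOKIE, "")
        if expected and hmac.compare_digest(expected.encode(), presented.encode()):
            return state["user"]
        return None

    def logout(self, session_id):
        """Like emptying session("login"): the token issued at login stops working."""
        self._sessions.pop(session_id, None)


def demo():
    store = SessionStore()
    sid = "ASPSESSIONID-constructed-sample"  # constructed; already known before login
    cookie = store.login(sid, "alice")
    results = {
        "id_only": store.current_user(sid, {}),          # session ID alone
        "id_and_token": store.current_user(sid, cookie),  # ID plus login token
    }
    store.logout(sid)
    results["after_logout"] = store.current_user(sid, cookie)
    results["token_rotates"] = store.login(sid, "alice")[AUTH_COOKIE] != cookie[AUTH_COOKIE]
    return results


if __name__ == "__main__":
    print(demo())
```

In an ASP page the same idea means storing the token in a Session variable at login and comparing it with the second cookie at the top of every protected page.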
