473,849 Members | 1,811 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Change ASPSessionID

How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests user
id and password. An ASPSessionID is assigned for this page. Once the user
is authenticated by valid id/pwd, the second page starts the real
applicaiton. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I do
that in ASP?

Thanks.
Joseph
Jul 22 '05 #1
27 12347
The sessionID is like a surrogate key, its value has no real meaning and I
have no idea why you need them to be different.


"Joseph Shoe" <Joseph Sh**@discussion s.microsoft.com> wrote in message
news:AC******** *************** ***********@mic rosoft.com...
How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests
user
id and password. An ASPSessionID is assigned for this page. Once the
user
is authenticated by valid id/pwd, the second page starts the real
applicaiton. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I
do
that in ASP?

Thanks.
Joseph

Jul 22 '05 #2
ASP maintains the same sessionID for the duration of a session, whether the
user has passed the authentication. The sessionID can be used by someone to
gain access to the part of a sessoin that is considered authenticated, i.e.,
session fixation attachs.

It is a good practice that the server changes the session ID after a user is
sucessfully authenticated.

"Aaron Bertrand [SQL Server MVP]" wrote:
The sessionID is like a surrogate key, its value has no real meaning and I
have no idea why you need them to be different.


"Joseph Shoe" <Joseph Sh**@discussion s.microsoft.com> wrote in message
news:AC******** *************** ***********@mic rosoft.com...
How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests
user
id and password. An ASPSessionID is assigned for this page. Once the
user
is authenticated by valid id/pwd, the second page starts the real
applicaiton. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I
do
that in ASP?

Thanks.
Joseph


Jul 22 '05 #3
> session fixation attachs.

I have no idea what this is. But have you ever tried to fake out or
impersonate a session?
It is a good practice that the server changes the session ID after a user
is
sucessfully authenticated.


So the user changes to some other SessionID. Whoopty-doo. If a malicious
user has the ability to impersonate a specific sessionID then certainly they
would be able to impersonate an "authentica ted" one.

How and why are you relying on sessionID to allow access to certain parts of
the application? Why not a variable like Session("authen ticated")?
Jul 22 '05 #4
It is session fixation attacKs. Sorry for the typo.

"If a malicious user has the ability to impersonate a specific sessionID
then certainly they would be able to impersonate an "authentica ted" one."
Not necessary, if the sessionID is changed for the authenticated part of the
session.

"How and why are you relying on sessionID to allow access to certain parts
of the application?" I don't, ASP does. I'm hoping to find an ASP
function call that allows me to change the value of ASPSessionID.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in message
news:O3******** *****@TK2MSFTNG P09.phx.gbl...
session fixation attachs.


I have no idea what this is. But have you ever tried to fake out or
impersonate a session?
It is a good practice that the server changes the session ID after a user
is
sucessfully authenticated.


So the user changes to some other SessionID. Whoopty-doo. If a malicious
user has the ability to impersonate a specific sessionID then certainly
they would be able to impersonate an "authentica ted" one.

How and why are you relying on sessionID to allow access to certain parts
of the application? Why not a variable like Session("authen ticated")?

Jul 22 '05 #5
> Not necessary, if the sessionID is changed for the authenticated part of
the session.
Sorry, but I have been working with ASP for 10 years, and this still does
not make any sense to me.
"How and why are you relying on sessionID to allow access to certain parts
of the application?" I don't, ASP does.
How does ASP in and of itself know absolutely anything about different parts
of your application?
I'm hoping to find an ASP function call that allows me to change the value
of ASPSessionID.


Sorry, this is read only. Even if you could change it, I am still 100%
unclear as to what you would have hoped to accomplish.
Jul 22 '05 #6
I think what Aaron was saying is that if a hacker can grab the
"unauthenticate d" session id and impersonate a session then they would be
able to grab the "authentica ted" one as well. What are you doing to protect
the "authentica ted" id that you cannot do for the "unauthenticate d" one?

As far as I know, the only way that a session id changes is if the client's
browser is closed and restarted (or if session cookies are disabled, in
which case you have to do something else anyway).

--
--Mark Schupp
"Joe Hsu" <Jo*****@earthl ink.net> wrote in message
news:vw******** *********@newsr ead1.news.pas.e arthlink.net...
It is session fixation attacKs. Sorry for the typo.

"If a malicious user has the ability to impersonate a specific sessionID
then certainly they would be able to impersonate an "authentica ted" one."
Not necessary, if the sessionID is changed for the authenticated part of
the session.

"How and why are you relying on sessionID to allow access to certain parts
of the application?" I don't, ASP does. I'm hoping to find an ASP
function call that allows me to change the value of ASPSessionID.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in
message news:O3******** *****@TK2MSFTNG P09.phx.gbl...
session fixation attachs.


I have no idea what this is. But have you ever tried to fake out or
impersonate a session?
It is a good practice that the server changes the session ID after a
user is
sucessfully authenticated.


So the user changes to some other SessionID. Whoopty-doo. If a
malicious user has the ability to impersonate a specific sessionID then
certainly they would be able to impersonate an "authentica ted" one.

How and why are you relying on sessionID to allow access to certain parts
of the application? Why not a variable like Session("authen ticated")?


Jul 22 '05 #7
As I understand it, the ASPSessionID is used as a reference to all session
variables maintained by ASP for each session. If anybody gains the sessionID
from the unauthenticated screen, they will be able to use it to gain access
to the sesion data I maintain during the subsequent authenticated session.
BTW, it is not difficult to see the pattern of the ASPSessionID of any given
site.

The whitepaper in SANS on "Secure Session Mangement" has the following
advice on page 16:
"9. Force Server-side Session ID Creation
The server should never assume the value of a session ID that is given
before login. Instead the server mush create a unique session ID after the
user successfully authenticates (a strict web application). This will foil
session fixatin attacks."

Again, I'm looking for any ASP API to change the SessionID. If it is not
available, then I'll need to find other means.

Thanks!
"Mark Schupp" wrote:
I think what Aaron was saying is that if a hacker can grab the
"unauthenticate d" session id and impersonate a session then they would be
able to grab the "authentica ted" one as well. What are you doing to protect
the "authentica ted" id that you cannot do for the "unauthenticate d" one?

As far as I know, the only way that a session id changes is if the client's
browser is closed and restarted (or if session cookies are disabled, in
which case you have to do something else anyway).

--
--Mark Schupp
"Joe Hsu" <Jo*****@earthl ink.net> wrote in message
news:vw******** *********@newsr ead1.news.pas.e arthlink.net...
It is session fixation attacKs. Sorry for the typo.

"If a malicious user has the ability to impersonate a specific sessionID
then certainly they would be able to impersonate an "authentica ted" one."
Not necessary, if the sessionID is changed for the authenticated part of
the session.

"How and why are you relying on sessionID to allow access to certain parts
of the application?" I don't, ASP does. I'm hoping to find an ASP
function call that allows me to change the value of ASPSessionID.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in
message news:O3******** *****@TK2MSFTNG P09.phx.gbl...
session fixation attachs.

I have no idea what this is. But have you ever tried to fake out or
impersonate a session?

It is a good practice that the server changes the session ID after a
user is
sucessfully authenticated.

So the user changes to some other SessionID. Whoopty-doo. If a
malicious user has the ability to impersonate a specific sessionID then
certainly they would be able to impersonate an "authentica ted" one.

How and why are you relying on sessionID to allow access to certain parts
of the application? Why not a variable like Session("authen ticated")?



Jul 22 '05 #8
> As I understand it, the ASPSessionID is used as a reference to all session
variables maintained by ASP for each session. If anybody gains the
sessionID
from the unauthenticated screen, they will be able to use it to gain
access
to the sesion data I maintain during the subsequent authenticated session.
Can you please demonstrate either of these two parts.

I have never seen a demonstration of guessing or sniffing a currently active
sessionID, much less impersonating it.
"9. Force Server-side Session ID Creation
The server should never assume the value of a session ID that is given
before login. Instead the server mush create a unique session ID after
the
user successfully authenticates (a strict web application). This will
foil
session fixatin attacks."


I think you're chasing the wrong squirrel up the wrong tree. I think they
are talking about authenticating here via e.g. Windows Authentication, not
some silly login form in your own app. Your own web application is only as
strong as you make it.

Do you understand the statement that changing the SessionID is not going to
make your application any more secure?
Jul 22 '05 #9
Thank you for replies. For confidentiality , I could not reveal more than
what I've stated so far. I'll need to look elsewhere. BTW, there is no
"silly login form" in the application.

"Aaron Bertrand [SQL Server MVP]" wrote:
As I understand it, the ASPSessionID is used as a reference to all session
variables maintained by ASP for each session. If anybody gains the
sessionID
from the unauthenticated screen, they will be able to use it to gain
access
to the sesion data I maintain during the subsequent authenticated session.


Can you please demonstrate either of these two parts.

I have never seen a demonstration of guessing or sniffing a currently active
sessionID, much less impersonating it.
"9. Force Server-side Session ID Creation
The server should never assume the value of a session ID that is given
before login. Instead the server mush create a unique session ID after
the
user successfully authenticates (a strict web application). This will
foil
session fixatin attacks."


I think you're chasing the wrong squirrel up the wrong tree. I think they
are talking about authenticating here via e.g. Windows Authentication, not
some silly login form in your own app. Your own web application is only as
strong as you make it.

Do you understand the statement that changing the SessionID is not going to
make your application any more secure?

Jul 22 '05 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
3897
by: J.C. Flores | last post by:
Hello all, First of all, I must state that I'm new to SQL Server, but have been a long-time software guy for quite some time. Please excuse the potential simplicity of the solution to my problem. I create a blank database (TestDB) under my server machine (SQL Server 2000 Standard)... I then create a new table (Run_Number) with only one record in it.
1
3228
by: Spike | last post by:
Hello! Im going to make a javascript for changing alot of images. But im not sure how to do it., where to start.. Ok, first.. this is the isue. I have 3 images(I call them 1a-3a). when u click on image 1a u change" image x" to image 1a when u click on image 2a u change" image x" to image 2a when u click on image 3a u change" image x" to image 3a
0
1835
by: beanweed | last post by:
BACKGROUND ---------- I have an ASP.NET application having two panels. In one panel, an XML document, transformed using xsl, is displayed. In the other panel are some controls that allow a user to change the xml. For example, each "l_item" element appears as a row in a table labelled with a "label"; so if I have <l_item id="1"> <label>blah</label> ...
5
7132
by: Hank | last post by:
My Access 2000 code has been running for several years in our main plant. Now we need to install it, as a stand-along application, at remote sites, some of which are out of state. My problem is the printer destination for special reports such as stickers and mailing labels. The Mailing Label report is, of course, designed here for a specific printer (Mailing Label). At another site, the name could be completely different. Other than...
10
9903
by: Fabrizio | last post by:
(Sorry for the crosspost, but I really don't know which is the right newsgroup!) Hi all, I try to change the password to a user that as to change the password at first logon: try {
4
4459
by: active | last post by:
It appears to me that if I change the Control's client size the controls size does not change to agree with the new size. Does it work like the VB6 ScaleWidth and ScaleHeight? That is after I change the Clientsize does the display stay the same but the number of units required to reference a given point changes? Anyway, it appears to me that If I want to change to size of the control so that the client size is some value, I need to...
3
3381
by: mike.biang | last post by:
I am using the XMLHTTP object to request a page from within another ASP page. For my scenario, the two pages should operate in the same session. However, when I request the second page, a new session is created. This makes sense since it is coming from a different client (the XMLHTTP object as opposed to my browser). I've tried to pass the ASPSESSIONID cookie along with the XMLHTTP post, but every time I pass the valid cookie, the...
11
7465
by: Simon | last post by:
Dear reader, The syntax for the VBA code to change the RowSource of a Master Report is: Me.RowSource = "TableOrQueryName"
1
16459
by: monkey1001 | last post by:
my program is suppose to show my due change and i got it working but my change and coins are wrong how can i improve it thank you..(its supposed to be in java)
0
9738
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
11005
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10665
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
10349
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
9501
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
7894
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
7070
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
1
4544
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
4139
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.