
Change ASPSessionID

How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests user
id and password. An ASPSessionID is assigned for this page. Once the user
is authenticated by valid id/pwd, the second page starts the real
application. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I do
that in ASP?

Thanks.
Joseph
Jul 22 '05 #1
The sessionID is like a surrogate key, its value has no real meaning and I
have no idea why you need them to be different.


"Joseph Shoe" <Joseph Sh**@discussion s.microsoft.com> wrote in message
news:AC******** *************** ***********@mic rosoft.com...
How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests
user
id and password. An ASPSessionID is assigned for this page. Once the
user
is authenticated by valid id/pwd, the second page starts the real
applicaiton. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I
do
that in ASP?

Thanks.
Joseph

Jul 22 '05 #2
ASP maintains the same sessionID for the duration of a session, whether or
not the user has passed authentication. The sessionID can be used by someone
to gain access to the part of a session that is considered authenticated,
i.e., session fixation attacks.

It is a good practice that the server changes the session ID after a user is
successfully authenticated.

"Aaron Bertrand [SQL Server MVP]" wrote:
The sessionID is like a surrogate key, its value has no real meaning and I
have no idea why you need them to be different.


"Joseph Shoe" <Joseph Sh**@discussion s.microsoft.com> wrote in message
news:AC******** *************** ***********@mic rosoft.com...
How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests
user
id and password. An ASPSessionID is assigned for this page. Once the
user
is authenticated by valid id/pwd, the second page starts the real
applicaiton. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I
do
that in ASP?

Thanks.
Joseph


Jul 22 '05 #3
> session fixation attacks.

I have no idea what this is. But have you ever tried to fake out or
impersonate a session?

> It is a good practice that the server changes the session ID after a user
> is successfully authenticated.

So the user changes to some other SessionID. Whoopty-doo. If a malicious
user has the ability to impersonate a specific sessionID then certainly they
would be able to impersonate an "authenticated" one.

How and why are you relying on sessionID to allow access to certain parts of
the application? Why not a variable like Session("authenticated")?
Jul 22 '05 #4
It is session fixation attacKs. Sorry for the typo.

"If a malicious user has the ability to impersonate a specific sessionID
then certainly they would be able to impersonate an "authenticated" one."
Not necessary, if the sessionID is changed for the authenticated part of the
session.

"How and why are you relying on sessionID to allow access to certain parts
of the application?" I don't, ASP does. I'm hoping to find an ASP
function call that allows me to change the value of ASPSessionID.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in message
news:O3******** *****@TK2MSFTNG P09.phx.gbl...
session fixation attachs.


I have no idea what this is. But have you ever tried to fake out or
impersonate a session?
It is a good practice that the server changes the session ID after a user
is
sucessfully authenticated.


So the user changes to some other SessionID. Whoopty-doo. If a malicious
user has the ability to impersonate a specific sessionID then certainly
they would be able to impersonate an "authentica ted" one.

How and why are you relying on sessionID to allow access to certain parts
of the application? Why not a variable like Session("authen ticated")?

Jul 22 '05 #5
> Not necessary, if the sessionID is changed for the authenticated part of
> the session.

Sorry, but I have been working with ASP for 10 years, and this still does
not make any sense to me.

> "How and why are you relying on sessionID to allow access to certain parts
> of the application?" I don't, ASP does.

How does ASP in and of itself know absolutely anything about different parts
of your application?

> I'm hoping to find an ASP function call that allows me to change the value
> of ASPSessionID.

Sorry, this is read only. Even if you could change it, I am still 100%
unclear as to what you would have hoped to accomplish.
Jul 22 '05 #6
I think what Aaron was saying is that if a hacker can grab the
"unauthenticated" session id and impersonate a session then they would be
able to grab the "authenticated" one as well. What are you doing to protect
the "authenticated" id that you cannot do for the "unauthenticated" one?

As far as I know, the only way that a session id changes is if the client's
browser is closed and restarted (or if session cookies are disabled, in
which case you have to do something else anyway).

--
--Mark Schupp
"Joe Hsu" <Jo*****@earthl ink.net> wrote in message
news:vw******** *********@newsr ead1.news.pas.e arthlink.net...
It is session fixation attacKs. Sorry for the typo.

"If a malicious user has the ability to impersonate a specific sessionID
then certainly they would be able to impersonate an "authentica ted" one."
Not necessary, if the sessionID is changed for the authenticated part of
the session.

"How and why are you relying on sessionID to allow access to certain parts
of the application?" I don't, ASP does. I'm hoping to find an ASP
function call that allows me to change the value of ASPSessionID.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in
message news:O3******** *****@TK2MSFTNG P09.phx.gbl...
session fixation attachs.


I have no idea what this is. But have you ever tried to fake out or
impersonate a session?
It is a good practice that the server changes the session ID after a
user is
sucessfully authenticated.


So the user changes to some other SessionID. Whoopty-doo. If a
malicious user has the ability to impersonate a specific sessionID then
certainly they would be able to impersonate an "authentica ted" one.

How and why are you relying on sessionID to allow access to certain parts
of the application? Why not a variable like Session("authen ticated")?


Jul 22 '05 #7
As I understand it, the ASPSessionID is used as a reference to all session
variables maintained by ASP for each session. If anybody gains the sessionID
from the unauthenticated screen, they will be able to use it to gain access
to the session data I maintain during the subsequent authenticated session.
BTW, it is not difficult to see the pattern of the ASPSessionID of any given
site.

The whitepaper in SANS on "Secure Session Management" has the following
advice on page 16:
"9. Force Server-side Session ID Creation
The server should never assume the value of a session ID that is given
before login. Instead the server must create a unique session ID after the
user successfully authenticates (a strict web application). This will foil
session fixation attacks."

Again, I'm looking for any ASP API to change the SessionID. If it is not
available, then I'll need to find other means.

Thanks!
"Mark Schupp" wrote:
I think what Aaron was saying is that if a hacker can grab the
"unauthenticate d" session id and impersonate a session then they would be
able to grab the "authentica ted" one as well. What are you doing to protect
the "authentica ted" id that you cannot do for the "unauthenticate d" one?

As far as I know, the only way that a session id changes is if the client's
browser is closed and restarted (or if session cookies are disabled, in
which case you have to do something else anyway).

--
--Mark Schupp
"Joe Hsu" <Jo*****@earthl ink.net> wrote in message
news:vw******** *********@newsr ead1.news.pas.e arthlink.net...
It is session fixation attacKs. Sorry for the typo.

"If a malicious user has the ability to impersonate a specific sessionID
then certainly they would be able to impersonate an "authentica ted" one."
Not necessary, if the sessionID is changed for the authenticated part of
the session.

"How and why are you relying on sessionID to allow access to certain parts
of the application?" I don't, ASP does. I'm hoping to find an ASP
function call that allows me to change the value of ASPSessionID.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in
message news:O3******** *****@TK2MSFTNG P09.phx.gbl...
session fixation attachs.

I have no idea what this is. But have you ever tried to fake out or
impersonate a session?

It is a good practice that the server changes the session ID after a
user is
sucessfully authenticated.

So the user changes to some other SessionID. Whoopty-doo. If a
malicious user has the ability to impersonate a specific sessionID then
certainly they would be able to impersonate an "authentica ted" one.

How and why are you relying on sessionID to allow access to certain parts
of the application? Why not a variable like Session("authen ticated")?



Jul 22 '05 #8
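Added example, not code from this thread or from ASP itself: a toy Python session store that shows the two defences discussed above. `login_rotate` does what the SANS advice in post #8 asks for (a fresh id at login, the pre-login id retired), and `login_bind_token` is the fallback for a framework whose session id is read-only: the id stays, but the authenticated data is gated behind a second random token issued only after login, in the spirit of Aaron's `Session("authenticated")` suggestion. All names and the store itself are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class SessionData:
    user: Optional[str] = None        # None until login succeeds
    auth_token: Optional[str] = None  # secondary token, issued only at login

class SessionStore:
    """Toy server-side session table keyed by session id (constructed stand-in)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SessionData] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # pre-login id, handed to any visitor
        self._sessions[sid] = SessionData()
        return sid

    def login_rotate(self, old_sid: str, user: str) -> str:
        """Preferred fix: fresh id at login, old id retired, so an id learned
        before login never resolves to the authenticated session."""
        data = self._sessions.pop(old_sid)  # old id stops resolving here
        data.user = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def login_bind_token(self, sid: str, user: str) -> str:
        """Workaround for a read-only framework id: keep sid, add a login-time token."""
        data = self._sessions[sid]
        data.user = user
        data.auth_token = secrets.token_urlsafe(32)
        return data.auth_token

    def authenticated_user(self, sid: str, token: Optional[str] = None) -> Optional[str]:
        """Map a request to its logged-in user, or None if it must be rejected."""
        data = self._sessions.get(sid)
        if data is None or data.user is None:
            return None
        if data.auth_token is not None:  # token-bound session: token is mandatory
            if token is None or not secrets.compare_digest(data.auth_token, token):
                return None
        return data.user

def rotation_scenario() -> Tuple[Optional[str], Optional[str]]:
    """(result with the pre-login id, result with the post-login id)."""
    store = SessionStore()
    pre_sid = store.new_session()
    post_sid = store.login_rotate(pre_sid, "alice")
    return store.authenticated_user(pre_sid), store.authenticated_user(post_sid)

def token_scenario() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """(id alone, id + login token, id + wrong token) against one fixed id."""
    store = SessionStore()
    sid = store.new_session()
    token = store.login_bind_token(sid, "alice")
    return (store.authenticated_user(sid), store.authenticated_user(sid, token),
            store.authenticated_user(sid, "wrong-token"))
```

In a real deployment the login-time token would travel in its own Secure cookie and be compared on every protected page, exactly like the framework id is today.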
> As I understand it, the ASPSessionID is used as a reference to all session
> variables maintained by ASP for each session. If anybody gains the
> sessionID from the unauthenticated screen, they will be able to use it to
> gain access to the session data I maintain during the subsequent
> authenticated session.

Can you please demonstrate either of these two parts.

I have never seen a demonstration of guessing or sniffing a currently active
sessionID, much less impersonating it.

> "9. Force Server-side Session ID Creation
> The server should never assume the value of a session ID that is given
> before login. Instead the server must create a unique session ID after
> the user successfully authenticates (a strict web application). This will
> foil session fixation attacks."

I think you're chasing the wrong squirrel up the wrong tree. I think they
are talking about authenticating here via e.g. Windows Authentication, not
some silly login form in your own app. Your own web application is only as
strong as you make it.

Do you understand the statement that changing the SessionID is not going to
make your application any more secure?
Jul 22 '05 #9
Thank you for replies. For confidentiality, I could not reveal more than
what I've stated so far. I'll need to look elsewhere. BTW, there is no
"silly login form" in the application.

"Aaron Bertrand [SQL Server MVP]" wrote:
As I understand it, the ASPSessionID is used as a reference to all session
variables maintained by ASP for each session. If anybody gains the
sessionID
from the unauthenticated screen, they will be able to use it to gain
access
to the sesion data I maintain during the subsequent authenticated session.


Can you please demonstrate either of these two parts.

I have never seen a demonstration of guessing or sniffing a currently active
sessionID, much less impersonating it.
"9. Force Server-side Session ID Creation
The server should never assume the value of a session ID that is given
before login. Instead the server mush create a unique session ID after
the
user successfully authenticates (a strict web application). This will
foil
session fixatin attacks."


I think you're chasing the wrong squirrel up the wrong tree. I think they
are talking about authenticating here via e.g. Windows Authentication, not
some silly login form in your own app. Your own web application is only as
strong as you make it.

Do you understand the statement that changing the SessionID is not going to
make your application any more secure?

Jul 22 '05 #10
