Bytes | Software Development & Data Engineering Community

Change ASPSessionID

How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests user
id and password. An ASPSessionID is assigned for this page. Once the user
is authenticated by valid id/pwd, the second page starts the real
application. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I do
that in ASP?

Thanks.
Joseph
Jul 22 '05
How about this scenario (multi-user PC) ?

1. User A attempts to log in, has no valid UN/PW but is able to grab the
value of the SessionId using (eg.) a js bookmarklet
2. User B logs in (on the same PC, before the session has timed out) and
begins using the application.

Can user A now access user B's session from another PC by setting a session
cookie to the same value they captured in Step 1 ? Seems to me that they
might be able to...

--
Tim Williams
Palo Alto, CA
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in message
news:uG******** ******@TK2MSFTN GP15.phx.gbl...
As I understand it, the ASPSessionID is used as a reference to all session
variables maintained by ASP for each session. If anybody gains the sessionID
from the unauthenticated screen, they will be able to use it to gain access
to the session data I maintain during the subsequent authenticated session.
Can you please demonstrate either of these two parts.

I have never seen a demonstration of guessing or sniffing a currently active sessionID, much less impersonating it.
"9. Force Server-side Session ID Creation
The server should never assume the value of a session ID that is given
before login. Instead the server must create a unique session ID after the
user successfully authenticates (a strict web application). This will foil
session fixation attacks."
I think you're chasing the wrong squirrel up the wrong tree. I think they
are talking about authenticating here via e.g. Windows Authentication, not
some silly login form in your own app. Your own web application is only
as strong as you make it.

Do you understand the statement that changing the SessionID is not going to make your application any more secure?

Jul 22 '05 #11
Gazing into my crystal ball I observed "Tim Williams" <saxifrax at
pacbell dot net> writing in news:eE******** ******@TK2MSFTN GP10.phx.gbl:
How about this scenario (multi-user PC) ?

1. User A attempts to log in, has no valid UN/PW but is able to grab
the value of the SessionId using (eg.) a js bookmarklet
2. User B logs in (on the same PC, before the session has timed out)
and begins using the application.

Can user A now access user B's session from another PC by setting a
session cookie to the same value they captured in Step 1 ? Seems to me
that they might be able to...


The problem is that if someone really wants to break in, they will. And
sometimes, things just happen. For example, there's a PC at the bank so
you can look up your account information online. Sometimes (a lot of
times), people forget to logout when they're done, and the bank doesn't
automatically log you out for inactivity for 5 minutes. Someone can get
a lot of information in 5 minutes.

--
Adrienne Boswell
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
Jul 22 '05 #12
If someone really wants to break into your car they will.
Doesn't mean it's not worth locking your doors.

Tim.

--
Tim Williams
Palo Alto, CA
"Adrienne" <ar********@sbc global.net> wrote in message
news:Xn******** *************** *****@207.115.6 3.158...
Gazing into my crystal ball I observed "Tim Williams" <saxifrax at
pacbell dot net> writing in news:eE******** ******@TK2MSFTN GP10.phx.gbl:
How about this scenario (multi-user PC) ?

1. User A attempts to log in, has no valid UN/PW but is able to grab
the value of the SessionId using (eg.) a js bookmarklet
2. User B logs in (on the same PC, before the session has timed out)
and begins using the application.

Can user A now access user B's session from another PC by setting a
session cookie to the same value they captured in Step 1 ? Seems to me
that they might be able to...


The problem is that if someone really wants to break in, they will. And
sometimes, things just happen. For example, there's a PC at the bank so
you can look up your account information online. Sometimes (a lot of
times), people forget to logout when they're done, and the bank doesn't
automatically log you out for inactivity for 5 minutes. Someone can get
a lot of information in 5 minutes.

--
Adrienne Boswell
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

Jul 22 '05 #13
> Can user A now access user B's session from another PC by setting a
> session cookie to the same value they captured in Step 1 ?


No, because (a) I don't think JS has the ability to read a server-side
sessionID, even if the author of the web page would put it there, and (b)
you can't access user B's session just by changing your cookie.
Jul 22 '05 #14
alert(document.cookie);

works if I remember correctly. The cookie can be set in similar
fashion (eg) using a js bookmarklet. Since you would then have the
"correct" SessionId why couldn't you access the other session?

Tim.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in
message news:u1******** ******@TK2MSFTN GP10.phx.gbl...
Can user A now access user B's session from another PC by setting a
session
cookie to the same value they captured in Step 1 ?


No, because (a) I don't think JS has the ability to read a
server-side sessionID, even if the author of the web page would put
it there, and (b) you can't access user B's session just by changing
your cookie.

Jul 22 '05 #15
> works if I remember correctly. The cookie can be set in similar fashion
> (eg) using a js bookmarklet. Since you would then have the "correct"
> SessionId


Well, let me know exactly how you plan to do it. See if you can set a
session variable for a browser on one machine, get the cookie without having
access to the ASP file(s) directly, then use another machine and fiddle with
the cookie however you see fit, and see if you can retrieve the session
variable on machine B that was set for the user on machine A.

My experiments in the past have proved to me that it will not work.

In any case, even if the above were to work, a malicious user would have to
have access to the first user's session to get their sessionID at all, and
if they can do that, why not just continue their session?
Jul 22 '05 #16
So said so done. Exactly as described.

Opened login page on PC1, copied sessionid cookie name/value to text
file. Then logged in on PC1 using a known UN/PW.

Few minutes later on PC2, used an "edit cookie" bookmarklet to create
the session cookie from PC1, and was able to bypass the login page and
go directly to a "protected" page. This page would normally (on
seeing there is no "logged in=yes" session variable) redirect me to
the login page but in this case the session from PC1 is referenced due
to the copied cookie.

Bookmarklet for editing the session cookie was from here:
http://visitjesper.homeip.net/bookmarklets.html

However unlikely the scenario, it has to be admitted to be possible
(and not that difficult either). That is the only point I'm trying to
make here.
Easy to prevent just by adding another session cookie on login and
checking for both that *and* the session variable, rather than relying
only on the session variable.

Tim.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in
message news:uU******** ******@TK2MSFTN GP14.phx.gbl...
works if I remember correctly. The cookie can be set in similar
fashion (eg) using a js bookmarklet. Since you would then have the
"correct" SessionId


Well, let me know exactly how you plan to do it. See if you can set
a session variable for a browser on one machine, get the cookie
without having access to the ASP file(s) directly, then use another
machine and fiddle with the cookie however you see fit, and see if
you can retrieve the session variable on machine B that was set for
the user on machine A.

My experiments in the past have proved to me that it will not work.

In any case, even if the above were to work, a malicious user would
have to have access to the first user's session to get their
sessionID at all, and if they can do that, why not just continue
their session?

Jul 22 '05 #17
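The PC1/PC2 experiment Tim describes, and the two fixes discussed in this thread (his second login-only cookie, and the "create a new session ID after login" rule quoted earlier), as an added example that is not part of the original posts and is not classic ASP code. It is a Python model of a cookie-keyed server-side session store like ASP's: `SessionStore`, the cookie names `ASPSESSIONID` and `AUTHTOKEN`, the user table and the handler names are all constructed for the demo. `replay_attack` plays both PCs against a pair of page handlers and reports whether the copied cookie reaches the protected page.

```python
"""
Session fixation replay, modelled after the PC1/PC2 experiment in the thread.

A request's cookie jar is a plain dict. The store keys sessions by the value
of the ASPSESSIONID cookie, exactly as ASP does, so whoever presents that
value gets that session's variables.
"""
import secrets

# Constructed credential table for the demo, not a real user database.
USERS = {"alice": "correct horse"}


class SessionStore:
    """Server-side sessions keyed by the session cookie value (ASP-style)."""

    def __init__(self):
        self._sessions = {}

    def get(self, cookies):
        """Return the session for this request; start one (and set the
        cookie) when the request carries no known session ID."""
        sid = cookies.get("ASPSESSIONID")
        if sid not in self._sessions:
            sid = secrets.token_urlsafe(16)
            cookies["ASPSESSIONID"] = sid      # Set-Cookie back to the browser
            self._sessions[sid] = {}
        return self._sessions[sid]

    def regenerate(self, cookies):
        """Move the current session to a fresh ID and forget the old one.
        This is the post-login ID change the built-in ASP Session object
        cannot do; a store you own can."""
        old = cookies.get("ASPSESSIONID")
        data = self._sessions.pop(old, {})
        new = secrets.token_urlsafe(16)
        self._sessions[new] = data
        cookies["ASPSESSIONID"] = new
        return data


# --- naive design: the protected page trusts the session variable alone ---

def naive_login(store, cookies, user, password):
    session = store.get(cookies)
    if USERS.get(user) == password:
        session["logged in"] = "yes"
        return True
    return False


def naive_protected(store, cookies):
    """True if the request reaches the page, False if it would be redirected."""
    return store.get(cookies).get("logged in") == "yes"


# --- hardened design: new session ID plus a second, login-only cookie ---

def hardened_login(store, cookies, user, password):
    if USERS.get(user) != password:
        return False
    session = store.regenerate(cookies)        # pre-login ID is now dead
    token = secrets.token_urlsafe(32)          # unguessable, issued only after auth
    session["logged in"] = "yes"
    session["auth token"] = token
    cookies["AUTHTOKEN"] = token               # the second cookie Tim proposes
    return True


def hardened_protected(store, cookies):
    session = store.get(cookies)
    token = cookies.get("AUTHTOKEN")
    return (session.get("logged in") == "yes"
            and token is not None
            and secrets.compare_digest(token, session.get("auth token", "")))


def replay_attack(login, protected):
    """Run the PC1/PC2 experiment against one pair of handlers.
    Returns True if the attacker's replayed cookie reaches the protected page."""
    store = SessionStore()
    pc1 = {}                      # cookie jar of the shared PC
    store.get(pc1)                # opening login.asp starts a session, sets the cookie
    captured = dict(pc1)          # attacker copies document.cookie (bookmarklet)
    if not login(store, pc1, "alice", "correct horse"):   # victim logs in on PC1
        raise RuntimeError("demo login failed")
    pc2 = dict(captured)          # attacker pastes the captured cookie on PC2
    return protected(store, pc2)


if __name__ == "__main__":
    print("naive design, replay reaches protected page:",
          replay_attack(naive_login, naive_protected))        # True
    print("hardened design, replay reaches protected page:",
          replay_attack(hardened_login, hardened_protected))  # False
```

The second cookie alone is enough to stop this particular replay, because the attacker only ever held the pre-login cookie. Regenerating the ID as well means the captured value no longer resolves to any session at all, so a protected page that forgot the token check is not exposed either; that is the property the quoted guideline is after, and the reason Bob suggests owning the session ID rather than relying on ASPSESSIONID.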
Joseph Shoe wrote:
How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests user
id and password. An ASPSessionID is assigned for this page. Once the user
is authenticated by valid id/pwd, the second page starts the real
applicaiton. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I do
that in ASP?


Don't use ASP sessions. Instead create and maintain your own "session
ID" passed in the querystring or in hidden field(s). Then you can change
it wherever and whenever you wish, even with each page submission.
Jul 22 '05 #18
> However unlikely the scenario, it has to be admitted to be possible
> (and not that difficult either). That is the only point I'm trying to
> make here.
I wasn't able to reproduce, but I'll take your word for it for now.
> Easy to prevent just by adding another session cookie on login and
> checking for both that *and* the session variable, rather than relying
> only on the session variable.


Which is what I suggested further up in the thread (I also still didn't get
a decent answer to my question, what would be accomplished by changing the
sessionID).
Jul 22 '05 #19
Thanks, Tim. Your description is mostly correct. One clarification: when
PC2 is able to get to the protected page of PC1 using the same SessionID, the
session variable "logged in" would be yes for PC2, as seen by PC1. PC2 will
not be redirected to the login page.

Your suggestion of using a second session cookie is a sound one. I was
merely looking for a shortcut. After all, it shouldn't be that difficult for
ASP to provide an API to change the SessionID.

"Tim Williams" wrote:
So said so done. Exactly as described.

Opened login page on PC1, copied sessionid cookie name/value to text
file. Then logged in on PC1 using a known UN/PW.

Few minutes later on PC2, used an "edit cookie" bookmarklet to create
the session cookie from PC1, and was able to bypass the login page and
go directly to a "protected" page. This page would normally (on
seeing there is no "logged in=yes" session variable) redirect me to
the login page but in this case the session from PC1 is referenced due
to the copied cookie.

Bookmarklet for editing the session cookie was from here:
http://visitjesper.homeip.net/bookmarklets.html

However unlikely the scenario, it has to be admitted to be possible
(and not that difficult either). That is the only point I'm trying to
make here.
Easy to prevent just by adding another session cookie on login and
checking for both that *and* the session variable, rather than relying
only on the session variable.

Tim.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartr eb.noraa> wrote in
message news:uU******** ******@TK2MSFTN GP14.phx.gbl...
works if I remember correctly. The cookie can be set in similar
fashion (eg) using a js bookmarklet. Since you would then have the
"correct" SessionId


Well, let me know exactly how you plan to do it. See if you can set
a session variable for a browser on one machine, get the cookie
without having access to the ASP file(s) directly, then use another
machine and fiddle with the cookie however you see fit, and see if
you can retrieve the session variable on machine B that was set for
the user on machine A.

My experiments in the past have proved to me that it will not work.

In any case, even if the above were to work, a malicious user would
have to have access to the first user's session to get their
sessionID at all, and if they can do that, why not just continue
their session?


Jul 22 '05 #20


