How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests user
id and password. An ASPSessionID is assigned for this page. Once the user
is authenticated by valid id/pwd, the second page starts the real
application. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I do
that in ASP?
Thanks.
Joseph
Jul 22 '05
> Thanks, Tim. Your description is mostly correct. One clarification: when PC2 is able to get to the protected page of PC1 using the same SessionID, the session variable "logged in" would be yes for PC2, as seen by PC1.
I am not sure I understand how you expect a user on PC2 to be able to
install some javascript bookmarklet thing on PC1 or on your server in order
to find out his sessionID. If the user of PC2 has access to PC1, couldn't
he just use that access to find out the user's password (which he probably
has in a file somewhere, or on a sticky note on his monitor) or just take
over his session from there? There is nothing you can do in ASP to make a
user's workstation more secure. Of course it's easy to emulate this when
you're in control of both PC1 and PC2, as well as the web server. I don't
think it's even remotely likely in the real world. But I can't tell you
what to focus your energy on.
"Tim Williams" wrote in message
news:u%****************@TK2MSFTNGP09.phx.gbl...
: alert(document.cookie);
:
: works if I remember correctly. The cookie can be set in similar
: fashion (eg) using a js bookmarklet. Since you would then have the
: "correct" SessionId why couldn't you access the other session?
You remember correctly, but it gives you access to YOUR session ID, not
someone else's. Is it possible that you could be compromised and an attacker
could get this info? Sure, it's possible but if that is the case, they
don't need your session ID, they'll just install a keylogger and call it a
day.
Could a man in the middle attack exploit this? Sure but critical
information is generally transmitted encrypted using SSL so the man in the
middle doesn't get anything. Even if you had an encrypted connection, if
your system is compromised it doesn't matter what your security measures are
between you and the web site. At that point the game's over.
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
I agree with Aaron.
If a third party can get the ASPSessionid, then they can get a second
one later, or a third, and so on. Also if a third party can get the
ASPSessionid, then they can also get a cookie or any other saved item
on the client. All data passes through the browser and is visible
there.
Your question can be paraphrased as
"How do I transfer data to the user without passing it through a client browser where my mysterious secrets will be compromised."
This makes no sense: you're chasing your own ignorance but it has
outsmarted you. You are like the man who tries to catch a fart in a
butterfly net.
I'm "mostly correct" ? I think just "correct" would do fine. PC2
does not "get to the protected page of PC1" - it can access any
protected page *on the server*, but has no access to PC1 at all.
Maybe my original summary was unclear....
Tim.
"Joseph Shoe" <Jo********@discussions.microsoft.com> wrote in message
news:C0**********************************@microsoft.com...
Thanks, Tim. Your description is mostly correct. One clarification: when PC2 is able to get to the protected page of PC1 using the same SessionID, the session variable "logged in" would be yes for PC2, as seen by PC1. PC2 will not be redirected to the login page.
Your suggestion of using a second session cookie is a sound one. I was merely looking for a shortcut. After all, it shouldn't be that difficult for ASP to provide an API to change the SessionID.
"Tim Williams" wrote:
So said so done. Exactly as described.
Opened login page on PC1, copied sessionid cookie name/value to text file. Then logged in on PC1 using a known UN/PW.
Few minutes later on PC2, used an "edit cookie" bookmarklet to create the session cookie from PC1, and was able to bypass the login page and go directly to a "protected" page. This page would normally (on seeing there is no "logged in=yes" session variable) redirect me to the login page but in this case the session from PC1 is referenced due to the copied cookie.
Bookmarklet for editing the session cookie was from here: http://visitjesper.homeip.net/bookmarklets.html
However unlikely the scenario, it has to be admitted to be possible (and not that difficult either). That is the only point I'm trying to make here. Easy to prevent just by adding another session cookie on login and checking for both that *and* the session variable, rather than relying only on the session variable.
Tim.
"Aaron Bertrand [SQL Server MVP]" <te*****@dnartreb.noraa> wrote in message
news:uU**************@TK2MSFTNGP14.phx.gbl...
>> works if I remember correctly. The cookie can be set in similar
>> fashion (eg) using a js bookmarklet. Since you would then have the
>> "correct" SessionId
>
> Well, let me know exactly how you plan to do it. See if you can set
> a session variable for a browser on one machine, get the cookie
> without having access to the ASP file(s) directly, then use another
> machine and fiddle with the cookie however you see fit, and see if
> you can retrieve the session variable on machine B that was set for
> the user on machine A.
>
> My experiments in the past have proved to me that it will not work.
>
> In any case, even if the above were to work, a malicious user would
> have to have access to the first user's session to get their
> sessionID at all, and if they can do that, why not just continue
> their session?
"Tim Williams" wrote in message
news:eG**************@TK2MSFTNGP09.phx.gbl...
: I'm "mostly correct" ? I think just "correct" would do fine. PC2
: does not "get to the protected page of PC1" - it can access any
: protected page *on the server*, but has no access to PC1 at all.
:
: Maybe my original summary was unclear....
Nah, everything you've said is. This is where the term script kiddie comes
from.
Tim Williams wrote:
<snipped> Easy to prevent just by adding another session cookie on login and checking for both that *and* the session variable, rather than relying only on the session variable. Tim.
But it can't be just _any_ cookie! We must test the _contents_ of the
cookie and not merely its presence.
The cookie's contents should not be predictable by the attacker. Storing
the username or SSN in a cookie would be ineffective because an attacker
(who already has my ASPSessionID) might then easily mimic my cookie too.
And the serverside code must check the cookie's contents on each page.
So the cookie value must also be stored somewhere on the server (Session
variable, database, file, or Application variable(s), etc.).
So it seems a relatively easy method to thwart the "session fixation
attack" would be, immediately after the user is authenticated, to
- set a cookie to some random value XXXXX,
- set a Session variable to the same value XXXXX,
[From a security standpoint, the cookie is a "client key" and the
Session variable is a "server key"]. Then, on every page, check that the
cookie and Session variable match.
Kudos
- to Joseph Shoe (Joe Hsu) for bringing this problem to the table and
- to Tim for presenting tools and ways to manifest the problem
and to both of you for showing how to solve the problem:
I found no mention of session fixation attacks on the Microsoft
newsgroups prior to Joseph's. Nor could a quick search find anything on
Microsoft's site.
Here's a discussion, with diagrams, of the "session fixation attack": http://shiflett.org/articles/security-corner-feb2004
I am curious whether ASP.NET is vulnerable to this attack.
Google search shows that knowledge about such attacks has been present
since at least 2001. http://www.tisc2001.com/newsletters/53.html
shows how a session fixation attack is set up [hint: the scenario we've
been discussing isn't the important one]. I don't believe that this
older paper explicitly considers the case of a legitimate user who
wishes to mimic another legitimate user and thereby gain illegitimate
access. And here's an update and PDF paper by the same authors: http://www.acrossecurity.com/papers.htm
Here's another article: http://archives.neohapsis.com/archiv...2-q4/0117.html
IMO this "session fixation attack" is both interesting and a serious
problem for ASP applications. It seems especially pertinent to intranets
where secure information is maintained internally and where security
must not be breached. That is the most common scenario for stealing
information.
We need to talk about this more.
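A runnable model of the two-key check proposed by Tim (a second cookie set on login) and refined by Michael above. This is an added example, not code from the thread: it simulates the server-side ASP Session store in Python and replays Tim's PC1/PC2 experiment against both the session-variable-only check and the fixed check. The cookie and Session variable names (AuthKey, LoggedIn), the user store and the credential are constructed for the demo.

```python
import hmac
import secrets

# Constructed credential for the demo; a real app checks a user store.
USERS = {"joseph": "correct horse battery staple"}

# Models IIS's server-side Session store: ASPSESSIONID -> Session variables.
SESSIONS = {}


def new_session():
    """Models the ASPSESSIONID cookie IIS issues on the first (login) page."""
    sid = secrets.token_hex(12)
    SESSIONS[sid] = {}
    return sid


def login(cookies, username, password):
    """Login page. On success, set the "logged in" Session variable and, as
    the thread proposes, issue a random client key as a second cookie while
    keeping a copy in the Session as the server key. Returns the Set-Cookie
    values to send back; an empty dict means the login failed."""
    session = SESSIONS.get(cookies.get("ASPSESSIONID", ""))
    if session is None or USERS.get(username) != password:
        return {}
    session["LoggedIn"] = "yes"
    # Unpredictable, so someone holding only the session id cannot guess it
    # (a username or SSN in the cookie would be guessable, as Michael notes).
    session["AuthKey"] = secrets.token_hex(16)
    return {"AuthKey": session["AuthKey"]}


def protected_page_weak(cookies):
    """The original check: trusts the Session variable alone."""
    session = SESSIONS.get(cookies.get("ASPSESSIONID", ""), {})
    return "OK" if session.get("LoggedIn") == "yes" else "REDIRECT login.asp"


def protected_page(cookies):
    """The fixed check, run on every protected page: the Session variable
    must say logged in AND the client key cookie must match the server key."""
    session = SESSIONS.get(cookies.get("ASPSESSIONID", ""), {})
    server_key = session.get("AuthKey", "")
    if session.get("LoggedIn") != "yes" or not server_key:
        return "REDIRECT login.asp"
    # Constant-time comparison so response timing does not leak the key.
    if not hmac.compare_digest(cookies.get("AuthKey", ""), server_key):
        return "REDIRECT login.asp"
    return "OK"


def demo():
    """Replays Tim's experiment: PC2 holds PC1's ASPSESSIONID from before login."""
    pc1 = {"ASPSESSIONID": new_session()}  # PC1 opens the login page
    pc2 = dict(pc1)  # cookie copied to PC2 before PC1 logs in
    pc1.update(login(pc1, "joseph", USERS["joseph"]))  # PC1 now logs in
    return {
        "pc1_weak": protected_page_weak(pc1),
        "pc2_weak": protected_page_weak(pc2),  # admitted: the hole Tim showed
        "pc1_fixed": protected_page(pc1),
        "pc2_fixed": protected_page(pc2),  # bounced: no matching client key
    }


if __name__ == "__main__":
    print(demo())
```

The second cookie only closes the window Tim exploited, where the session id was captured before login; a cookie jar copied after login carries the client key with it, which is Roland's point about a compromised workstation.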
Michael,
Thanks for the links. This was not something I was aware of until
this thread, so it's been a useful exercise all round.
Off to read your references....
Cheers,
Tim