I have been working on internal, intranet apps in the past few years, so I
haven't needed to secure apps with a login/password and sessions like I did
8 or so years ago (I use Windows Auth now, which makes it easier)... Is
using sessions still a practical, safe way to secure the backend of the
apps? Or should I just bite the bullet and move to ASP.NET to build a
secure backend?
I have researched session hijacking and there seems to be a lot of
information out there about that type of attack... what are your thoughts?
Thanks,
Drew
2  2324 
Drew wrote:
I have been working on internal, intranet apps in the past few years,
so I haven't needed to secure apps with a login/password and sessions
like I did 8 or so years ago (I use Windows Auth now, which makes it
easier)... Is using sessions still a practical, safe way to secure
the backend of the apps?
It's as safe as the developer makes it.
Or should I just bite the bullet and move
to ASP.NET to build a secure backend?
Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
them.
I have researched session hijacking and there seems to be a lot of
information out there about that type of attack... what are your
thoughts?
I am not sure where you are coming from (or going): ASP.Net has the
same vulnerability to session-hijacking as classic ASP. It is up to the
developer to properly secure the site to prevent these types of
exploits. Since you've seen the information, you must have seen the
steps needed to prevent these exploits.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Bob,
I was under the wrong assumption... After looking into the session variables
again I see where I was screwing up.
Drew
"Bob Barrows [MVP]" <re******@NOyah oo.SPAMcomwrote in message
news:Oo******** ******@TK2MSFTN GP03.phx.gbl...
Drew wrote:
>I have been working on internal, intranet apps in the past few years,
so I haven't needed to secure apps with a login/password and sessions
like I did 8 or so years ago (I use Windows Auth now, which makes it
easier)... Is using sessions still a practical, safe way to secure
the backend of the apps?
It's as safe as the developer makes it.
> Or should I just bite the bullet and move
to ASP.NET to build a secure backend?
Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
them.
>I have researched session hijacking and there seems to be a lot of
information out there about that type of attack... what are your
thoughts?
I am not sure where you are coming from (or going): ASP.Net has the
same vulnerability to session-hijacking as classic ASP. It is up to the
developer to properly secure the site to prevent these types of
exploits. Since you've seen the information, you must have seen the
steps needed to prevent these exploits.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Steve |
last post by:
I have a pretty nice php web site, that's also reasonably secure.
However, I wrote some php code to create some dynamic images based on
database data, but I can't figure out how to secure this script?
when I reference the php code via img src="myimage.php", none of my
session variables are available for use in the script. So, without my
session variables, how am I suppose to ensure that the script is only
run by a valid user, rather...
|
by: David McNab |
last post by:
Hi,
I'm writing a web app framework which stores pickles in client cookies.
The obvious security risk is that some 5cr1p7 X1ddi35 will inevitably try
tampering with the cookie and malforming it in an attempt to get the
server-side python code to run arbitrary code, or something similarly
undesirable.
To protect against this, I've subclassed pickle.Unpickler, and added
|
by: James |
last post by:
What's the best way of securing online databases and web services? At present I am using a database password, which of course is not hard-coded into the web service, but this means re-submitting it with every function call from my windows client. Any alternatives?
|
by: Tom |
last post by:
Can anyone give me any advice on how to secure a folder on a network server
so that documents in the folder can only be opened through an Access
database or by the database admin. I need to store MS Word docs in a folder
on a network server. The database admin will save the docs to the folder.
The docs must be available to Word automation out of a specific Access
database and available to the database admin out of MS Word. Only users of...
|
by: Wm. Scott Miller |
last post by:
Hello all!
We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice that made sense. One comment I've seen
alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine? Do I use code
access security, role based security, ACLs, etc or combination?...
| | |
by: BARTKO Zoltan |
last post by:
Hello folks,
First a question and then the rest:
Does the PostgreSQL log contain the stored function calls with all parameters? Or is this something that could be set?
I would appreciate anyone wiser than me to comment on the following:
I am making an app for PostgreSQL (the server). The clients are connecting through the same single user. There is a model of the user organization inside (position hierarchy), each person (virtual...
|
by: rug |
last post by:
Hello,
I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.
I've got no clue how to use a table for session management.
I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)...
|
by: darrel |
last post by:
This is an issue I brought up probably a year or so ago, got some advice,
then was sidetracked on the project until now. So, here I am again. ;o)
The situation is that we have an older chunk of code I've been tasked to
maintain 'as-is'. It's a CMS we wrote in ASP.net 1.1 about 4 years ago.
It works.
But we have one major issue and that's when people log in, maybe 5% of the
time, the end up with someone elses credentials. There's...
|
by: AeonOfTime |
last post by:
Let's assume a web application (in this case a browser-based game)
with a custom HTTP server built on PHP, and a client also built on
PHP. The client uses the server to access and change data. Even if the
client server communication is not directly visible to the user (who
logs into the client), the fact that the server is publicly accessible
(a port sniffer would be enough to find it) means the communication
has to be secured.
How...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
| | |
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
