473,849 Members | 1,757 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Securing ASP app with session

I have been working on internal, intranet apps in the past few years, so I
haven't needed to secure apps with a login/password and sessions like I did
8 or so years ago (I use Windows Auth now, which makes it easier)... Is
using sessions still a practical, safe way to secure the backend of the
apps? Or should I just bite the bullet and move to ASP.NET to build a
secure backend?

I have researched session hijacking and there seems to be a lot of
information out there about that type of attack... what are your thoughts?

Thanks,
Drew
Jun 27 '08 #1
2 2328
Drew wrote:
I have been working on internal, intranet apps in the past few years,
so I haven't needed to secure apps with a login/password and sessions
like I did 8 or so years ago (I use Windows Auth now, which makes it
easier)... Is using sessions still a practical, safe way to secure
the backend of the apps?
It's as safe as the developer makes it.
Or should I just bite the bullet and move
to ASP.NET to build a secure backend?
Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
them.
I have researched session hijacking and there seems to be a lot of
information out there about that type of attack... what are your
thoughts?
I am not sure where you are coming from (or going): ASP.Net has the
same vulnerability to session-hijacking as classic ASP. It is up to the
developer to properly secure the site to prevent these types of
exploits. Since you've seen the information, you must have seen the
steps needed to prevent these exploits.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jun 27 '08 #2
Bob,

I was under the wrong assumption... After looking into the session variables
again I see where I was screwing up.

Drew

"Bob Barrows [MVP]" <re******@NOyah oo.SPAMcomwrote in message
news:Oo******** ******@TK2MSFTN GP03.phx.gbl...
Drew wrote:
>I have been working on internal, intranet apps in the past few years,
so I haven't needed to secure apps with a login/password and sessions
like I did 8 or so years ago (I use Windows Auth now, which makes it
easier)... Is using sessions still a practical, safe way to secure
the backend of the apps?

It's as safe as the developer makes it.
> Or should I just bite the bullet and move
to ASP.NET to build a secure backend?
Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
them.
>I have researched session hijacking and there seems to be a lot of
information out there about that type of attack... what are your
thoughts?
I am not sure where you are coming from (or going): ASP.Net has the
same vulnerability to session-hijacking as classic ASP. It is up to the
developer to properly secure the site to prevent these types of
exploits. Since you've seen the information, you must have seen the
steps needed to prevent these exploits.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.


Jun 27 '08 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

11
1920
by: Steve | last post by:
I have a pretty nice php web site, that's also reasonably secure. However, I wrote some php code to create some dynamic images based on database data, but I can't figure out how to secure this script? when I reference the php code via img src="myimage.php", none of my session variables are available for use in the script. So, without my session variables, how am I suppose to ensure that the script is only run by a valid user, rather...
17
4774
by: David McNab | last post by:
Hi, I'm writing a web app framework which stores pickles in client cookies. The obvious security risk is that some 5cr1p7 X1ddi35 will inevitably try tampering with the cookie and malforming it in an attempt to get the server-side python code to run arbitrary code, or something similarly undesirable. To protect against this, I've subclassed pickle.Unpickler, and added
2
1613
by: James | last post by:
What's the best way of securing online databases and web services? At present I am using a database password, which of course is not hard-coded into the web service, but this means re-submitting it with every function call from my windows client. Any alternatives?
7
2220
by: Tom | last post by:
Can anyone give me any advice on how to secure a folder on a network server so that documents in the folder can only be opened through an Access database or by the database admin. I need to store MS Word docs in a folder on a network server. The database admin will save the docs to the folder. The docs must be available to Word automation out of a specific Access database and available to the database admin out of MS Word. Only users of...
11
3444
by: Wm. Scott Miller | last post by:
Hello all! We are building applications here and have hashing algorithms to secure secrets (e.g passwords) by producing one way hashes. Now, I've read alot and I've followed most of the advice that made sense. One comment I've seen alot about is "securing the hashing routine" but no-one explains how to accomplish this. So how do I secure my hashing routine? Do I use code access security, role based security, ACLs, etc or combination?...
4
1249
by: BARTKO Zoltan | last post by:
Hello folks, First a question and then the rest: Does the PostgreSQL log contain the stored function calls with all parameters? Or is this something that could be set? I would appreciate anyone wiser than me to comment on the following: I am making an app for PostgreSQL (the server). The clients are connecting through the same single user. There is a model of the user organization inside (position hierarchy), each person (virtual...
5
2482
by: rug | last post by:
Hello, I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session. I've got no clue how to use a table for session management. I've started off by creating a table that will store the following: Session ID (will create this using dechex with a random number)...
5
1111
by: darrel | last post by:
This is an issue I brought up probably a year or so ago, got some advice, then was sidetracked on the project until now. So, here I am again. ;o) The situation is that we have an older chunk of code I've been tasked to maintain 'as-is'. It's a CMS we wrote in ASP.net 1.1 about 4 years ago. It works. But we have one major issue and that's when people log in, maybe 5% of the time, the end up with someone elses credentials. There's...
5
3179
by: AeonOfTime | last post by:
Let's assume a web application (in this case a browser-based game) with a custom HTTP server built on PHP, and a client also built on PHP. The client uses the server to access and change data. Even if the client server communication is not directly visible to the user (who logs into the client), the fact that the server is publicly accessible (a port sniffer would be enough to find it) means the communication has to be secured. How...
0
9893
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
11005
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10665
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
7894
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
7070
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5735
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
5921
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4544
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
4139
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.