
preventing Session ID replay attack

Hello,
I am developing a Simple ASP Website with a login page. I want to
know how can I change Session ID after login and also Close the current
Session after User closes the Window or gets logged out of the Website. So
that every time user logs in into the website, Session ID will be unique.

Thank you.
Apr 16 '07 #1
2 Replies


anoop wrote on 16 apr 2007 in
microsoft.public.inetserver.asp.general:

> I am developing a Simple ASP Website with a login page. I want to
> know how can I change Session ID after login

You cannot, simply because changing the session.id would end the session per
definition.

> and also Close the
> current Session after User closes the Window or gets logged out of the
> Website.

Use session.abandon if you have to, or empty the
session("login") value if so designed.

.... however you cannot reliably trust the closing of window to be reported.
It depends on the browser used, the closing of the computer, or if someone
trips over the mains connection or internet connection.

> So that every time user logs in into the website, Session ID
> will be unique.

The session.id is unique as delivered by the system, better than once in a
lifetime at least.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Apr 16 '07 #2

To release all used sessions:
session.abandon()
http://msdn.microsoft.com/library/de...b92ebbbc31.asp
But this won't reset the session ID ... (as far as I know)

Apr 17 '07 #3
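
The replies above say the ASP session ID cannot be changed and that a window close cannot be relied on. One common way to cope with both, as an added example that is not part of the original thread: keep the session ID, issue a fresh random token at every login, and expire idle sessions on the server. It is a Python model of the server-side logic, not ASP code; `SessionStore`, its methods and `IDLE_TIMEOUT` are hypothetical names.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; assumed value for this example


class SessionStore:
    """Models a server whose session ID stays fixed for the session's life."""

    def __init__(self, now=time.time):
        self._sessions = {}  # session_id -> dict of session values
        self._now = now      # injectable clock so expiry can be tested

    def start(self):
        """First request from a browser: create an anonymous session."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"last_seen": self._now()}
        return sid

    def login(self, sid, user):
        """Call only after credentials were verified: bind a new token."""
        token = secrets.token_urlsafe(32)
        self._sessions[sid].update(
            user=user, auth_token=token, last_seen=self._now())
        return token  # sent back as a second cookie (Secure, HttpOnly)

    def current_user(self, sid, token):
        """Return the logged-in user, or None if the request is not trusted."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._now() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # server-side expiry, no close event needed
            return None
        expected = sess.get("auth_token")
        if not expected or not token:
            return None  # session ID alone never authenticates
        # Constant-time comparison of the stored and presented tokens.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return None
        sess["last_seen"] = self._now()
        return sess["user"]

    def logout(self, sid):
        """Counterpart of session.abandon: drop all server-side state."""
        self._sessions.pop(sid, None)
```

A session ID captured before login, or a token from an earlier login, is rejected by `current_user`, so each login is unique even though the session ID is not.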
