I'm using asp, not asp.net. I've got some open ended questions that I
was really hoping someone in here could answer, or direct me to some
resources that will help me answer them on my own.
First, the session object. When a new user comes to my site, asp
creates a session object, and a session id on that object. That
session id is sent back to the client and stored as a cookie(?) that
can be used to identify a single user across multiple browser
requests. Is that right?
Second, can that sessionid be sniffed? I'm assuming it can be. But
if Bob comes to my site, gets assigned a session id of 1234, and then
logs in (via username and password that I validate on the server, all
behind an SSL certificate, I guess), I could store the correct
username "bobsmith" in a session variable. Is that session variable
also sent to the client? Does Bob, even though he can easily lookup
the session id of 1234 in his cookies, know that I stored another
session variable that identifies him? So Bob can't ever log in as
Bob, but then try to impersonate Jane after he is validated? Does
this even make sense?
In another scenario, Bob gets sessionid 1234. I store his username
bobsmith in a session variable. Should I also store his referring IP
and some other things (user agent, etc) and compare those with every
page request? If something changes in those things, does that mean
that it is possible I'm being felt out/attacked? Is it conceivable
that Bob's IP address might change but that the session is still the
same session id?
As far as SSL goes, when developing a site I don't have a
certificate. When I am ready to go live with this, do I just find a
webhost that will get a certificate for me, and the webserver handles
whether or not all traffic goes over https? I mean, do I have to do
anything special with my code, or is that all web server configuration
stuff?
What is a good way to secure a site? I'm really talking academically
here, but I may develop a real world site in the future that needs
this kind of security.
If anyone has read this far and understands my incoherent and confused
brain, I would be very appreciative of some pointers!
Matt
8  4165 
YYZ wrote:
I'm using asp, not asp.net. I've got some open ended questions that I
was really hoping someone in here could answer, or direct me to some
resources that will help me answer them on my own.
First, the session object. When a new user comes to my site, asp
creates a session object, and a session id on that object. That
session id is sent back to the client and stored as a cookie(?)
Yes, it's called a session cookie and is different from normal cookies.
that
can be used to identify a single user across multiple browser
requests. Is that right?
Sort of. A session cookie persists only as long as the browser windows
that were open when the cookie was created
>
Second, can that sessionid be sniffed? I'm assuming it can be. But
if Bob comes to my site, gets assigned a session id of 1234, and then
logs in (via username and password that I validate on the server, all
behind an SSL certificate, I guess), I could store the correct
username "bobsmith" in a session variable. Is that session variable
also sent to the client? Does Bob, even though he can easily lookup
the session id of 1234 in his cookies, know that I stored another
session variable that identifies him? So Bob can't ever log in as
Bob, but then try to impersonate Jane after he is validated? Does
this even make sense?
In another scenario, Bob gets sessionid 1234. I store his username
bobsmith in a session variable. Should I also store his referring IP
and some other things (user agent, etc) and compare those with every
page request? If something changes in those things, does that mean
that it is possible I'm being felt out/attacked? Is it conceivable
that Bob's IP address might change but that the session is still the
same session id?
As far as SSL goes, when developing a site I don't have a
certificate. When I am ready to go live with this, do I just find a
webhost that will get a certificate for me, and the webserver handles
whether or not all traffic goes over https? I mean, do I have to do
anything special with my code, or is that all web server configuration
stuff?
What is a good way to secure a site? I'm really talking academically
here, but I may develop a real world site in the future that needs
this kind of security.
If anyone has read this far and understands my incoherent and confused
brain, I would be very appreciative of some pointers!
There are plenty of resources here: http://www.google.com/search?sourcei...session+hijack
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Hey Matt,
Here is my understanding of it: When someone comes to your site, you create
a session variable with (for example) id of 1234, then set the cookie with
value 1234. If you discover the person's name is Bob, you write that to your
database under record id 1234.
Naturally, if someone tries to access something of a sensitive nature
(passwords, credit cards, email addresses, etc.), you would challenge that
person by asking them to supply a password.
I worked once in the past with SSL. The company purchased a certificate
through the ISP, and they applied the certificate to the company's website.
For me, all I had to do to access the SSL was to direct my pages to https
instead of http. The rest was transparent to me.
I know this is a very simple answer to your elaborate question, but
sometimes simple helps you see through the trees.
~Joe
>A session cookie persists only as long as the browser windows that were
open when the cookie was created
Is that right? I thought session cookies were kept in memory on the server,
and timed out in the amount of time set for sessions.
Bob Lehmann
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcomwrote in message
news:OX****************@TK2MSFTNGP06.phx.gbl...
YYZ wrote:
I'm using asp, not asp.net. I've got some open ended questions that I
was really hoping someone in here could answer, or direct me to some
resources that will help me answer them on my own.
First, the session object. When a new user comes to my site, asp
creates a session object, and a session id on that object. That
session id is sent back to the client and stored as a cookie(?)
Yes, it's called a session cookie and is different from normal cookies.
that
can be used to identify a single user across multiple browser
requests. Is that right?
Sort of. A session cookie persists only as long as the browser windows
that were open when the cookie was created
Second, can that sessionid be sniffed? I'm assuming it can be. But
if Bob comes to my site, gets assigned a session id of 1234, and then
logs in (via username and password that I validate on the server, all
behind an SSL certificate, I guess), I could store the correct
username "bobsmith" in a session variable. Is that session variable
also sent to the client? Does Bob, even though he can easily lookup
the session id of 1234 in his cookies, know that I stored another
session variable that identifies him? So Bob can't ever log in as
Bob, but then try to impersonate Jane after he is validated? Does
this even make sense?
In another scenario, Bob gets sessionid 1234. I store his username
bobsmith in a session variable. Should I also store his referring IP
and some other things (user agent, etc) and compare those with every
page request? If something changes in those things, does that mean
that it is possible I'm being felt out/attacked? Is it conceivable
that Bob's IP address might change but that the session is still the
same session id?
As far as SSL goes, when developing a site I don't have a
certificate. When I am ready to go live with this, do I just find a
webhost that will get a certificate for me, and the webserver handles
whether or not all traffic goes over https? I mean, do I have to do
anything special with my code, or is that all web server configuration
stuff?
What is a good way to secure a site? I'm really talking academically
here, but I may develop a real world site in the future that needs
this kind of security.
If anyone has read this far and understands my incoherent and confused
brain, I would be very appreciative of some pointers!
There are plenty of resources here:
http://www.google.com/search?sourcei...session+hijack
>
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
I worked once in the past with SSL. The company purchased a certificate
through the ISP, and they applied the certificate to the company's website.
For me, all I had to do to access the SSL was to direct my pages to https
instead of http. The rest was transparent to me.
Excellent! I thought it was that easy from a programming standpoint,
but it was hard to find definite information on that.
I know this is a very simple answer to your elaborate question, but
sometimes simple helps you see through the trees.
The helped, Joe. Thanks.
Bob Lehmann wrote:
>>A session cookie persists only as long as the browser windows that
were
open when the cookie was created
Is that right?
Sort of.
According to this: http://msdn2.microsoft.com/en-us/lib...aspx#ac_topic5
session cookies are sent in the HTTP headers for every browser request.
This page makes it a little clearer: http://palisade.plynt.com/issues/200...ssion-cookies/
To the OP's question about SSL, from the msdn page:
SSL Encryption
Encrypting all communications between the browser and the server will
prevent hackers from capturing the session cookie. Using SSL, all
traffic—including the session cookies—are encrypted. A hacker sniffing or
monitoring the network will not be able to see the private cookies in use.
When using SSL encryption, remember that all browser requests to the Web
application directory will include the session ID cookie. Even requests for
static HTML content in the same directory tree as the ASP pages will include
the session ID cookie. All requests to the virtual directory, not just for
ASP files, must be encrypted.
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
On Sep 19, 6:31 pm, "Bob Barrows [MVP]" <reb01...@NOyahoo.SPAMcom>
wrote:
Bob Lehmann wrote:
>A session cookie persists only as long as the browser windows that
were
open when the cookie was created
Is that right?
Sort of.
According to this:http://msdn2.microsoft.com/en-us/lib...aspx#ac_topic5
session cookies are sent in the HTTP headers for every browser request.
Thanks Bob(s). I checked out a bunch of those links on that search,
and thanks for that. The helped me understand a little more of the
process that takes place with the session object.
I'll keep reading up on it, but thanks.
Matt
"YYZ" <ma********@gmail.comwrote in message
news:11**********************@k79g2000hse.googlegr oups.com...
I'm using asp, not asp.net. I've got some open ended questions that I
was really hoping someone in here could answer, or direct me to some
resources that will help me answer them on my own.
First, the session object. When a new user comes to my site, asp
creates a session object, and a session id on that object. That
session id is sent back to the client and stored as a cookie(?) that
can be used to identify a single user across multiple browser
requests. Is that right?
Second, can that sessionid be sniffed? I'm assuming it can be. But
if Bob comes to my site, gets assigned a session id of 1234, and then
logs in (via username and password that I validate on the server, all
behind an SSL certificate, I guess), I could store the correct
username "bobsmith" in a session variable. Is that session variable
also sent to the client? Does Bob, even though he can easily lookup
the session id of 1234 in his cookies, know that I stored another
session variable that identifies him? So Bob can't ever log in as
Bob, but then try to impersonate Jane after he is validated? Does
this even make sense?
In another scenario, Bob gets sessionid 1234. I store his username
bobsmith in a session variable. Should I also store his referring IP
and some other things (user agent, etc) and compare those with every
page request? If something changes in those things, does that mean
that it is possible I'm being felt out/attacked? Is it conceivable
that Bob's IP address might change but that the session is still the
same session id?
As far as SSL goes, when developing a site I don't have a
certificate. When I am ready to go live with this, do I just find a
webhost that will get a certificate for me, and the webserver handles
whether or not all traffic goes over https? I mean, do I have to do
anything special with my code, or is that all web server configuration
stuff?
What is a good way to secure a site? I'm really talking academically
here, but I may develop a real world site in the future that needs
this kind of security.
If anyone has read this far and understands my incoherent and confused
brain, I would be very appreciative of some pointers!
Matt
Whilst the following probably duplicates what has been said in other
responses or is present it the links provided I'll just summarise the how
session operates and the risks.
As soon as client visits an ASP page in your application for the first time
a session object is created. This object has an ID which is returned to the
client in the ASPSESSIONxxxx cookie. The cookie is temporary in that the
client is not expected to record it to disk but just to keep in the browser
process memory. When the browser process ends so will the cookie.
Subsequent requests to the site will carry this session cookie. When a
request is made for an ASP page the cookie is used to find the appropriate
Session object and this object is added the script context. If a session
object is not found matching the ID then a new Session object is created and
a Set-Cookie header is added to the Response.
If an ASP request releated to a session is not made for a period of time
then the session object on the server is destroyed.
Note therefore that the only data send to the client in this case is the ID
of the session the contents of the session object remain on the server.
What are the risks?
It is possible for a man-in-the-middle attack to harvest the session ID from
a request and then be able to use the ID to masquerade as that session.
To cut a long examination of the various scenarios short the only way to
'properly' secure a site is run the whole lot over SSL. The questions is
would you really want to? SSL is somewhat heavy from both a CPU and a
bandwith point of view.
How likely is it that a Man-in-the-middle attack will target your site?
Does all the content need to be secure or just some sensitive parts?
--
Anthony Jones - MVP ASP/ASP.NET
"Bob Lehmann" wrote:
>A session cookie persists only as long as the browser windows
that were open when the cookie was created
Is that right? I thought session cookies were kept in memory on
the server, and timed out in the amount of time set for sessions.
That would be session variables. The cookie is stored in memory by the
browser (it has no expiration date and is thus transient), and is sent to
the server with every subsequent request.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Pack Fan |
last post by:
I've noticed that session variables will persist on Mac IE even after all
browser windows have been closed. One must quit the program to clear the
session variables. This presents a security risk...
|
by: Scott Wickham |
last post by:
I'm having a problem saving session information on one form and retrieving it
on a subsequent form...for only one out of a number of users. Actually, I'm
not absolutely certain it's a session...
|
by: Paul Yanzick |
last post by:
Hello,
I am trying to develop a book tracking application for my capstone in
school, and am running into a problem.
The application is an ASP.Net application written in C#. The first page you...
|
by: dale zhang |
last post by:
Hi groups,
Can anyone give me the equivalent C# sharp code for this VB.ET code,
:: VB.NET ::
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) _
Handles...
|
by: ASP.Confused |
last post by:
As you can tell from my previous posts on this issue...I'm really confused
:-/
I have a few ASP.NET web applications on my web host's "https" server. Our
web host has a single "bin" folder for...
|
by: Martin Walke |
last post by:
Hi all,
Is there any limit to the number of session variables a site can have? And
is that affected by global.asa at all?
The reason why i ask is that i have a relatively simple site that...
|
by: Don Miller |
last post by:
I am using a Session variable to hold a class object between ASP.NET pages
(in VB). In my constructor I check to see if the Session variable exists,
and if it doesn't, I create one and populate it...
|
by: Gordon Burditt |
last post by:
I had this idea about preventing session fixation, and I'm wondering
what anyone else thinks about it. The idea is, essentially, don't
allow session ids that YOUR PHP didn't generate (and aren't...
|
by: sheldonlg |
last post by:
I have come across this problem before but never really resolved it. It
is probably something so obvious that I should be embarrassed to even
ask in this forum.
The problem is one of losing the...
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
| | |
