
Securing ASP app with session

I have been working on internal, intranet apps in the past few years, so I
haven't needed to secure apps with a login/password and sessions like I did
8 or so years ago (I use Windows Auth now, which makes it easier)... Is
using sessions still a practical, safe way to secure the backend of the
apps? Or should I just bite the bullet and move to ASP.NET to build a
secure backend?

I have researched session hijacking and there seems to be a lot of
information out there about that type of attack... what are your thoughts?

Thanks,
Drew
Jun 27 '08 #1
2 Replies


Drew wrote:
> I have been working on internal, intranet apps in the past few years,
> so I haven't needed to secure apps with a login/password and sessions
> like I did 8 or so years ago (I use Windows Auth now, which makes it
> easier)... Is using sessions still a practical, safe way to secure
> the backend of the apps?

It's as safe as the developer makes it.

> Or should I just bite the bullet and move
> to ASP.NET to build a secure backend?

Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
them.

> I have researched session hijacking and there seems to be a lot of
> information out there about that type of attack... what are your
> thoughts?

I am not sure where you are coming from (or going): ASP.Net has the
same vulnerability to session-hijacking as classic ASP. It is up to the
developer to properly secure the site to prevent these types of
exploits. Since you've seen the information, you must have seen the
steps needed to prevent these exploits.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jun 27 '08 #2

Bob,

I was under the wrong assumption... After looking into the session variables
again I see where I was screwing up.

Drew

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:Oo**************@TK2MSFTNGP03.phx.gbl...
> Drew wrote:
>> I have been working on internal, intranet apps in the past few years,
>> so I haven't needed to secure apps with a login/password and sessions
>> like I did 8 or so years ago (I use Windows Auth now, which makes it
>> easier)... Is using sessions still a practical, safe way to secure
>> the backend of the apps?
>
> It's as safe as the developer makes it.
>
>> Or should I just bite the bullet and move
>> to ASP.NET to build a secure backend?
>
> Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
> them.
>
>> I have researched session hijacking and there seems to be a lot of
>> information out there about that type of attack... what are your
>> thoughts?
>
> I am not sure where you are coming from (or going): ASP.Net has the
> same vulnerability to session-hijacking as classic ASP. It is up to the
> developer to properly secure the site to prevent these types of
> exploits. Since you've seen the information, you must have seen the
> steps needed to prevent these exploits.
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.


Jun 27 '08 #3
