Bytes | Software Development & Data Engineering Community

Is the way I do it secure enough to avoid session hijacking?

I am storing user login information (not the password) in the session. I also
use cookieless sessions. I realized that if someone copy-pastes the URL
after he/she has logged in to the system to another person, the other person's
browser opens as if the sender were logged in.

1) Person A logs in to the system. (Login information is stored in SQL
session state.)

2) Person A copy-pastes the URL and sends it to Person B (the format of the
URL is http://domain/(sessionid)/XYZ.aspx).

3) When Person B opens the URL, their window opens as if Person A were
logged in to the system.

This is a security threat. I have overcome this by doing the following.

When a user logs in to the system, a login ticket is generated and
stored in the session. This login ticket contains two things: one is the
client IP address, the other is the user-agent.

Then on each request, I validate that the registered login ticket
information is the same.

If Person A sends the URL to Person B, then I assumed that Person B's IP address
should be different from Person A's.

I found an article on MSDN,
http://msdn.microsoft.com/msdnmag/is...08/WickedCode/ (Foiling Session
Hijacking Attempts). The way Jeff has done it is similar to the one I
have done. Is this reliable? The only thing I wonder about is whether the user's IP
address changes at each request!
Nov 19 '05 #1
Hi Hope,

Your method looks pretty sound to me. The client's IP address cannot change
between requests. It is, after all, the "return address" for the client's
HTTP messages.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Sometimes you eat the elephant.
Sometimes the elephant eats you.

Nov 19 '05 #2
Have you considered routers that do NAT? If I'm not mistaken, requests
from different computers here on our corporate network will appear to
come from the same IP, so if I email a link to a co-worker, they might
end up with my session.

Just a thought.

-Phil

Nov 19 '05 #3
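The login-ticket check from the original post, run against Phil's NAT scenario, as an added example. This is Python standing in for the ASP.NET request handler; it is not code from the thread or from the MSDN article. The session store, the request objects, the IP addresses and the server key are constructed for the example, and binding the ticket with a keyed hash (rather than storing the raw IP and User-Agent strings) is my choice, not something the post describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical server-side key for the ticket hash. In a real deployment it
# would come from configuration, not from code, and would be shared across
# the web farm so every server computes the same ticket.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not real traffic)."""
    session_id: str      # the id that cookieless mode embeds in the URL
    remote_addr: str     # REMOTE_ADDR as the server sees it, i.e. after NAT
    user_agent: str


# Stand-in for the SQL-backed session state of the post.
SESSIONS: Dict[str, dict] = {}


def make_ticket(remote_addr: str, user_agent: str) -> str:
    """The post's login ticket: client IP plus User-Agent, bound together.

    Keyed with HMAC so the stored value reveals nothing about the client if
    the session store is read by someone else.
    """
    material = f"{remote_addr}\n{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


def login(req: Request, username: str) -> None:
    """Step 1 of the post: on login, generate the ticket and keep it in session."""
    SESSIONS[req.session_id] = {
        "user": username,
        "ticket": make_ticket(req.remote_addr, req.user_agent),
    }


def authenticated_user(req: Request) -> Optional[str]:
    """Step 2 of the post: on every request, recompute the ticket from the
    current IP and User-Agent and compare it with the stored one.

    Returns the user name when the session is accepted, None otherwise.
    """
    state = SESSIONS.get(req.session_id)
    if state is None:
        return None
    expected = make_ticket(req.remote_addr, req.user_agent)
    # Constant-time comparison, so timing does not leak the stored ticket.
    if not hmac.compare_digest(state["ticket"], expected):
        return None
    return state["user"]


def demo():
    """Walk through the three cases discussed in the thread."""
    sid = secrets.token_urlsafe(18)   # plays the role of (sessionid) in the URL
    ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    alice = Request(sid, "203.0.113.10", ua)
    login(alice, "alice")

    # Person A's next request: same address, same browser, accepted.
    a_ok = authenticated_user(alice)

    # Person B opens the pasted URL from a different public address: rejected,
    # which is the case the original post had in mind.
    bob_remote = Request(sid, "198.51.100.7", ua)
    b_remote = authenticated_user(bob_remote)

    # Phil's case: Person B sits behind the same NAT as A and runs the same
    # corporate browser image. IP and User-Agent are identical, so the ticket
    # matches and B is accepted as Alice.
    bob_nat = Request(sid, "203.0.113.10", ua)
    b_nat = authenticated_user(bob_nat)

    return a_ok, b_remote, b_nat


if __name__ == "__main__":
    print(demo())   # ('alice', None, 'alice')
```

The third result is the point of Phil's post: with everything the server can observe being identical, no amount of hashing tells the two machines apart. The ticket narrows the window for a pasted URL but does not close it.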
You are exactly right, Phillip.
Then the only remaining part is the validation of the user-agent. But
probably your co-worker has the same browser and machine configuration as
you. This is a real problem, but it couldn't be only my problem. How can this
stateless world be made more secure??
I thought only IP and user-agents are specific to clients; is there any
other, third parameter?

Nov 19 '05 #4
Good thinking, Phil. I hadn't considered that. Still, I believe the NAT must
keep track of the IP address of the originating computer as well, but I'm
starting to venture outside of my area of expertise here.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Sometimes you eat the elephant.
Sometimes the elephant eats you.

Nov 19 '05 #5
Are you sure about that?
From what I have read about AOL proxies and what I see in my IIS logs, it
seems that this is not true and that there can be multiple IPs for a single
client within a session.
I don't have the ASP.NET session ID in the log files so I can't be 100%
certain.
Gerry

Nov 19 '05 #6
Like Kevin, I'm stepping just outside my realm of knowledge, but
perhaps someone else can confirm this for us...

I understand that the way NAT works is to send all the requests from
one IP address, but using different port #s, so that it can tell that
responses on port 6346 are really meant for the machine at IP such and
such on port such and such.

At the server, we must know what port we are responding to, no? Then
requests from two machines on the same network with the same IP will
still have to have different ports. According to what I see, it is in
Request.ServerVariables("REMOTE_PORT")

Nov 19 '05 #7
Within the AOL LAN, IP addresses are assigned on a per-client-session basis,
if I'm not mistaken (at least with dial-up connections). But again, this is
not my area of expertise. Still, I understand quite a bit about networks,
and I can't imagine why an IP address of a machine inside a network would
change within the same client session. It is, again, the "return address" of
the computer on the network.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Sometimes you eat the elephant.
Sometimes the elephant eats you.

Nov 19 '05 #8
What about this:

If you make sure that the only way users navigate from page to page is via
POSTs, then you can require that all your pages send the session ID as a POST
variable. So just check that.
Or alternatively you can store some GUID in session, and also pass it around
as a POST variable. And then check that what got posted is the same thing
you are storing in session.

The person who cut and pasted the URL is going to be getting the URL as a
GET, not a POST, so you will know it is someone else.

I know it's not an ideal solution, as you have to change the mechanism of
the way navigation takes place on your site, but I think it may work.

Nov 19 '05 #9
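The GUID-in-session variant from the post above, as an added example in Python standing in for the ASP.NET pages; it is not code from the thread. The session store, session ID, page names and form markup are constructed for the example. The pattern is the synchronizer token: a random value lives only in server-side session state and in a hidden field of each form, never in the URL, and every page request must be a POST carrying it.

```python
import hmac
import secrets
from typing import Dict, Optional

# Stand-in for server-side session state.
SESSIONS: Dict[str, dict] = {}


def login(session_id: str, username: str) -> str:
    """On login, issue a fresh random navigation token and keep it in session.

    Returns the token so the response can embed it in its forms. 32 random
    bytes from the OS CSPRNG, which is at least as unguessable as a GUID.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "nav_token": token}
    return token


def render_nav_form(session_id: str, target_page: str) -> str:
    """Every link becomes a POST form with the token in a hidden field, so the
    token is in the page body and never in the address bar."""
    token = SESSIONS[session_id]["nav_token"]
    return (
        f'<form method="post" action="{target_page}">'
        f'<input type="hidden" name="nav_token" value="{token}">'
        f'<input type="submit" value="{target_page}">'
        f"</form>"
    )


def authorize(session_id: str, method: str, form: Dict[str, str]) -> Optional[str]:
    """Accept a page request only if it is a POST whose token matches the one
    held in session state for that session ID.

    A pasted URL arrives as a GET with no form body, so it is refused even
    though the session ID in the URL is valid. Returns the user name when the
    request is accepted, None otherwise.
    """
    state = SESSIONS.get(session_id)
    if state is None or method != "POST":
        return None
    supplied = form.get("nav_token", "")
    # Constant-time comparison on bytes so a non-ASCII value cannot raise.
    if not hmac.compare_digest(supplied.encode(), state["nav_token"].encode()):
        return None
    return state["user"]


def demo():
    """The three cases from the post: A navigating, B pasting, B guessing."""
    sid = secrets.token_urlsafe(18)       # (sessionid) from the cookieless URL
    token = login(sid, "alice")

    # Person A submits a navigation form: POST with the hidden token.
    a_ok = authorize(sid, "POST", {"nav_token": token})

    # Person B opens the pasted URL: a GET with no form body.
    b_get = authorize(sid, "GET", {})

    # Person B forges a POST to the same URL without knowing the token.
    b_guess = authorize(sid, "POST", {"nav_token": secrets.token_urlsafe(32)})

    return a_ok, b_get, b_guess


if __name__ == "__main__":
    sid = secrets.token_urlsafe(18)
    login(sid, "alice")
    print(render_nav_form(sid, "XYZ.aspx"))
    print(demo())   # ('alice', None, None)
```

The token does what the IP and User-Agent ticket could not in the NAT case: it is a secret that only the browser that performed the login holds. The limits are the ones the post admits to. Every page transition has to be a form submission, the Back button and bookmarks stop working, and anyone who obtains the rendered page (not just its URL) has the token along with it.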
Well, that just blows using IP address in any form right out of the
water. :)

Too bad they don't pass us the processor serial number or somesuch on a
request.

Nov 19 '05 #10