Bytes | Software Development & Data Engineering Community

Patterns And Practices Security Checklists

A.M
Hi,

In Architecture and Design Review Security Checklist at following link:

http://msdn.microsoft.com/library/en...rame=true&_r=1

I don't understand the following two items:

1) Session state is protected from unauthorized access.
2) Session identifiers are not passed in query strings.

How can unauthorized access to session state happen, and why would I pass a
session identifier in a query string?

Thanks,
Ali
Nov 18 '05 #1
There are only a couple of ways to pass a session key:

1) in a cookie (asp.net)
2) in the url
3) hidden field (though a url is often required for bootstrap)

You're worried about how easy it is to hijack someone's session. In all the
above techniques the session key can be discovered by a network sniffer. So
now that I have the key, how easy is it to use? A sample of a bad session key
is an incrementing number; these are easy to hijack.
-- bruce (sqlwork.com)


Nov 18 '05 #2
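The two checklist items Ali asked about, and the points in bruce's reply, can be shown side by side in code. The following is an added example written for this thread, not code from either poster or from the Microsoft checklist; it is Python rather than ASP.NET so it runs stand-alone, and the query-string parameter name `sessionid` and the URLs are assumed values. It contrasts the "incrementing number" session key with one drawn from the OS CSPRNG, gives an audit check that flags a sequential sample of IDs, and shows why an ID in the query string is exposed (it lands in server and proxy logs, browser history and the Referer header) while a cookie can carry the Secure, HttpOnly and SameSite attributes that keep it off clear-text links and away from page scripts.

```python
import itertools
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# --- 1. Session key generation: predictable vs. unpredictable ---

_counter = itertools.count(1000)  # constructed: the "incrementing number" anti-pattern


def weak_session_id() -> str:
    """Sequential session key, as criticised in the reply above (constructed example)."""
    return str(next(_counter))


def strong_session_id() -> str:
    """256 bits from the OS CSPRNG, URL-safe base64 without padding (43 characters)."""
    return secrets.token_urlsafe(32)


def looks_sequential(ids) -> bool:
    """Audit helper: True when a sample of IDs are integers that grow by a constant
    positive step, i.e. the next one can be guessed from the last one."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False  # not plain integers, so not a simple counter
    if len(values) < 2:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and next(iter(steps)) > 0


# --- 2. Where the key travels: query string vs. cookie ---

SESSION_PARAM = "sessionid"  # assumed parameter name, not taken from the checklist


def session_id_in_query(url: str):
    """Return the session id if it rides in the query string, where it is copied
    into access logs, browser history and outbound Referer headers; else None."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get(SESSION_PARAM, [None])[0]


def strip_session_from_url(url: str) -> str:
    """Remediation step: drop the id from the URL (the server issues a cookie instead)."""
    parts = urlsplit(url)
    remaining = {k: v for k, v in parse_qs(parts.query).items() if k != SESSION_PARAM}
    return urlunsplit(parts._replace(query=urlencode(remaining, doseq=True)))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line that sends the id only over TLS (Secure), hides it from
    page scripts (HttpOnly) and omits it from most cross-site requests (SameSite)."""
    return (f"Set-Cookie: {SESSION_PARAM}={session_id}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    sample_weak = [weak_session_id() for _ in range(5)]
    sample_strong = [strong_session_id() for _ in range(5)]
    print("weak ids sequential?  ", looks_sequential(sample_weak))
    print("strong ids sequential?", looks_sequential(sample_strong))
    leaky = "https://app.example.test/orders?page=2&sessionid=1003"  # constructed URL
    print("id exposed in URL:", session_id_in_query(leaky))
    print("cleaned URL:      ", strip_session_from_url(leaky))
    print(session_cookie_header(strong_session_id()))
```

The `Secure` attribute addresses the sniffer point in the reply: once the key is sent only inside a TLS connection it is no longer readable on the wire, which a query-string id on a plain `http://` link never achieves. `looks_sequential` is deliberately narrow; it is a quick audit of a sample of issued IDs, not a substitute for generating them from a CSPRNG in the first place.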
Hello Ali,

I noticed that you posted the same question in
microsoft.public.dotnet.framework.aspnet.security too. I have replied to you
there. If you have free time, please check my reply in that group.

If you have any more concerns on it, please feel free to post there. Thanks
very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 18 '05 #3
