469,270 Members | 1,510 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,270 developers. It's quick & easy.

Patterns And Practices Security Checklists

A.M
Hi,

In Architecture and Design Review Security Checklist at following link:

http://msdn.microsoft.com/library/en...rame=true&_r=1

I don't underestand following two items:

1) Session state is protected from unauthorized access.
2) Session identifiers are not passed in query strings.

How an unauthorized access to session state can happen and why would i pass
session identifier in query string ?

Thanks,
Ali
Nov 18 '05 #1
2 1667
there are only a couple of ways to pass a session key

1) in a cookie (asp.net)
2) in the url
3) hidden field (though a url is often required for bootstrap)

your worried about how easy it is to hijack someone's session. in all the
above techinques the session key can be discovered by a network sniffer. so
now that i have the key, how easy is to use. a sample of a bad session key,
is an incrementing number, these are easy to hijack.
-- bruce (sqlwork.com)

"A.M" <IH*******@sapm123.com> wrote in message
news:#F**************@TK2MSFTNGP11.phx.gbl...
Hi,

In Architecture and Design Review Security Checklist at following link:

http://msdn.microsoft.com/library/en...es.asp?frame=t
rue&_r=1
I don't underestand following two items:

1) Session state is protected from unauthorized access.
2) Session identifiers are not passed in query strings.

How an unauthorized access to session state can happen and why would i pass session identifier in query string ?

Thanks,
Ali

Nov 18 '05 #2
Hello Ali,

I noticed that you posted the same question in
microsoft.public.dotnet.framework.aspnet.security too. I have replied you
there. If you have free time, please check my reply in that group.

If you have any more concerns on it, please feel free to post there. Thanks
very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! C www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 18 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.

By using this site, you agree to our Privacy Policy and Terms of Use.