
Are there drawbacks to Cookieless Sessions

I am working with cookieless sessions and I can't see any disadvantages,
especially if HTTP cookies are also used if the browser can support
them.

Several sites, e.g. groups.google.com, require HTTP cookies and I am
unsure why that is.

Can anyone throw any light on this?

Nov 19 '05 #1
They can be a security risk particularly if you allow posting
of links on your web site. If someone were to click one
of those links, that web site could retrieve the session id
from the HTTP_REFERER and use it to "take over"
an active session.

I have tested this myself and it is incredibly easy
to duplicate successfully.

--
Robbe Morris - 2004/2005 Microsoft MVP C#
Free Source Code for ADO.NET Object Mapper To DataBase Tables And Stored
Procedures
http://www.eggheadcafe.com/articles/..._generator.asp


"Logician" <sa***@logicians.com> wrote in message
news:11**********************@g14g2000cwa.googlegroups.com...
I am working with cookieless sessions and I can't see any disadvantages,
especially if HTTP cookies are also used if the browser can support
them.

Several sites, e.g. groups.google.com, require HTTP cookies and I am
unsure why that is.

Can anyone throw any light on this?

Nov 19 '05 #2
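The leak Robbe describes, modelled as an added example that is not code from the thread: it extracts the id from the /(S(...))/ path segment ASP.NET uses for cookieless sessions, computes the Referer a browser sends on an outbound click, and shows how the Referrer-Policy response header (a browser feature that postdates this thread) keeps that segment out of cross-origin requests. The URLs are constructed samples and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# ASP.NET cookieless sessions put the id in a path segment shaped /(S(<id>))/.
SESSION_SEGMENT = re.compile(r"/\(S\(([A-Za-z0-9]+)\)\)/")


def session_id_from_url(url):
    """Return the cookieless session id embedded in url, or None."""
    match = SESSION_SEGMENT.search(urlsplit(url).path)
    return match.group(1) if match else None


def origin(url):
    parts = urlsplit(url)
    return parts.scheme, parts.netloc


def referer_sent(page_url, link_url, policy="no-referrer-when-downgrade"):
    """Referer a browser sends when a page at page_url navigates to link_url.

    Only the three policies needed here are modelled:
      no-referrer-when-downgrade       full URL (historical default, path included)
      strict-origin-when-cross-origin  full URL same-origin, origin only cross-origin
      no-referrer                      header omitted
    An https -> http downgrade suppresses the header under the first two.
    """
    if policy == "no-referrer":
        return None
    if urlsplit(page_url).scheme == "https" and urlsplit(link_url).scheme == "http":
        return None
    if policy == "strict-origin-when-cross-origin" and origin(page_url) != origin(link_url):
        scheme, netloc = origin(page_url)
        return f"{scheme}://{netloc}/"
    return page_url.split("#")[0]  # full URL, including the (S(...)) segment


def leaked_session_id(page_url, link_url, policy="no-referrer-when-downgrade"):
    """Session id the site behind link_url learns from the Referer, or None."""
    if origin(page_url) == origin(link_url):
        return None  # same-origin: the site already holds its own session id
    referer = referer_sent(page_url, link_url, policy)
    return session_id_from_url(referer) if referer else None


if __name__ == "__main__":
    # Constructed sample: a cookieless ASP.NET page linking to a third-party forum.
    page = "https://shop.example/(S(lit3py55t21z5v55vlm25s55))/cart.aspx"
    link = "https://forum.example/thread/42"
    print("default policy leaks:", leaked_session_id(page, link))
    print("strict policy leaks:", leaked_session_id(page, link, "strict-origin-when-cross-origin"))
```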
WJ

"Robbe Morris [C# MVP]" <in**@eggheadcafe.com> wrote in message
news:eR**************@tk2msftngp13.phx.gbl...

I have tested this myself and it is incredibly easy to duplicate
successfully.


You may be able to avoid this so-called "session hijack" by allowing only
one (1) location per sessionID (whoever gets on 1st will be considered
legit).

John
Nov 19 '05 #3
John,

But what identifies a single location? So many people are behind proxy
servers that one user may easily look like another. At work there are over
one thousand of us and to a website it looks like we're all at the exact
same address...

--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
"WJ" <Jo*******@HotMail.Com> wrote in message
news:OH**************@tk2msftngp13.phx.gbl...

"Robbe Morris [C# MVP]" <in**@eggheadcafe.com> wrote in message
news:eR**************@tk2msftngp13.phx.gbl...

I have tested this myself and it is incredibly easy to duplicate
successfully.


You may be able to avoid this so-called "session hijack" by allowing only
one (1) location per sessionID (whoever gets on 1st will be considered
legit).

John

Nov 19 '05 #4
WJ
"S. Justin Gengo" <sjgengo@[no_spam_please]aboutfortunate.com> wrote in
message news:uf**************@TK2MSFTNGP15.phx.gbl...
John,

But what identifies a single location? So many people are behind proxy
servers that one user may easily look like another. At work there are over
one thousand of us and to a website it looks like we're all at the exact
same address...


I did say "may be" in the previous reply. In your case, it may not be
possible because your company may have NAT (?) or something similar to fake
or disguise the client IP. However, in my case, I know each client is
assigned a unique IP address by DHCP. In summary, as long as you can find a
unique identifier to identify who your clients are, it is not impossible to
implement.

John
Nov 19 '05 #5

Robbe Morris [C# MVP] wrote:
They can be a security risk particularly if you allow posting
of links on your web site. If someone were to click one
of those links, that web site could retrieve the session id
from the HTTP_REFERER and use it to "take over"
an active session.

I have tested this myself and it is incredibly easy
to duplicate successfully.


I have read that Microsoft solutions are littered with security issues,
and maybe this is an example.

I do get a lot of complaints from my customers regarding my CPI link
(payment link to Barclaycard requiring Javascript at the EDPQ site),
and they complain it won't work due to firewalls.

The figure for me is about 10-20% of customers. I contacted Barclaycard
and I was told: "If you don't like it, write your own software - this is
the MPI service also offered."

I see a lot of websites making strong assumptions about client systems,
which are not valid in many cases. I find it incredible that large
companies will ignore so many Web visitors by coding for only certain
client systems.

I was trying to find a solution to handle all clients.

Nov 19 '05 #6
John,

Ok, I agree, if the situation warrants it that may be a solution. I wasn't
trying to say your idea was a bad one. I just wanted logician to know the
possible ramifications if the site being worked on is public...

--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
"WJ" <Jo*******@HotMail.Com> wrote in message
news:OX**************@TK2MSFTNGP09.phx.gbl...
"S. Justin Gengo" <sjgengo@[no_spam_please]aboutfortunate.com> wrote in
message news:uf**************@TK2MSFTNGP15.phx.gbl...
John,

But what identifies a single location? So many people are behind proxy
servers that one user may easily look like another. At work there are
over one thousand of us and to a website it looks like we're all at the
exact same address...


I did say "may be" in the previous reply. In your case, it may not be
possible because your company may have NAT (?) or something similar to fake
or disguise the client IP. However, in my case, I know each client is
assigned a unique IP address by DHCP. In summary, as long as you can find
a unique identifier to identify who your clients are, it is not impossible
to implement.

John

Nov 19 '05 #7
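The "one location per sessionID" rule from WJ's replies, together with the NAT and proxy caveat Justin raises, as an added example that is not code from the thread: a session table binds each id to the address that first presented it and refuses later use from another address, and a helper decides which address to bind to when the request came through a reverse proxy. The addresses, session id, trusted-proxy list and function names are all constructed for the demonstration.

```python
import time


def effective_client_ip(remote_addr, forwarded_for, trusted_proxies):
    """Address to bind a session to. X-Forwarded-For is client-supplied, so it is
    only honoured when the TCP peer is one of our own reverse proxies; the
    right-most hop that is not a trusted proxy is then taken as the client."""
    if remote_addr not in trusted_proxies or not forwarded_for:
        return remote_addr
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


class BoundSessionStore:
    """Session table that binds each id to the address that first presented it.
    A later request with the same id from another address is refused and logged
    as suspect. Limits: two users behind one NAT address are indistinguishable,
    and a legitimate user whose address changes (mobile, proxy pool) is locked out."""

    def __init__(self, idle_timeout=1200):
        self._sessions = {}  # session_id -> (bound_ip, last_seen)
        self.idle_timeout = idle_timeout
        self.suspect = []    # (session_id, bound_ip, offending_ip)

    def validate(self, session_id, client_ip, now=None):
        """True if client_ip may use session_id, False if it looks hijacked."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None or now - entry[1] > self.idle_timeout:
            self._sessions[session_id] = (client_ip, now)  # first-seen binding
            return True
        bound_ip, _ = entry
        if bound_ip != client_ip:
            self.suspect.append((session_id, bound_ip, client_ip))
            return False
        self._sessions[session_id] = (bound_ip, now)
        return True


if __name__ == "__main__":
    # Constructed sample: an id leaked via Referer is replayed from another address.
    store = BoundSessionStore()
    sid = "lit3py55t21z5v55vlm25s55"
    store.validate(sid, "203.0.113.10", now=1000)
    print("replay from other address accepted:", store.validate(sid, "198.51.100.7", now=1020))
    print("suspect log:", store.suspect)
```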
