Bytes | Software Development & Data Engineering Community


how to prevent users from sharing their cookieless session id?

We are using cookieless sessions, and so the URL shows the session id,
e.g. http://ourdomain.com(ixbradnm5qmdfwi.../somepage.aspx.

When a user comes to our main page, they have to provide a username and
password. We authenticate the username and password against our
database, and if they match, we let the user in the door, so to speak,
by assigning session variables with a new visitid, and a unique
visitorid, and then redirecting the user to our internal pages.
We want each user's session to be unique to the user.

How can we stop the practice where a user, who has made it through the
door, pastes an inner page's URL into an email message and sends it to
his or her colleagues (when they find something they'd like to share,
for example)? If the session hasn't timed out, the colleagues who
receive the email and click on the link get access to the original
user's session and personal information, such as last 10 items viewed,
email address, interests, and so forth.
Thanks
Liam
Mar 10 '06 #1
DWS
Rule one of security: don't make your own security.
Go to another group.

Mar 10 '06 #2
This is the main disadvantage of using the URL for the session ID. There are no
easy fixes. You can change the URL session ID on every page flip and not
honor old session IDs. This has the side effect that if the user refreshes, they
have to log in again. A better approach is to store the session ID in a hidden
field and avoid redirects.

-- bruce (sqlwork.com)

Mar 10 '06 #3
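The flow Liam describes (password login, session ID carried in the URL, redirect to an inner page) and the per-page-flip rotation Bruce suggests, replayed side by side as an added example. This is not code from the thread or from ASP.NET: the URL layout http://ourdomain.com/(sid)/page.aspx, the in-memory SessionStore, the demo user and the scenario script are all constructed stand-ins, and the real ASP.NET cookieless session module is not reproduced.

```python
import re
import secrets
from urllib.parse import urlsplit

# Constructed demo credential store (plaintext only to keep the example short).
USERS = {"liam": "example-password"}

# Assumed URL layout for the cookieless session ID: the ID sits in a
# parenthesised path segment in front of the page, as in the thread's example.
SID_PATH = re.compile(r"^/\(([A-Za-z0-9_-]+)\)/(.*)$")


def build_url(sid, page):
    return f"http://ourdomain.com/({sid})/{page}"


def parse_url(url):
    """Split a cookieless URL into (session_id, page); (None, None) if absent."""
    m = SID_PATH.match(urlsplit(url).path)
    if not m:
        return None, None
    return m.group(1), m.group(2)


class SessionStore:
    """Server-side sessions keyed by the URL-carried ID.

    rotate=False: the ID issued at login is honoured until timeout, so a
    pasted URL carries the whole session with it (the situation Liam reports).
    rotate=True: every request consumes the presented ID and issues a fresh
    one; old IDs are not honoured (Bruce's per-page-flip rotation).
    """

    def __init__(self, rotate):
        self.rotate = rotate
        self.sessions = {}  # session_id -> session data

    def login(self, username, password):
        if USERS.get(username) != password:
            return None
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": username, "visitid": secrets.token_hex(8)}
        return sid

    def resolve(self, url):
        """Serve a request: return (session, url_for_next_link) or (None, None)."""
        sid, page = parse_url(url)
        sess = self.sessions.get(sid)
        if sess is None:
            return None, None
        if self.rotate:
            # Single use: retire the presented ID so any copy of this URL
            # (email, bookmark, refresh, back button) is dead from now on.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(24)
            self.sessions[sid] = sess
        return sess, build_url(sid, page)


def demo(rotate):
    """Replay the scenario from the thread and report who gets in."""
    store = SessionStore(rotate)
    sid = store.login("liam", USERS["liam"])
    page_url = build_url(sid, "somepage.aspx")  # where the post-login redirect lands

    # Liam loads the inner page; the address bar now shows page_url and the
    # links on that page carry next_url.
    _, next_url = store.resolve(page_url)

    # Liam copies the address bar into an email; a colleague clicks it.
    colleague_sess, _ = store.resolve(page_url)

    # Liam keeps browsing by clicking a link on the page he already has.
    liam_sess, _ = store.resolve(next_url)

    # Liam hits refresh on the original page.
    refresh_sess, _ = store.resolve(page_url)

    return {
        "colleague_gets_session": colleague_sess is not None,
        "liam_keeps_browsing": liam_sess is not None,
        "refresh_keeps_session": refresh_sess is not None,
    }


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotation" if rotate else "no rotation", demo(rotate))
```

Without rotation the colleague, Liam's next click and Liam's refresh all succeed, which is exactly the leak Liam describes. With rotation the ID is single use, so whoever presents a given URL first wins: the copied address-bar URL was already consumed by Liam's own page load, so the colleague is refused, but the same rule is what makes refresh fail and forces a new login, the side effect Bruce mentions. A link Liam has seen but not yet clicked would still be live for the first person who clicks it, which is why Bruce says there are no easy fixes; his other suggestion, carrying the ID in a hidden form field, keeps it out of the address bar so it is not what gets copied in the first place.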
Thanks, DWS. I hadn't noticed that there's an asp.net security ng.
Moving along :-)

Mar 10 '06 #4