
asp.net cookie security

In ASP, when we authenticate a user we insert a record in a table
containing data such as the client IP address and session ID; the
session ID representing this record in the database is appended to the
query string for each request. When a request is processed, the session
data in the database is compared to the client's session ID and IP
address, and if it does not match then access is denied. This approach
prevents cookies being stolen or sessions hijacked from another
computer.

This solution seems to be implemented in many classic ASP sites, but I
have not seen a single ASP.NET site that has some kind of session ID
appended to the query string for all requests. Does ASP.NET have some
extra security that makes this idea obsolete?

Nov 1 '06 #1
You can use cookieless sessions, which will append the SessionID to the
URL, but that does not sound like what you are talking about.

As far as the second question goes, ASP.NET is more secure than ASP, but
there is nothing to stop hijacked session cookies. It is a rare hack,
however, as there are far too many houses that have the doors wide open.
Instituting SSL will eliminate the need as well, as the session cookie is
part of an encrypted stream.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com

Nov 1 '06 #2
Also, storing the client IP address only works on local LANs with no
proxy/firewalls. With proxy servers (and NAT translation), several users
will have the same IP address, or the client's IP address may change on
different requests.

-- bruce (sqlwork.com)
Nov 1 '06 #3
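As an added example (not code from the thread, nor from ASP or ASP.NET), here is the server-side check the question describes, driven through the three cases the replies raise: a session ID replayed from a different network is refused, one replayed from behind the same NAT passes, and the legitimate user is refused when their proxy egress address changes. The IP addresses are constructed documentation-range values.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Documentation-range addresses (RFC 5737), constructed for this example.
NAT_EGRESS = "203.0.113.10"                         # shared address of an office behind NAT
PROXY_A, PROXY_B = "198.51.100.7", "198.51.100.8"   # rotating proxy egress addresses
OUTSIDER = "192.0.2.99"                             # a host on an unrelated network


@dataclass
class SessionRecord:
    user: str
    client_ip: str


class SessionStore:
    """Server-side session table as the thread describes: one record per
    authenticated user holding the session id and the originating IP."""

    def __init__(self) -> None:
        self._records: Dict[str, SessionRecord] = {}

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable id carried in URL or cookie
        self._records[sid] = SessionRecord(user, client_ip)
        return sid

    def validate(self, session_id: str, client_ip: str) -> Optional[str]:
        """Return the user when the id is known AND the request IP matches the
        stored one; None means the request is refused."""
        rec = self._records.get(session_id)
        if rec is None or rec.client_ip != client_ip:
            return None
        return rec.user


def run_scenarios() -> Dict[str, Optional[str]]:
    """Three constructed requests against the same store."""
    store = SessionStore()
    alice_sid = store.create("alice", NAT_EGRESS)
    carol_sid = store.create("carol", PROXY_A)
    return {
        # Refused: id presented from an address the record never saw.
        "id_from_other_network": store.validate(alice_sid, OUTSIDER),
        # Accepted: a second host behind the same NAT presents alice's id
        # with the same egress address, so the IP check cannot tell them apart.
        "id_from_same_nat": store.validate(alice_sid, NAT_EGRESS),
        # Wrongly refused: carol's proxy egress changed between requests.
        "owner_after_ip_change": store.validate(carol_sid, PROXY_B),
    }
```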