Bytes | Software Development & Data Engineering Community

asp.net cookie security

In ASP, when we authenticate a user we insert a record in a table
containing data such as the client IP address and session ID. The
session ID representing this record in the database is appended to the
query string for each request. When a request is processed, the session
data in the database is compared to the client's session ID and IP
address, and if it does not match then it's access denied. This approach
prevents cookies being stolen or sessions hijacked from another
computer.

This solution seems to be implemented in many classic ASP sites, but I
have not seen a single asp.net site that has some kind of sessionID
appended in the query string for all requests. Does asp.net have some
extra security that makes this idea obsolete?

Nov 1 '06 #1
You can use the cookieless sessions, which will append SessionID to the
URL, but that does not sound like what you are talking about.

As far as the second question goes, ASP.NET is more secure than ASP, but
there is nothing to stop hijacked session cookies. It is a rare hack,
however, as there are far too many houses that have the doors wide open.
Instituting SSL will eliminate the need, as well, as the session cookie is
part of an encrypted stream.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com

*************************************************
Think outside of the box!
*************************************************
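As an added illustration (not configuration from the thread or from either poster), this is where the two things the reply mentions are switched on in an ASP.NET 2.0 web.config: the `sessionState` `cookieless` setting that puts the session ID in the URL, and the settings that make the session cookie travel only over SSL. The `timeout`, `mode` and `loginUrl` values are assumed placeholders.

```xml
<configuration>
  <system.web>
    <!-- Option A: session ID appended to every URL, no session cookie at all.
         This is the closest ASP.NET equivalent of the classic-ASP scheme in the
         question; the ID then also shows up in server logs, bookmarks and
         Referer headers sent to other sites. (Commented out; assumed values.) -->
    <!-- <sessionState mode="InProc" cookieless="UseUri" timeout="20" /> -->

    <!-- Option B: cookie-based session, with every cookie the application
         creates (including ASP.NET_SessionId) marked Secure and HttpOnly, so
         the browser never sends it over plain HTTP. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <!-- The forms-authentication ticket cookie gets the same treatment. -->
      <forms loginUrl="Login.aspx" requireSSL="true" protection="All" />
    </authentication>
  </system.web>
</configuration>
```

Option A and Option B are alternatives; only one `sessionState` element may be present. With `requireSSL="true"` the framework refuses to issue the cookie on a non-SSL request, so the site has to be reachable over HTTPS end to end for Option B to work at all.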
Nov 1 '06 #2
Also, storing the client IP address only works on local LANs with no
proxy/firewalls. With proxy servers (and NAT translation), several users
will have the same IP address, or the client's IP address may change on
different requests.

-- bruce (sqlwork.com)
Nov 1 '06 #3
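As an added example that is not code from the thread or from ASP/ASP.NET, the following Python models the scheme in the original post (a session record holding the client's IP address, the session ID appended to the query string, a comparison against the store on every request) and then runs it through the two failure modes bruce describes: two clients behind one NAT or proxy presenting the same address, and a client whose address changes between requests. The `Request`, `SessionStore` and `authorize` names, the `sid` query parameter, the user names and the IP addresses (taken from documentation ranges) are all assumptions made up for the illustration.

```python
# Added example (not code from the thread). Models the scheme in the question:
# a session record holding the client's IP address, the session ID carried in
# the query string, and a per-request comparison against the store. The
# request shape, the "sid" parameter name, the users and the IP addresses are
# all constructed for illustration; the IPs are from documentation ranges.
import secrets
import sqlite3
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class Request:
    """What the server sees for one HTTP request."""
    url: str           # path plus query string, e.g. "/account?sid=..."
    remote_addr: str   # source address of the TCP connection


class SessionStore:
    """The 'table' from the question, as an in-memory SQLite database."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions ("
            "session_id TEXT PRIMARY KEY, username TEXT NOT NULL, ip TEXT NOT NULL)"
        )

    def create(self, username: str, ip: str) -> str:
        # An unguessable ID (256 bits) rather than a row number: the store is
        # keyed on this value, so it must not be predictable.
        sid = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO sessions (session_id, username, ip) VALUES (?, ?, ?)",
            (sid, username, ip),
        )
        return sid

    def lookup(self, sid: str):
        """Return (username, ip) for a known session ID, else None."""
        return self.db.execute(
            "SELECT username, ip FROM sessions WHERE session_id = ?", (sid,)
        ).fetchone()


def session_id_from_url(url: str):
    """Extract the session ID appended to the query string, or None."""
    values = parse_qs(urlparse(url).query).get("sid")
    return values[0] if values else None


def authorize(store: SessionStore, request: Request):
    """Return (allowed, reason_or_username) for one request."""
    sid = session_id_from_url(request.url)
    if sid is None:
        return (False, "no session id")
    row = store.lookup(sid)
    if row is None:
        return (False, "unknown session")
    username, bound_ip = row
    if bound_ip != request.remote_addr:
        return (False, "ip mismatch")
    return (True, username)


def scenarios() -> dict:
    """Exercise the check in the cases the thread discusses."""
    store = SessionStore()
    # Alice logs in from 203.0.113.10; the server appends sid=... to her links.
    sid = store.create("alice", "203.0.113.10")
    page = f"/account?sid={sid}"
    return {
        # Normal use from the address the session was bound to.
        "same_ip": authorize(store, Request(page, "203.0.113.10")),
        # Someone who copied the URL replays it from a different network:
        # this is the case the binding is designed to stop.
        "other_network": authorize(store, Request(page, "198.51.100.7")),
        # Bruce's first point: a second host behind the same NAT or proxy
        # presents the same source address, so the replay is indistinguishable
        # from Alice's own traffic and passes the check.
        "same_nat": authorize(store, Request(page, "203.0.113.10")),
        # Bruce's second point: a legitimate user whose egress address changes
        # between requests (proxy pool, reconnect) is locked out.
        "ip_changed": authorize(store, Request(page, "203.0.113.11")),
        # A guessed or forged ID never matches a row.
        "forged": authorize(store, Request("/account?sid=AAAA", "203.0.113.10")),
        # A request that lost its query string carries no session at all.
        "missing": authorize(store, Request("/account", "203.0.113.10")),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} -> {result}")
```

Running it prints one line per scenario. The two results worth comparing are "same_ip" and "same_nat", which the server cannot tell apart, and "ip_changed", where a legitimate user is rejected; together they are why the IP-binding check only buys anything on a network where each client's address is both stable and unique.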
