RE: Security and cookieless sessions

From: Stefan Schachner[MS] (sschac@online.microsoft.com)
Date: 10/25/02

Cookieless sessions are designed to support certain protocols which don't
support cookies (wireless phone browsing, for example) or for users who for
personal reasons turn cookie persistence off in their browsers. Since the
cookieless URL contains the session key, if someone were to obtain that value
surreptitiously while the session was active, they could use it to spoof the
real customer. The workaround is to use SSL or some other encryption
technology for your communications so that the URL is never sent in the
clear. You also need to have reasonable timeouts for ending the session so it
doesn't remain open long enough to make that tactic realistic.

I hope this helps

Stefan B. Schachner MCSE MCP MCP +I
IIS Newsgroup Support

Please do not send email directly to this alias. This is our online account
name for newsgroup participation only.

If you would like to open a support incident with Microsoft, call
1-800-936-5800

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
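The two settings the reply points at, session timeout and transport encryption, map onto an ASP.NET web.config like the one below. This is an added illustration, not configuration from the post or from Microsoft; it assumes an ASP.NET 1.x application with in-process session state, and the eight-hour "before" value is a constructed example of an over-long timeout.

```xml
<!-- BEFORE (weak): the session id travels in every URL and the idle
     timeout is so long that a leaked id stays usable for most of a day. -->
<configuration>
  <system.web>
    <sessionState mode="InProc"
                  cookieless="true"
                  timeout="480" />   <!-- 8 hours, constructed example -->
  </system.web>
</configuration>

<!-- AFTER (hardened): keep cookieless mode only where the clients need it,
     and cut the idle timeout so an intercepted id dies quickly. -->
<configuration>
  <system.web>
    <sessionState mode="InProc"
                  cookieless="true"
                  timeout="20" />    <!-- minutes of inactivity before the id expires -->
  </system.web>
</configuration>
```

The timeout is the only one of the two mitigations that sessionState itself controls. Keeping the URL off the wire in the clear is done outside this element: in IIS by requiring a secure channel (SSL) on the site or directory that serves the application, so that every request carrying the id in its path arrives over HTTPS.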
