Re: Querystring hash?

From: Kim Bach Petersen (msnews@kensho.dk)
Date: 02/13/03


From: "Kim Bach Petersen" <msnews@kensho.dk>
Date: Thu, 13 Feb 2003 10:33:57 +0100


> You can
> then generate an encryption-key based on the username and/or
> sessionid to make sure, that the link/querystring is only valid for
> the current user in the current session.

I forgot the sample code: this will make a 256-bit key from username and
SessionId (or any other string):

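' Requires: Imports System.Security.Cryptography
' SHA-256 always yields 32 bytes, i.e. a 256-bit Rijndael key
Dim Hasher As New SHA256Managed()
Dim arrKeystring() As Byte
' Key material: the signed-in user's name followed by the session id
Dim strKeybase As String = Page.User.Identity.Name & Session.SessionId
arrKeystring = New System.Text.UTF8Encoding().GetBytes(strKeybase)
clientRijndael.Key = Hasher.ComputeHash(arrKeystring)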

Just to make the picture complete: Some browsers re-use a sessionid, that
is, you can sign out and back in and the sessionid doesn't change. In our
scenario that means that if the key is based on sessionid only, all users of
the same browser instance will get access. To avoid this one could make a
key based on both username and sessionid (as above) or simply force a new
sessionid by deleting the old one at signout:

Response.Cookies("ASP.NET_SessionId").Value = Nothing

Kim :o)
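
The binding described in the post, as an added console example that is not part of the original message: a query string sealed for one user and session is rejected for another user on a reused session id and for the same user in a new session. Assumptions not in the post: a server-side `ServerSecret` is mixed into the key (user name and session id are both values the browser already holds), `Aes.Create()` stands in for the post's `clientRijndael`, an HMAC tag is appended so a wrong key is rejected reliably rather than by a padding error, and all names and sample values are hypothetical.

```vbnet
Imports System
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

Module SealedQueryDemo
    ' Assumption: random secret held only by the server (constructed value for this demo).
    Private ReadOnly ServerSecret As Byte() = Encoding.UTF8.GetBytes("constructed-demo-secret")

    ' 64 bytes per user and session (32 encrypt, 32 authenticate); length prefix separates ("ab","c") from ("a","bc").
    Function DeriveKeys(userName As String, sessionId As String) As Byte()
        Using kdf As New HMACSHA512(ServerSecret)
            Return kdf.ComputeHash(Encoding.UTF8.GetBytes(userName.Length.ToString() & ":" & userName & sessionId))
        End Using
    End Function

    ' Token layout: Base64(IV | AES-256-CBC ciphertext | HMAC-SHA256 tag).
    Function SealQuery(query As String, keys As Byte()) As String
        Dim plain As Byte() = Encoding.UTF8.GetBytes(query)
        Using cipher As Aes = Aes.Create(), mac As New HMACSHA256(keys.Skip(32).ToArray())
            cipher.Key = keys.Take(32).ToArray()   ' Create() already picked a random IV
            Dim body As Byte() = cipher.IV.Concat(cipher.CreateEncryptor().TransformFinalBlock(plain, 0, plain.Length)).ToArray()
            Return Convert.ToBase64String(body.Concat(mac.ComputeHash(body)).ToArray())
        End Using
    End Function

    ' Returns the query string, or Nothing when the token was sealed for another user or session.
    Function OpenQuery(token As String, keys As Byte()) As String
        Dim raw As Byte() = Convert.FromBase64String(token)
        If raw.Length < 64 Then Return Nothing   ' IV (16) + one block (16) + tag (32)
        Dim body As Byte() = raw.Take(raw.Length - 32).ToArray()
        Using cipher As Aes = Aes.Create(), mac As New HMACSHA256(keys.Skip(32).ToArray())
            Dim expected As Byte() = mac.ComputeHash(body)
            Dim diff As Integer = 0
            For i As Integer = 0 To 31   ' compare every byte, no early exit
                diff = diff Or (expected(i) Xor raw(body.Length + i))
            Next
            If diff <> 0 Then Return Nothing   ' reject before decrypting anything
            cipher.Key = keys.Take(32).ToArray()
            cipher.IV = body.Take(16).ToArray()
            Return Encoding.UTF8.GetString(cipher.CreateDecryptor().TransformFinalBlock(body, 16, body.Length - 16))
        End Using
    End Function

    Sub Main()   ' constructed sample values throughout
        Dim token As String = SealQuery("orderid=1042", DeriveKeys("alice", "sess-1"))
        Console.WriteLine(OpenQuery(token, DeriveKeys("alice", "sess-1")))             ' same user and session
        Console.WriteLine(OpenQuery(token, DeriveKeys("bob", "sess-1")) Is Nothing)    ' other user, reused session id
        Console.WriteLine(OpenQuery(token, DeriveKeys("alice", "sess-2")) Is Nothing)  ' same user, new session
    End Sub
End Module
```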


