Re: Hijack Session
From: Chris Jackson (chrisjATmvpsDOTorgNOSPAM)
Date: 01/08/04
- In reply to: Dave: "Hijack Session"
Date: Thu, 8 Jan 2004 16:08:46 -0500
Well, the only way to really do this is to prevent somebody from getting the
session id in the first place - this is the danger of cookieless session
state, where it is in the URL for all to see. Once somebody has the ID,
there isn't anything you can do to differentiate that person from the
legitimate user. If information is extremely sensitive, then don't use
persistent cookies (so they won't be sitting on disk) and use HTTPS so it's
encrypted over the wire. Require authentication again when you get to
something particularly sensitive.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--
"Dave" <anonymous@discussions.microsoft.com> wrote in message
news:014e01c3d60d$9ca9abb0$a301280a@phx.gbl...
> Has anyone seen any good examples of how to stop someone
> from stealing the session id to hijack the session?
>
> Thanks...
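
An added example, not part of the original post or of any framework's own code: a framework-neutral Python sketch of the measures named in the reply above (session ID accepted only from a cookie, never from the URL; a non-persistent cookie marked for HTTPS only; re-authentication before sensitive actions). The names SESSIONS, REAUTH_WINDOW and the cookie name "sid" are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

REAUTH_WINDOW = 300   # assumed policy: password re-entry valid for 5 minutes
SESSIONS = {}         # in-memory store for the example: sid -> session record


def start_session(user, now=None):
    """Create a session with an unguessable ID after a successful login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user,
                     "auth_time": time.time() if now is None else now}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value: no Expires/Max-Age, so the browser keeps the cookie
    in memory only; Secure, so it is sent over HTTPS only."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True   # also keep it away from page script
    return cookie["sid"].OutputString()


def session_from_request(cookie_header, query_params):
    """Look the session up from the Cookie header only. query_params is
    ignored on purpose: an ID carried in the URL is visible in logs,
    history and Referer headers, so it is never honoured."""
    morsel = SimpleCookie(cookie_header or "").get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def needs_reauth(session, now=None):
    """True when a sensitive action must ask for credentials again."""
    now = time.time() if now is None else now
    return session is None or now - session["auth_time"] > REAUTH_WINDOW


def reauthenticate(session, now=None):
    """Record a fresh credential check (password verified by the caller)."""
    session["auth_time"] = time.time() if now is None else now
```
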