Re: Major ASP.Net Security Issue?

From: Ray at <%=sLocation%> [MVP] (%=sLocation%)
Date: 02/01/04


Date: Sun, 1 Feb 2004 00:00:38 -0500

It seems to me that this would be listed as a predictable downside to using
cookieless sessions. Verifying IPs and/or user agents wouldn't be any real
way to avoid this, so it makes sense to me that this wouldn't be the default
behavior for asp.net to check that. And if it were to check it, where would
it store this info? In session variables? Hmmph.

-- 
Ray at home
Microsoft ASP MVP
"Keith" <keith@keithadler.com> wrote in message
news:77b601c3e87d$1c5144f0$a101280a@phx.gbl...
> I have found what I believe to be a serious security
> issue in ASP.Net.  If you have:
>
> 1. Your website configured for anonymous access
> 2. Elect under web.config to set the sessionstate
> attribute of cookieless to true
>
> Anyone from any IP address or across another browser can
> copy the URL and work within the session. My question
> is "Why doesn't ASP.Net provide an option around ensuring
> all requests for a user session originate from the same
> IP address and/or same useragent?"  I know that some
> people sit behind firewalls, proxies and layer 4 devices
> that could load balance and affect HTTP traffic, but it
> honestly escapes me why I can access my web application
> on any machine inside or outside of my network with just
> the sessionid in the URL from even different browsers.
> There must be a way to control this in the
> configuration.  Am I alone in finding this troubling?
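As an added example (not part of this thread), the following Python script applies the check Keith asks about after the fact on the server side: it scans IIS-style log lines for the session token ASP.NET embeds in a cookieless URL and reports any token presented from more than one client IP or user agent. The log lines, their field layout and the session IDs are constructed for the example.

```python
import re
from collections import defaultdict

# Session token ASP.NET embeds in a cookieless URL (24-character ID):
#   ASP.NET 1.1 style:  /(abcdefghijklmnopqrstuvwx)/default.aspx
#   ASP.NET 2.0 style:  /(S(abcdefghijklmnopqrstuvwx))/default.aspx
SESSION_IN_URL = re.compile(r"/\((?:S\()?([a-z0-9]{24})\)\)?/", re.IGNORECASE)

# Constructed sample lines, W3C extended log style (spaces in the UA are '+'):
# date time c-ip cs-method cs-uri-stem cs(User-Agent)
SAMPLE_LOG = """\
2004-02-01 00:00:10 10.1.1.5 GET /(S(abcdefghijklmnopqrstuvwx))/orders.aspx Mozilla/4.0+(MSIE+6.0)
2004-02-01 00:00:41 10.1.1.5 GET /(S(abcdefghijklmnopqrstuvwx))/cart.aspx Mozilla/4.0+(MSIE+6.0)
2004-02-01 00:02:03 203.0.113.9 GET /(S(abcdefghijklmnopqrstuvwx))/cart.aspx Mozilla/5.0+(Firebird)
2004-02-01 00:03:15 10.1.1.6 GET /(zyxwvutsrqponmlkjihgfedc)/home.aspx Mozilla/4.0+(MSIE+6.0)
2004-02-01 00:03:30 10.1.1.6 GET /(zyxwvutsrqponmlkjihgfedc)/home.aspx Mozilla/4.0+(MSIE+6.0)
2004-02-01 00:04:00 10.1.1.7 GET /login.aspx Mozilla/4.0+(MSIE+6.0)
"""

def parse_line(line):
    """Return (session_id, client_ip, user_agent) or None if the request
    carried no session token in its URL."""
    fields = line.split()
    if len(fields) < 6:
        return None
    _date, _time, c_ip, _method, uri, ua = fields[:6]
    m = SESSION_IN_URL.search(uri)
    if not m:
        return None
    return m.group(1), c_ip, ua

def find_shared_sessions(log_text):
    """Map each cookieless session ID that was presented from more than one
    client IP or user agent to the set of IPs and UAs it was seen with."""
    seen = defaultdict(lambda: {"ips": set(), "uas": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sid, ip, ua = parsed
        seen[sid]["ips"].add(ip)
        seen[sid]["uas"].add(ua)
    return {sid: v for sid, v in seen.items()
            if len(v["ips"]) > 1 or len(v["uas"]) > 1}

if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_LOG).items():
        print(sid, "seen from", sorted(info["ips"]), "with", sorted(info["uas"]))
```

As Ray points out, proxies, firewalls and load balancers legitimately change the client IP mid-session, so treat a hit as something to review rather than proof of a copied URL.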

