ASP.Net 1.1 cookieless session security issue?

From: Stefan Hoffmann (s.hoffmann_at_d-s-a-g.de)
Date: 09/28/05


Date: Wed, 28 Sep 2005 11:45:25 +0200

Hello everyone!

We are developing a webshop in asp.net. We did not want to use cookies
for session management, so we tried cookieless sessions.

This changes the URL requested to something like

http://.../WebApplication3/(xwa4n4a3cr45h2idog25v355)/WebForm1.aspx

Well, this -> (xwa4n4a3cr45h2idog25v355) is the session id. Someone
sniffing on the net can easily obtain this request and use it from
another computer. As long as the session still exists, this someone will
have full access to all the user's information at that moment. I thought
at least it should be bound to an IP to prevent such attacks from other
networks than the one the user is using at the moment.

Another not really nice behaviour of the cookieless session management
is that you can reuse (or maybe better: inject?) session ids. When the
session has already expired and you use a link with a session id,
asp.net will create a new session - but use the old id.
Now - you can imagine what happens if someone posts such a link in a
forum or something (to e.g. show all his friends that there is a
wonderful cheap and extremely useful article in the webshop). They will
be shopping in a group (hey - nice feature :/)...
Additionally I don't have a clue how to prevent these ids from being
bookmarked. I don't really want every user in the shop to have his or her
own private session id.

Any proposals on how to circumvent these problems?
Maybe I just configured something really wrong?

Thanks in advance,
    Stefan Hoffmann
PS: If you don't understand my English, ask and I will try to explain.
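As an added illustration of the two behaviours described in the post (this is example code written for this page, not code from the poster or from ASP.NET): a small Python model of a session store that adopts whatever id arrives in the URL, beside one that only honours ids it issued itself and rotates the id at login. The class and function names, the session TTL and the Alice/Bob/Carol scenarios are constructed for this example.

```python
"""URL-carried (cookieless) session ids: a fixation-prone store beside a
hardened one. Added example, not ASP.NET code; names are this example's own."""
import secrets


class FixatingSessionStore:
    """Behaves like the post describes: the id in the URL is honoured as-is.
    When no live session exists under it, a fresh session is created under
    that same id, so a posted or bookmarked link puts every visitor into
    one shared session."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._sessions = {}  # sid -> [data dict, last-seen time]

    def resolve(self, sid_from_url, now):
        sid = sid_from_url or secrets.token_urlsafe(24)
        entry = self._sessions.get(sid)
        if entry is None or now - entry[1] > self.ttl:
            entry = [{}, now]              # new session, but the OLD id is reused
            self._sessions[sid] = entry
        entry[1] = now
        return sid, entry[0]


class HardenedSessionStore:
    """Only server-issued ids are accepted; an unknown or expired id is
    discarded and a fresh random id is issued instead. The id is rotated
    whenever the session's privilege changes (login)."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._sessions = {}

    def _issue(self, now):
        sid = secrets.token_urlsafe(24)    # 192 bits from the OS CSPRNG
        self._sessions[sid] = [{}, now]
        return sid, self._sessions[sid][0]

    def resolve(self, sid_from_url, now):
        entry = self._sessions.get(sid_from_url)
        if entry is None:
            return self._issue(now)        # never adopt a client-supplied id
        if now - entry[1] > self.ttl:
            del self._sessions[sid_from_url]
            return self._issue(now)        # expired: new id, empty state
        entry[1] = now
        return sid_from_url, entry[0]

    def regenerate(self, sid, now):
        """Call at login: a pre-authentication id that may have been sniffed
        or bookmarked must not become an authenticated session."""
        data, _ = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(24)
        self._sessions[new_sid] = [data, now]
        return new_sid


def shared_link_scenario(store, ttl):
    """Forum-link scenario from the post: Alice shops, her session expires,
    she posts the URL with her old id, Bob and Carol both follow it.
    Returns True when Bob and Carol land in one shared session."""
    alice_sid, alice_cart = store.resolve(None, now=0)
    alice_cart["items"] = ["widget"]
    later = ttl + 1                        # Alice's session has timed out
    bob_sid, bob_cart = store.resolve(alice_sid, now=later)
    carol_sid, carol_cart = store.resolve(alice_sid, now=later + 1)
    return bob_sid == carol_sid and carol_cart is bob_cart


def sniffed_link_scenario(store):
    """Sniffing scenario: the id is copied off the wire while the session is
    live. Returns True when the copier sees the victim's data. Both stores
    return True: an id in the URL is a bearer token, and only transport
    protection keeps it off the wire."""
    victim_sid, victim_data = store.resolve(None, now=0)
    victim_data["user"] = "victim"
    _, attacker_view = store.resolve(victim_sid, now=5)
    return attacker_view.get("user") == "victim"


def login_rotation_scenario(store):
    """After regenerate(), the pre-login id must no longer reach the
    authenticated session. Returns True when rotation worked."""
    sid, data = store.resolve(None, now=0)
    data["user"] = "alice"
    new_sid = store.regenerate(sid, now=1)
    _, via_old = store.resolve(sid, now=2)     # old id: fresh, empty session
    _, via_new = store.resolve(new_sid, now=2)
    return via_old.get("user") is None and via_new.get("user") == "alice"


if __name__ == "__main__":
    TTL = 600
    print("fixating store shares session:", shared_link_scenario(FixatingSessionStore(TTL), TTL))
    print("hardened store shares session:", shared_link_scenario(HardenedSessionStore(TTL), TTL))
    print("sniffed id still works (hardened):", sniffed_link_scenario(HardenedSessionStore(TTL)))
    print("login rotation works:", login_rotation_scenario(HardenedSessionStore(TTL)))
```

The hardened store fixes the second complaint (a stale or guessed id never becomes a live session, so the "shopping in a group" effect disappears) and the login rotation closes the fixation window, but it changes nothing about the first one: whoever can read the URL in transit holds the session, whichever store is behind it. Binding the id to a client IP only raises the bar for attackers on a different network and breaks for users whose address changes mid-session (mobile, proxy pools), so keeping the id off the wire with TLS is the control that actually addresses sniffing.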


