Re: ASP.Net 1.1 cookieless session security issue?
From: Dennis Vroegop (dvroegop_at_detrio.nl)
Date: 09/28/05
- In reply to: Stefan Hoffmann: "ASP.Net 1.1 cookieless session security issue?"
Date: Wed, 28 Sep 2005 19:39:16 +0200
In article <ej4nbFBxFHA.1456@TK2MSFTNGP11.phx.gbl>, s.hoffmann@d-s-a-g.de says...
> Hello everyone!
>
> We are developing a webshop in asp.net. We did not want to use cookies
> for session management, so we tried cookieless sessions.
>
>
This is a well-known shortcoming. At the last PDC in Los Angeles this
was demonstrated by Microsoft employees themselves. It's very easy for
someone to fake a session-id and suddenly find himself in someone else's
session. That's not what we want!
There is a good article on this at
http://www.developer.com/net/vb/article.php/2216431 where you can find
more information about this and how to prevent this from happening. It's
a good article so I won't try to replicate it here. Just read it :) (No,
I am not the author of that article nor do I get paid for advertising
it)
Good luck!