RE: XSS - Session hijacking



Hi Rob,

As for the SessionID cookie, it is generated internally by the default
SessionIdManager. You can find the internal code logic through Reflector.
Here is the code snippet extracted from it:

======default SessionIdManager class======

private static HttpCookie CreateSessionCookie(string id)
{
    // Name comes from <sessionState cookieName="..."> (default "ASP.NET_SessionId")
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // browsers that honour the flag hide it from document.cookie
    return cookie;
}

=================

As you can see, it explicitly sets HttpOnly to true. Also, I've tested the
session cookie via some JavaScript, and the JavaScript code cannot retrieve
it, which also indicates the cookie is HttpOnly and protected from
client script.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
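The selective approach Rob asked about (HttpOnly on the session and authentication cookies only, while cookies that cached pages still read from script stay untouched) can be done with an HttpModule instead of the site-wide <httpCookies httpOnlyCookies="true" /> switch. The following is an added example, not code from the thread or from ASP.NET; the cookie list is an assumption for illustration ("ASP.NET_SessionId" and ".ASPXAUTH" are the framework defaults, "AppPrefs" is hypothetical).

```csharp
using System;
using System.Web;

// Added example (not from the thread): forces HttpOnly on a named subset of
// the cookies the application sends, leaving all other cookies as they are.
public class SelectiveHttpOnlyModule : IHttpModule
{
    // Cookies that client-side script never needs to read (assumed list).
    private static readonly string[] ProtectedCookies =
    {
        "ASP.NET_SessionId",   // default session-id cookie name
        ".ASPXAUTH",           // default forms-authentication cookie name
        "AppPrefs"             // hypothetical application cookie
    };

    public void Init(HttpApplication app)
    {
        // Fires just before the response headers are flushed, after page code
        // and session state have added their cookies to Response.Cookies.
        app.PreSendRequestHeaders += new EventHandler(OnPreSendRequestHeaders);
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpCookieCollection cookies = app.Response.Cookies;

        // Iterate by index: Response.Cookies["name"] would silently create a
        // cookie that is not being sent, which is not wanted here.
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            if (IsProtected(cookie.Name))
            {
                cookie.HttpOnly = true;
            }
        }
    }

    // Case-insensitive membership test against the protected list.
    public static bool IsProtected(string cookieName)
    {
        foreach (string name in ProtectedCookies)
        {
            if (string.Equals(name, cookieName, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }

    public void Dispose() { }
}
```

Register it for ASP.NET 2.0 under <system.web><httpModules> with <add name="SelectiveHttpOnly" type="SelectiveHttpOnlyModule" />. To confirm the flag is actually applied, inspect the Set-Cookie response header (Firebug or a proxy) rather than document.cookie alone: an HttpOnly cookie is simply absent from document.cookie, so a missing value in script cannot by itself distinguish "protected" from "never set".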

--------------------
From: Robert Slaney <Robert Slaney@xxxxxxxxxxxxx>
References: <7201D671-3F80-4311-BF98-A180FFF9ED9F@xxxxxxxxxxxxx>
Subject: RE: XSS - Session hijacking
Date: Wed, 4 Feb 2009 18:40:46 -0800


I think that it is set already; Firebug with Firecookie shows the HttpOnly
attribute is on for ASPNET_SessionID.

"Robert Slaney" wrote:

note - using ASP.NET 2.0

I would like to set the HttpOnly cookie flag on the ASP.NET SessionID
cookie. I know I can set this via the httpCookies element in web.config, but
I don't want to set all cookies to have this flag.

I have some cached static pages that use values from the cookies in
JavaScript, so until I can re-engineer these pages to remove this I cannot
set the web.config in this way.

Does the default ASP.NET session provider have the ability to set its
cookie to HttpOnly?

Cheers...

Rob




