Re: Is the sessionState cookie a security risk.

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Thu, 2 Jun 2005 01:05:30 -0700


    IIS does not have a session state feature nor session state cookie.

    The concept of a "session" is at the application layer, not the HTTP layer
    where IIS runs, so IIS does not have a session state feature and hence cannot
    have a session state security risk.

    Your question completely depends on the application framework you run on top
    of IIS. I am guessing that you are talking about an ASP.Net application, and
    if so, you should consult the Forums at www.asp.net or
    microsoft.public.dotnet.framework.aspnet for better support for your
    question.

    My understanding is that ASP.Net Sessions are configurable to be as secure
    as you define. Security is never an absolute yes/no -- it is inherently a
    tradeoff between risk and cost. You need to first define your own tradeoff
    point, and then configure technology to meet your needs.

    -- 
    //David
    IIS
    http://blogs.msdn.com/David.Wang
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
    "RobAbbott@ElementK" <RobAbbott@ElementK@discussions.microsoft.com> wrote in
    message news:FE209C45-559D-4F12-A933-29C3E6BCEF71@microsoft.com...
      We had an outside security analysis done and they discovered the session
    cookie set by the session state feature. Business/Marketing does not want us
    to use the cookieless option where the sessionid is moved into the URL.
       Are we at risk of session hijacking? The people that performed the
    security audit recommend encrypting the session cookie, but I don't think that
    is an option.
       Any advice would be greatly appreciated
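For reference, the "configurable" part David points at, as an added example that is not part of the original thread: the ASP.NET sessionState section of a web.config, with the weak form beside a hardened one. It assumes ASP.NET 2.0 or later (the httpCookies element and the regenerateExpiredSessionId attribute do not exist in ASP.NET 1.x); the timeout value and the rest of the configuration file are illustrative.

```xml
<!-- Constructed example, not from the original thread. Assumes ASP.NET 2.0+. -->
<configuration>
  <system.web>

    <!-- Weak: the ASP.NET_SessionId cookie is sent over plain HTTP as well as
         HTTPS, is readable by script in the page, and stays valid for an hour
         of idle time. Nothing here is broken, but every one of these widens the
         window in which a captured cookie is useful. -->
    <!--
    <sessionState mode="InProc" cookieless="false" timeout="60" />
    -->

    <!-- Hardened: keep the ID in a cookie (so Business/Marketing keep their
         clean URLs), shorten the idle lifetime, and do not honour an expired ID
         presented by the client. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  cookieName="ASP.NET_SessionId"
                  timeout="20"
                  regenerateExpiredSessionId="true" />

    <!-- Mark cookies the runtime issues as HttpOnly (not readable via
         document.cookie) and Secure (only sent over HTTPS). requireSSL="true"
         assumes the whole site is served over HTTPS; on a mixed site the
         session cookie would simply never reach the HTTP pages. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  </system.web>
</configuration>
```

Two points worth keeping in mind when reading the auditor's recommendation. First, the ASP.NET session ID is already an opaque random value with no information in it, so encrypting the cookie does not change what someone who captures it can do with it; what limits hijacking is keeping the cookie off the wire in clear (HTTPS plus the Secure flag), keeping script away from it (HttpOnly) and keeping its lifetime short. Second, in cookie mode ASP.NET will happily start a new session under any well-formed session ID the client presents, so the configuration above does not by itself prevent session fixation; for that the application should abandon the session and clear the session cookie when the user authenticates, and should never treat the session ID as proof of identity.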
    
