Re: Null Sessions

From: Bhavna Chauhan[MSFT] (
Date: 02/26/04

Date: Thu, 26 Feb 2004 11:38:33 -0800

A null session is how Windows represents an anonymous user
For example, if a client A authenticates to B and allows B to imprersonate
A. Later on if B has to authenticate to C using A's credentials, it will
authenticate to C impersonating as A (because A allows impersonation to B).
When it connects to C, it establishes a null session on that machine,
instead of establishing a logon for A.
The good thing about this is that B cannot misuse A's credentials on the

By granting access to 'Everyone', you are granting access to all users, both
authenticated and anonymous (null session tokens come under this)

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
"A.M" <> wrote in message
> Hi,
> What exactly are "Null sessions" or anonymous logons to windoes 2000 ?
> My guess is Access to shares that are available for everyone group. Am I
> correct?
> Thanks,
> Ali

Relevant Pages

  • Re: [PHP] Back to security
    ... Think of HTTPS as like a bank vault in the basement of a branch bank. ... If you authenticate users outside the steel wall, ... sessionID is compared with the one in DB, ... Compare the output of on the two pages, ...
  • Refuse Relay to certain authenticated sessions
    ... Currently my sendmail server relays email for my users when they ... connect from their home (Access table allows IP based relaying) and it ... authenticated session. ... should refuse to relay the mails for, even if they authenticate ...
  • Re: how to re-use existing session?
    ... but I had to authenticate to forward the port. ... a session running, although it's in the background. ... I can also remove the -N switch to the initial SSH command, ...
  • Re: Read session data of all users
    ... I'm trying to come up with a better way to authenticate a user across ... different web applications from a central place. ... and app3 will be redirected to authenticate with app1 if their session ... or at least get a reference to a HttpSessionState objects ...
  • VisualStudio 2003 question
    ... I'm relatively new to VisualStudio 2003 and have to create an application ... that uses Web Services to authenticate a user. ... Login page instantiates an object which can also be used to authenticate ... my user (Store the object in Session) ...