Re: Major security issue?
From: Ray at <%=sLocation%> [MVP] (%=sLocation%)
Date: 02/01/04
- Next message: Ed: "ASP session vs. ASP.NET session"
- Next in thread: Keith: "Re: Major security issue?"
- Reply: Keith: "Re: Major security issue?"
- Maybe reply: Max: "Re: Major security issue?"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 31 Jan 2004 23:45:08 -0500
It seems to me that this would be listed as a predictable downside to using
cookieless sessions. Verifying IPs and/or user agents wouldn't be any real
way to avoid this, so it makes sense to me that this wouldn't be the default
behavior for asp.net to check that. And if it were to check it, where would
it store this info? In session variables? Hmmph.
--
Ray at home
Microsoft ASP MVP

"Keith" <keith@keithadler.com> wrote in message
news:77b301c3e87d$0ff55c00$a101280a@phx.gbl...
> I have found what I believe to be a serious security
> issue in ASP.Net. If you have:
>
> 1. Your website configured for anonymous access
> 2. Elect under web.config to set the sessionstate
>    attribute of cookieless to true
>
> Anyone from any IP address or across another browser can
> copy the URL and work within the session. My question
> is "Why doesn't ASP.Net provide an option around ensuring
> all requests for a user session originate from the same
> IP address and/or same useragent?" I know that some
> people sit behind firewalls, proxies and layer 4 devices
> that could load balance and affect HTTP traffic, but it
> honestly escapes me why I can access my web application
> on any machine inside or outside of my network with just
> the sessionid in the URL from even different browsers.
> There must be a way to control this in the
> configuration. Am I alone in finding this troubling?
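The two behaviours argued over in this exchange, as an added Python illustration that is not code from the thread or from ASP.NET: a server-side session table keyed by an ID that travels in the URL, an optional IP and User-Agent binding of the kind Keith asks for, and the lockout Ray predicts once a legitimate client's address changes between requests. The `SessionStore` class, the `session_url`/`sid_from_url` helpers, the fingerprinting scheme and the sample addresses and User-Agent strings are all assumptions made for the example; only the parenthesised-ID path segment follows the shape of ASP.NET 1.x cookieless URLs.

```python
import hashlib
import re
import secrets

# Added illustration of cookieless-session behaviour; not ASP.NET's own code.
# The store, fingerprinting and URL helpers below are assumptions for the example.


class SessionStore:
    """Server-side session table keyed by the ID carried in the URL.

    bind_ip / bind_user_agent emulate the option asked for in the thread:
    when set, a fingerprint of the creating client is recorded next to the
    session data and every later lookup must present a matching one.
    """

    def __init__(self, bind_ip=False, bind_user_agent=False):
        self.bind_ip = bind_ip
        self.bind_user_agent = bind_user_agent
        self._sessions = {}  # session_id -> {"fingerprint": str | None, "data": dict}

    def _fingerprint(self, client_ip, user_agent):
        parts = []
        if self.bind_ip:
            parts.append(client_ip)
        if self.bind_user_agent:
            parts.append(user_agent)
        if not parts:
            return None  # no binding configured: any bearer of the ID is accepted
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    def create(self, client_ip, user_agent):
        sid = secrets.token_urlsafe(18)  # random, unguessable URL-safe ID
        self._sessions[sid] = {
            "fingerprint": self._fingerprint(client_ip, user_agent),
            "data": {},
        }
        return sid

    def lookup(self, sid, client_ip, user_agent):
        """Return the session's data dict, or None when the ID is unknown or
        the presenting client does not match the recorded fingerprint."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["fingerprint"] != self._fingerprint(client_ip, user_agent):
            return None
        return entry["data"]


# ASP.NET 1.x cookieless mode puts the ID in a parenthesised path segment,
# e.g. /app/(lit3py55t21z5v55vlm25s55)/page.aspx.
_SID_SEGMENT = re.compile(r"/\(([A-Za-z0-9_-]+)\)/")


def session_url(app_root, sid, page):
    return f"{app_root}/({sid})/{page}"


def sid_from_url(url):
    m = _SID_SEGMENT.search(url)
    return m.group(1) if m else None


def demo():
    """Run the scenarios from the thread; returns a dict of booleans."""
    owner_ip, owner_ua = "10.0.0.5", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    other_ip, other_ua = "203.0.113.7", "Opera/7.23 (Windows NT 5.1; U)"  # constructed sample values
    results = {}

    # 1. cookieless="true" with no binding: whoever holds the URL holds the
    #    session, from any address and any browser.
    store = SessionStore()
    url = session_url("http://www/app", store.create(owner_ip, owner_ua), "cart.aspx")
    store.lookup(sid_from_url(url), owner_ip, owner_ua)["items"] = ["widget"]
    hijacked = store.lookup(sid_from_url(url), other_ip, other_ua)
    results["copied_url_works_elsewhere"] = hijacked is not None and hijacked["items"] == ["widget"]

    # 2. The option asked for: bind to IP and User-Agent. The copied URL is
    #    now refused when presented from a different client.
    bound = SessionStore(bind_ip=True, bind_user_agent=True)
    url = session_url("http://www/app", bound.create(owner_ip, owner_ua), "cart.aspx")
    results["copied_url_rejected_when_bound"] = bound.lookup(sid_from_url(url), other_ip, other_ua) is None

    # 3. The downside raised in the reply: the real owner behind a proxy pool
    #    whose egress address changes is locked out of their own session,
    #    although the User-Agent is unchanged.
    results["owner_locked_out_after_ip_change"] = bound.lookup(sid_from_url(url), "198.51.100.9", owner_ua) is None

    # 4. Binding to the User-Agent alone survives the address change but
    #    stops nothing: the header is client-supplied and is copied as
    #    easily as the URL.
    ua_only = SessionStore(bind_user_agent=True)
    url = session_url("http://www/app", ua_only.create(owner_ip, owner_ua), "cart.aspx")
    results["ua_only_spoofable"] = ua_only.lookup(sid_from_url(url), other_ip, owner_ua) is not None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fingerprint in this sketch lives server-side beside the session data rather than in the session variables the application sees, which is one answer to the storage question raised in the reply; the trade-off shown in scenarios 3 and 4 is the same one the thread describes, and it is why a binding of this kind is a policy choice for the application rather than something a framework can safely switch on by default.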