Re: Is the way I do it secure enough to avoid session hijacking?
Hi Hope,

Your method looks pretty sound to me. The client's IP address cannot change
between requests. It is, after all, the "return address" for the client's
HTTP messages.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Sometimes you eat the elephant.
Sometimes the elephant eats you.

"Hope Paka" <utezduyar@xxxxxxxxxxx> wrote in message
news:esEDt7gYFHA.2684@xxxxxxxxxxxxxxxxxxxxxxx
>I am storing user login information (not the password) in the session. I also
>use cookieless sessions. I realized that if someone copy-pastes the URL after
>he/she has logged in to the system and sends it to another person, the other
>person's browser opens as if the sender were logged in.
>
> 1) Person A logs in to the system. (Login information is stored in SQL
> Server session state.)
>
> 2) Person A copy-pastes the URL and sends it to person B (the format of
> the URL is http://domain/(sessionid)/XYZ.aspx).
>
> 3) When person B opens the URL, their browser window opens as if person A
> were logged in to the system.
>
> This is a security threat. I have overcome this by doing the following.
>
> When a user logs in to the system, a login ticket is generated and
> stored in the session. This login ticket contains two things: the
> client IP address and the user-agent.
>
> Then on each request, I validate that the registered login ticket
> information is the same.
>
> If person A sends the URL to person B, then I assume that person B's IP
> address should be different from person A's.
>
> I found an article on MSDN,
> http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/ (Foiling
> Session Hijacking Attempts). The way Jeff has done it is similar to what
> I have done. Is this reliable? The only thing I wonder about is whether
> the user's IP address changes at each request!
>
>
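As an added example (not the poster's ASP.NET code, nor code from the MSDN article), here is the login-ticket check described in the quoted message, written in Python: at login the server stores an HMAC over the session id, client IP and User-Agent; every later request recomputes it, so a copied URL presented from a different address or browser is rejected, and so is the same user's session if their IP changes between requests (the case the poster asks about). The function names, the in-memory session store and the sample addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; in a real deployment this would be generated
# once and kept in protected configuration, never in the session itself.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed stand-in for the SQL Server session-state store:
# session_id -> session data (the poster keeps login info here, not passwords).
SESSION_STORE: dict[str, dict] = {}


def make_ticket(session_id: str, client_ip: str, user_agent: str) -> str:
    """The 'login ticket': bind the session id to the client's IP and User-Agent.

    An HMAC is used instead of storing the raw values so the ticket cannot be
    forged even if the session contents are read by an attacker.
    """
    msg = "\x1f".join([session_id, client_ip, user_agent]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def login(client_ip: str, user_agent: str, username: str) -> str:
    """Step 1 of the thread: create a cookieless session (id travels in the URL)
    and store the ticket alongside the login information."""
    session_id = secrets.token_urlsafe(18)
    SESSION_STORE[session_id] = {
        "user": username,
        "ticket": make_ticket(session_id, client_ip, user_agent),
    }
    return session_id


def validate_request(session_id: str, client_ip: str, user_agent: str) -> bool:
    """Per-request check: the request is accepted only if the ticket recomputed
    from this request's IP and User-Agent matches the one stored at login."""
    session = SESSION_STORE.get(session_id)
    if session is None:
        return False  # unknown or expired session id in the URL
    expected = make_ticket(session_id, client_ip, user_agent)
    # Constant-time comparison; a mismatch means either a copied URL used by
    # another client or the same client's IP/User-Agent changed mid-session.
    return hmac.compare_digest(expected, session["ticket"])
```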

