Saving Sessions In SSL Encrypted Cookies Vs. Client Certificates?
Dec 10, 2010
Background: From a desktop application, users will navigate to an SSL-encrypted web portal where they will have to enter a username / password if it's their first time logging in. I want to be able to securely persist their user session. I was thinking of using encrypted cookies, storing their username and a unique session token / key, but was wondering what benefits client certificates offered in terms of security.
The way I see understand it currently:
Encrypted cookies:
Saved on the user's machine just like any other cookie Since the entire site is SSL, the contents of the cookie cnnot be tampered withEasily implementableWhen a user logs in again, invalidate the token / key and issue a new one
Problems:
Anyone attempting to access the web portal on the computer with a saved session will be able to, but this is a problem with any persisted session, right?
How do I know that computer A is computer A and not just computer B that copied computer A's cookie?
Client Certificates:
A pain in the ass to install Will uniquely identify that person's computer (or can it be restricted to the user account) to the web portal If the client certificate is stolen, then the account is compromised
Question: For persisting user sessions with the utmost security, would encrypted cookies be sufficient or would I need to install client certificates? How do they differ?
View 1 Replies
Similar Messages:
Nov 17, 2010
My site uses cookies. I need to have it use sessions instead. The reason for this is because there is a third party that needs to connect to it, and it's always requiring 3rd party cookies to be enable in the browser and that is annoying my customers. Is there any other way around this other than switching to sessions?
View 4 Replies
Oct 28, 2010
In my project I have configured .NET's sessions to go into database.
I also have a global.asax which implements Session_Start().
In Session_Start() I write three things to the session:
The time the session started.
The user's host address.
A serializable device object wrapping the user's agent.
The problem is now that users which don't allow cookies won't allow session cookies either.
(Easily reproducable by putting the site URL to the restricted sites of IE).
If I keep on refreshing (put finger on F5) a new session is created for every request (-> no session cookie). Shortly, the web server process grows to some hundred megabytes.
It does not matter if you use IIS7 or Cassini Local Webserver.
The issue is now: the memory does not get released until the sessions time out. What is the logic here if sessions should really go to database? How long will .NET keep them in memory? Eventually, you'll even get Out Of Memory exceptions!
Anybody know? How to detect and prevent such (almost malicious) "attacks"?
View 2 Replies
May 6, 2010
The document http://msdn.microsoft.com/en-us/library/ms178581.aspx states the following about expired sessions:Regenerating Expired Session Identifiers By default,the session ID values that are used in cookieless sessions are recycled.That is,if a request is made with a session ID that has expired, a new session is started by using the SessionID value that is supplied with the request.This can result in a session unintentionally being shared when a link that contains a cookieless SessionID value is used by multiple browsers.As you can see it talks about "cookieless sessions" but,what is the behavior for sessions based on cookies? Does it apply to .NET Framework 3.5?
View 2 Replies
Nov 19, 2010
I have a internal site used by employees of my company that uses ASP.Net 3.5, Ajax and the Ajax Control Toolkit and is secured using https and requires a client certificate to gain access to the site. We are getting the following error when updating drop down lists on the very first page of an application wizard we have built. The page uses an UpdatePanel with PartialPagePostbacks enabled.
Sys.WebForms.PageRequestManagerServerErrorException:
An unknown error occurred while processing the request on the server. The status code returned from the server was: 413
ScriptResource.axd Line: 5
Code: 0 Char: 62099.
I have increased the maxRequestLength value to 8192Kb (which is way overkill), the readAheadBuffer to 4096Kb, set all the timeouts I can find, and this problem keeps showing up for my users. I can reproduce the error if I let the initial page site idle for 2-3 minutes before doing the partial page postback to move to the next segment. I have been chasing this now for a couple of weeks, and keep coming back to the same sites with the same answers.
View 4 Replies
Oct 30, 2010
I have an asp.net site. Its a mixture of web forms and MVC2.
I have this on 2 different servers which I get to via different urls.
On one server authentication works fine via all browsers (IE 8, FF 3.6, Chrome)
On the other IE 8 fails, it doesn't send back the cookie on the request to the page after authenticating.
Using Fiddler I have seen that both sites attempt to set the cookie, in the response from the login page.
Response Header I see from both servers
Set-Cookie: DemandLaunch=CCA4...E79C2D1; path=/; HttpOnly
Both sites are in the internet zone of IE.
I'm at a loose for what to check now.
I also have a page that sets a cookie via c# code and that cookie fails in IE as well.
The IE issue is not on a single computer either. I see this failure on 4 different computers Internet Explorer.
My urls which I should have included were:
beta.[site].com - works
beta_[company].[site].com - fails
View 1 Replies
Mar 5, 2011
So, I am working on a demo web dashboard. Previously, I had been using Session to store settings about the dashboard, but I would like to move it to a more persistent means of saving settings.It seems to me that using cookies would be my best bet. I'm not entirely positive I have the time to work everything out for writing to/from a database properly.That being said, I might be in over my head on some assumptions I had made about the similarities between Session and Cookies. Currently, I have some code like this:
public Dictionary<string, RadPageViewSetting> PageViewStates
{
get
[code]...
View 2 Replies
Sep 14, 2010
Here is how my system is set up:
A web service using ASP.Net web service The web service has a web method with EnableSession=true
A client which refers to the web service using "Service References" (note: not "Web References")
The app.config of the client has allowCookies=true
[Code].....
The call to AppendUpload returns false, because of the mismatching session ids. Why is that?
As far as I can see, I have the right attributes for the web method, the client has the correct config, and the same instance of the proxy is used.
View 1 Replies
Feb 7, 2011
I am using Logi Reports for creating reports in my application. I am passing cookies from web application to these logi reports. Cookies were workign correctly before, but after the release of this version. Cookies are not working in these logi reports.
View 1 Replies
Apr 3, 2011
This thing has just came to my head and I wanna share it.Note : I could easily test it but I am being lazy here to see if anybody has ever experienced something like that before.Let's assume that I have a web site which built-in membership structure of asp.net has been implemented on. What will happen to asp.net membership if the client browser blocks cookies? Does framework throw an exception when a user tries to log in or do something else?
View 3 Replies
Oct 28, 2010
I'm currently work on a Mobile Web project.Here is the thing i must do ;
Suppose that i've a web page that gets username from client .
When client enter a username and hit the button ; if there's a connection between IIS and client , username shall be sent to IIS.
but if there is no connection between IIS and client , username shall be stored at client side.
View 6 Replies
Mar 21, 2011
saving a static HTML page on the client, so that I can then upload it back to the server? I'm building a Gantt style page, then allowing the user to "draw" on it using VML (This will change to SVG once we are off IE6). I need to be able to save the page (including the VML) to temp and then upload it back to the server as a static HTML file.
View 2 Replies
Oct 5, 2010
developed an application in Asp.net. It is a receipting system. I have deployed the system in a company which runs with various networks. The company uses VPN, LAN and so many. When I deployed the system they complain the speed is very slow when accessing through network. Specially in the receipt page where i have used Update Panels and AJAX Comboboxes, they complain that it takes time to load the combo boxes. Also they say that when the selected index is changed in the combo box, it takes time to post the data in the other relevant controls.
View 5 Replies
Mar 31, 2011
I need to save a text file on the client side possibly without permission. The case is that I need to save this text file in a shared folder in this or in another machine in the lan. This text file is going to be read automatically by the fiscal printer which will print the fiscal invoice. I have a asp .net web application and the server is not on the same lan with the fiscal printer, so I have to write it on the client-side. how to do this without asking to the user every time for the security issue.
I can accept a solution like, the client is asked only one time a the first printing, but not every time he wants to print a bill. Some kind of asking permission to the client for allowing this website, in order to not repeat the permission asking.
View 4 Replies
Aug 17, 2010
I'm handling cookies using JavaScript to store some values in my asp.net web application.I use document.cookie to save some values (converted into a lengthy string). But i want that value to be accessible across all the pages in my application.When i try to get that value from a different page, i get the values pertaining to the document in the current URL.
In short i save the value in the cookie in http://myapp/doc1.aspx and want to retrieve it in http://myapp/doc2.aspx
So is document.cookie is pertaining to a single document scope? How can i save/read cookies across the site?
Update.This is how i get and set cookies
function getCookie(c_name)
{
try{ [code]...
But i'm getting different values for the cookies in different pages.
View 2 Replies
Oct 1, 2010
I am trying to open my homepage with HTTPS in my test server. Is there a way i can create Self signed certifcates and see if https works. some links or any ideas with how to do Its an ASP.Net project and IIS V6.0
View 3 Replies
Jun 8, 2010
I've noticed that it is possible SQL Server 2005/2008 to authenticate replication accounts using certificates. Is it possible to authenticate .NET SqlConnection in the same manor?
Ideally, I'd like to do away with password authentication completely and have the aspnet user connect using a certificate stored against its account.
View 2 Replies
Jun 20, 2010
I would like to do login to the website using certificates.
I want to have a secure login.
How to create certificates for login?
How certification process?
View 1 Replies
Apr 9, 2010
Is it possible to read the certificate(s) in a clients browser through code? The situation I have is, someone is going to access my website with a certificate installed. In that certificate, there will be specific information related to my application. I will be pulling that specific peice of info out, and then doing what I need to with it.
I can already read certificates from my local machine (using the X509Certificate2 class), and using string manipulation, traverse out the information needed. The only part I can't do, is pull certificates from the browser.
I have tried using the '.IsPresent' function on an HttpClientCertificate object, but that always returns false (even though I have four certificates installed on my machine).
View 4 Replies
Mar 16, 2011
I am trying to decrypt using an X509 certificate private key. I am using the following function:
[Code]....
View 3 Replies
Mar 29, 2011
Is anyone using digital certificates in project ?I have created a digital certificate using Microsoft certificate services.I have installed this certificate on my website.When I access website over https I get digital certificate error in browser.Most common cause for this error is incorrect date/time settings on client machine. This is not the issue in my case.
View 1 Replies
Sep 3, 2010
I am fairly new to web development and have never used Digital Certificates before. I assume using a digital certificate on a silverlight web page is the same as using one on any other web page, but i thought i should check. There are a few example of digitally signing the .xap file on the internet, would it then be a case of simply buying the certificate (from verisign or somewhere similar) and distributing it to customers?
View 1 Replies
Oct 21, 2010
I need it for the test purposes.. (don't want to see „The remote certificate is invalid..." Exception.. )
View 3 Replies
Mar 9, 2011
I am not sure whether I posted the question at the right place, But I don know how to start approaching the problem ,
I need to open a .cer cirtificate from the server side. The .cer cirtificate will be stored in the client browser.
I tried locally putting the cirtificate in my hard drive and I could open it and get the info I want using
X509Certificate2 certificate = new X509Certificate2("C:\OCX\abc.cer");
But what will I do when I need it to open it from client browser?
View 13 Replies
Sep 12, 2011
There is an existing classic ASP application that uses CAPICOM to encrypt a file's content using a certificate. A new file is created with the encrypted content and put on a location from where another 3rd party web application picks up the file (with encrypted content). They use the certificate to decrypt the encrypted data .
I am re-writing this piece of the software in ASP.Net and have read a bit about the encryption algos in .Net. But I am unable to come to a solution I am aiming for.
My questions:
a.) CAPICOM and .Net encryption? Any resource that has some sort of method mapping between the two?
b.) How to encrypt the content of a file using a certificate's private key? The reason I'm looking for this is this statement
The Sign method creates a digital signature on the content to be signed. A digital signature consists of a hash of the content to be signed that is encrypted by using the private key of the signer.
Source: [URL] ....
View 3 Replies