Security :: Best Way To Connect A Cookie To A Session?
Sep 3, 2010
I usually like to do it the hard way,just to get a feel of what you can do!In ASP.net there is probably a really simple way Forms authentication etc.but this is what I have.I know from previous experience that you should never save a Cookie that contains a password,so how to connect a session to a cookie when the user accesses the website,with saved cookies information.
I though about using a Guid,in the cookie,and then check the database to see if that guid is available,but this could be a sort of password like effect.
How can I transfer the login session of a user into a Cookie that would expire in 12 hours? I have a problem with Internet Explorer where whenever the user closes the window it would log them out automatically (which is by default what it is supposed to do). I am using VB.NET
I need to make my asp.net session cookie as secure but whenever i check user authentication and after that i am trying to set cookie to true then my session lost my user information and so it always redirect login page. I am settings user to HttpContext.Current.Session["user"] and check every time, is user is valid and if valid then move ahead. but before that i make my asp.net session cookie as true.
[Code]....
but after that i observe that somehow "Session_Start" event gets called.
Is it possible to use mixed cookieless sessions with cookie sessions? I've an application that captured user details and then redirect for payment to an ssl page. I was wondering if this is possible? [URL] redirects to [URL] Note: the session Id in the latter url. So in essence, we use the standard cookie session for the majority of the application but when we transfer to an ssl page we pass the SessionId to the https url to pick up the session. I've tried this locally but it starts a new session.
Which gave me a compile error so i dont know if the user checked his code before posting. And the other was to set the expire date to 1 day ago which my gut says is wrong. How do i do this?
I say until you log out, session times out or you close the browser. But am I right?
I had an interview today and the interviewer wanted to know if I log into a page and closes the browser (without logging off), what happens to the session.
I said that the session will be orphaned. He says no - because their users are able to connect back to the session by just opening up the browser (using a cookie only). I told him that's a persistent cookie - not a session cookie. And I said that if that's the cause, there is nothing preventing the user from exporting the [persistent] cookie to a another computer and starting the session on that computer.
At first he said you can;t export a cookie but when I explained how, he said that he'll look but since many many people including 2 architects came up with the design, it is unlikely they are all wrong.
The default cookie name for the Session Id in ASP.NET is ASP.NET_SessionId. It's also possible to change this name to something else like <sessionState cookieName="FooBar" />.
Is there a member to easily access this name like with FormsAuthentication.FormsCookieName?
In web development, when session state is enabled, a session id is stored in cookie(in cookieless mode, query string will be used instead). In asp.net, the session id is encrypted automatically. There are plenty of topics on the internet regarding how you should encrypt your cookie, including session id. I can understand why you want to encrypt private info such as DOB, but any private info should not be stored in cookie at first place. So for other cookie values such as session id, what is the purpose encryption? Does it add security at all? no matter how you secure it, it will be sent back to server for decryption.
Be be more specific, For authentication purpose, turn off session, i don't want to deal with session time out any more store some sort of id value in the cookie, on the server side, check if the id value exists and matches, if it is, authenticate user. let the cookie value expire when browser session is ended, this way. vs Asp.net form authentication mechanism (it relies on session or session id, i think) does latter one offer better security?
We have a local homepage, which connect to our production security environment. When I need to test my site in test environment, I need to get fresh cookie (not the one that was sent to me via production security service, when I opened IE with local homepage).
I am getting fresh cookie fine in Mozilla; but in IE I always have production cookie, and this disables my testing. What I should fix here?
Is it possible to get session cookie name in medium trust level? The code below works in full trust, but throws a security exception in medium trust level.
I'm using ASP.NET Session State to keep track of logged in users on my site. However, one problem I'm running into is that by default ASP.NET session cookies are set to expire when the browser closes. I've tried setting my own ASP.NET_SessionId cookie and modifying the cookie's expiry using something similar to the following code:
I would like to change ASP.NET session cookie name "ASP.NET_Sessionid" to some other name. I specified <sessionState cookieName="MyCookieName" />. When I use fiddler to view response header, I can see "MyCookieName" with random generated number under cookie section, however, ASP.NET_SessionId also exist there.
I have a .net webapplication with the following domains:
www.domain.com sub.domain.com files.domain.com
When a user is logged on to domain.com or sub.domain.com, I'd like them to share session state (i.e. be logged into both domains at once). This is possible to do by setting the domain on the session coookie to be ".domain.com". However, my problem is that the domain "files.domain.com" should not have session state due to security issues (xss attacks from user-made files hosted on that domain is an issue).
Is it possible in ASP.NET to use the same asp.net session id for these two domains, but not the third one?
I have an application running ASP.NET. I have different domains and different sub-domains. I want the domains to share session with their sub domains.
For Example, the following domains access this application:
[URL]
If a user goes to www.example1.com and print.example1.com, I want it to use the same session. If the user were to go to www.example2.com and print.example2.com, I would want it to use a different session than the *.example1.com.
The way I used to handle it was a hack in page_load that works perfectly in IIS6:
(SiteUtility.GetCookieDomain would return .example1.com or .example2.com depending on the url of the request) Unfortunately, this no longer seems to work for iis7. Each subdomain/domain a user goes to, the user gets a new session cookie.
I then found the web.config entry: '<httpCookies domain=".example1.com" />. This works great for sharing session cookie between example1.com subdomains. Unfortunately, this completely screws up session state for *.example2.com.
I'm going to ask a user to login first, then when I'm going to save information I'm going to have to save the information and associate it with the logged in user.How should I handle this with session?
I thought the .ASPXAUTH was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even suppose to be used or is it some debug thing?
Anything I have tried didn't work. Currenly I have following code to change asp.net session cookie expiration date and path, but asp doesn't want to listen to me. I sends same cookie in Set-Cookie header two times sometimes, sometimes it sends it's default cookie ignoring path and expiration date, sometimes it sends everything as expected, and sometimes it doesn't send Set-Cookie at all. What should I do.
My code in Global.asax
protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e) { /// only apply session cookie persistence to requests requiring session information if (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState) { var sessionState = ConfigurationManager.GetSection("system.web/sessionState") as SessionStateSection; var cookieName = sessionState != null && !string.IsNullOrEmpty(sessionState.CookieName) ? sessionState.CookieName : "ASP.NET_SessionId"; var timeout = sessionState != null ? sessionState.Timeout : TimeSpan.FromMinutes(20); /// Ensure ASP.NET Session Cookies are accessible throughout the subdomains. if (Request.Cookies[cookieName] != null && Session != null && Session.SessionID != null) { Response.Cookies[cookieName].Value = Session.SessionID; Response.Cookies[cookieName].Path = Request.ApplicationPath; Response.Cookies[cookieName].Expires = DateTime.Now.Add(timeout); } } }
I have an ASP.NET 2.0 site that stores a user's ID in session to indicate that they are logged in. In some situations, the user doesn't appear to stay logged in. I've been monitoring traffic in Fiddler, and some details I've found: The problem is 100% repeatable on an older laptop of mine when running IE7 and the project manager's laptop when running IE7. The problem does not ever occur on my current laptop running IE7, or any of these laptops when running FF. The problem occurs only in production--not on development, internal staging, or client staging. Production is the only load balanced environment, but the repeatability noted above makes me question load balancing as a factor.
When the page which sets Session("ID") = 1 sends a response back to the client, I can see a "Set-Cookie" header in all cases, which is creating the ASP.Net_Session_Id cookie (and it's HttpOnly). Subsequent requests to the server will send that cookie in the header on machines which are not exhibiting the problem, but not on machines that are, so either the cookie is getting deleted or the "Set-Cookie" header is being ignored.
The way logging in works is as follows: a page on [URL] has an iframe. The source of that iframe is a page on [URL]. A variety of pages served from [URL] take the user through the login/register process. The final step of [URL] is to redirect to a page back on [URL], including the user's ID in the querystring. This page on [URL] typically stores the ID in session, and then runs some JS to redirect the top level document to a new page, thus taking the user out of the iframe. This is a process that has worked for several years, with several values of [URL]. The one thing that may be different here is that in this case, the JS is simply destroying the iframe and some containing div's.
Another difference I see between scenarios where the problem occurs and where it doesn't is in the Google Analytics cookies. There is a difference when [URL] does its redirect to [URL] inside the iframe. When the problem does not occur, the request for SaveTheID.aspx includes a variety of Google Analytics cookies (__utma, __utmz, etc). When the problem does occur, this request does not include all the GA cookies (it's missing __utma, __utmz and __utmb). Production is the only environment where [URL] runs under SSL, so I thought that may be related. But we temporarily set up our staging copy of [URL] to use SSL, and that had no effect.
I need to write asp.net funtion to display countdown timer to user when they log on to the site.
And I need to log them off once the session/cookie expires. Bigger problem for me is I need to pass the timer even when they browser through site, keeping count down timer alive and log them off after it expiers.
