Security :: Prevent Session Identifier In Application?
Mar 4, 2010Hacker's attack the session ID in asp.net application. How can we protect the session identifier from hackers.
View 1 RepliesHacker's attack the session ID in asp.net application. How can we protect the session identifier from hackers.
View 1 RepliesI managed to user to perform multiple log on from other IE window session in my web application if the same log on is currently being used.Unfortunately I have problem to control multiple log on if the user is logging in using tab browsing in the same session. I know this is due to the same session Id but is there any way to trace down to the tab level within the same session?
View 2 RepliesI have an ASP.NET 3.5 Web Site.The application has to pass the IBM Rational AppScan before we can push to production.
I am getting the error:
Severity: High
Test Type: Application
Vulnerable URL: http://mytestserver/myapp/login.aspx
Issue: session identifiers is not updated
What can I do to fix this?
what is this error and how to solve
a different object with the same identifier value was already associated with the session:Â
First of all here is my code chunk.
[Code]....
Right now I am creating this session with the session key "PhonePart" which is also the name of object I am passing in as a parameter in first method. In subsequent methods, I use the the same name to retreive and clear session value. My problem is, this approach works fine If I instantiate a single object of the class where these methods are defined and using that object call the methods, but when I create another instance of the same class and calls for instance method AddToSession and pass that instance, it overwrites the session value stored by the first instance of the class as the session key is the same that is "PhonePart".
Considering this scenario, is it possible that I somehow grab the name of the object as string in the calling method say "AddToSession" and create a session with that name? If Yes, then I can do the same in subsequent methods and retreive session value and also clear the session specific to that instance name without affecting the other session values stored by other instances.
I realize that user names are unique, but is there another identifier associated with the username? If there is, how do I find out what it is for the user who is currently logged in?
View 2 Repliesi have a web application with form identification agains ActiveDirectory. The user is added to the aspnetdb and then we add his roles and profile.heres my question. If you have a user with "abcdef" for his sAMAccountName and then this user quit the job and someone else came in and we give him the SAME sAMAccountName, how aspnet will react? i guest it will see that the sAMAccountName already exist in the aspnetdb and will use it? if its true, then i will have a problem that the new user will inherit the old user access and profile!how can i solve this? i know theres a objectGUID attribute in AD that i can use but how can i use it with aspnetdb?
View 2 RepliesI am developing a web application. This application is fully customised based on the user settings. Suppose, application hosted on [URL] and user can signup on the website and it will get the domain like [URL] and for user2 will be [URL] so and so forth. so in this case how would I maintain the session for each user? each user will be representing a single website along with public interface and admin pages.
what I am thinking is to store all the setting (for each user) in the database and then when ever server received request then get the user info from the URL (first time only and after get it from the session) and get user details but I am not very much satisfied with this approach.
I built a small ASP.NET application. It has a global.asax and sets some session variables on Session_Start(...).What could prevent (all) session variables from not being set? Would a session time out do it? What if JavaScript turned off? What else can do it?
View 2 RepliesI am using microsoft visual web developer 2010 to build and publish my website, I am facing a security problem. My website has authentication service for my clients, each one he has his own user name and password. After I introduced a new member, my database collapsed, may be this last member is a hacker. Is their a way to improve security vulnerabilities to prevent future attacks. May be through web.config, could be encrypted.
View 11 RepliesDoes somebody now a good way to make session not transferable, so an user can't move/copy the session token ID from one machine to another?
View 2 RepliesOur intranet has a custom membership system (not asp membership) which puts values in the session information to identify users. As the intranet is constantly evolving, I often have to publish changes to the live server several times every day. Each time I do, the users who are logged in's sessions end and they have to log in again. This causes various issues which I won't bore anybody with here.
My question - is there anyway to prevent this, or do I just have to live with it? Have spent the last 3 hours Goggling and can find no solution.
I have a .Net 3.5 website which uses windows authentication and expires the session using a meta tag on the prerender of my base masterpage class.
protected override void OnPreRender(EventArgs e)
{
base.OnPreRender(e);
if (Response.ContentType == "text/html")
this.Page.Header.Controls.Add(new LiteralControl(
String.Format("<meta http-equiv='refresh' content='{0};url={1}'>",
SessionLengthMinutes * 60, SessionExpireDestinationUrl)));
}
This works well for pages that do full post backs. However there are a few pages in my application where the user does a lot of work that is inside of an update panel. My company's policy is a timeout of 15 minutes. Which means, after 15 minutes of working inside of an update panel page, the user gets redirected to the application splash page.
Is there a way to reset or extend the meta tag on an async postback? Or perhaps a better way to accomplish this entirely?
i'm using session variables for send variables between aspx page and it works fine ...but after some time of inctivity(user) in the page the sessions is los...how can i resolve this issue ? this is my code below how to send session :
protected void Lst_Interv(object sender, EventArgs e)
{
Session["Id"] = gdMedical.SelectedRow.Cells[0].Text.Trim();
Session["Service"] = gdMedical.SelectedRow.Cells[6].Text.Trim();
Session["Nom"] = gdMedical.SelectedRow.Cells[2].Text.Trim();
string pageurl = "LstIntervention.aspx";
Response.Write("<script> window.open('" + pageurl + "','_blank'); </script>");
}
how to prevent the two session on a single browser ie: first i opening a site on mozilla then login after logged in . I am opening a new table with the same url login using different user after that suppose there is one link called view my profile on user home page if if click the link on first tab browser, it showing the user details on second tab browser user details ie: previous session.how to prevent or avoid this ?
View 6 RepliesI'm new to asp world, and I have to keep my new job :)Switching form php to asp.net 3.5 (never used before). What would be the best practice for storing a SESSION variable in my project ?How can I prevent my SESSION to be overwritten if my initialisation code is in the onPageLoad method of my MasterPage ?My variables keeps beeing overwritten, please someone help me and tell me if there is any other solution than dealing with this pageLoad problem.
View 3 RepliesI'm researched how about prevent session timeout, I tested the solutions links bellow and it works great.
http://www.primaryobjects.com/CMS/Article86.aspx
http://www.codeproject.com/KB/session/Reconnect.aspx
But my Website has one thing that still causing problems... the Website calls an ActiveX. Some time in the user navigation the user clicks in a button and a JavaScript loads an ActiveX with the code bellow.
var objDownload = new ActiveXObject('XXXXXX');
objDownload.ActiveXMethod();
This ActiveX makes a huge processing and this is why I'm want the trick to avoid the session expires. I tested the both above solutions but when the ActiveX is running no refresh happens. Can anyone help with this problem? How the ActiveX can be running and the IE makes the refresh?
How to distroySession in asp.net(vb). When I Distroy the session if i click to the back button it will not redirected to previous page.I used
Session.Abandon()Response.Redirect("Default.aspx")
on the click of logout_linkbutton.but when i click back button in browser its go back to previous page. But when i click on any control it will redirected to Default.aspx.
I have a problem with all multiple tab browsers due to session object. I have a requirement that whenever user opens a new browser I need to show different values, so I thought of using Session as in IE 6 every browser creates a new session. But all other multiple tab browsers IE 8 and FF shares the session(If user has already open the browser and try to open different browser). How can I create new session whenever user opens a new browser window. My application is basically in ASP.NET and server side we have C#.
View 1 RepliesI have ASP.net application that is basically a data entry screen for a physical inspection process. The users want to be able to have multiple browser windows open and enter data from multiple inspections concurrently. At first I was using cookie based sessions, and obviously this blew up.I switched to using cookie-less sessions, which stores the session in the URL and in testing this seemed to resolve the problem. Each browser window/tab had a different session ID, and data entered in one did not clobber data entered in the other.
However my users are more efficient at breaking things than I expected and it seems that they're still managing to get the same session between browsers sometimes. I think that they're copying/pasting the address from one tab to the other in order to open the application, but I haven't been able to verify this yet (they're at another location so I can't easily ask them).Other than telling them don't copy and paste, or convince them to only enter one at a time, how can I prevent this situation from occurring?
How to prevent Session.Timeout extension on certain event from codebehind?
What I do - I have Session Timeout configured in Web.config file for 10 minutes. Also, I have in my webpage1.aspx, an ASP.NET AJAX control ModalPopup which shows into the page 9 minutes after the user stopped sending requests to webpage1.aspx. I did this with this code:
[Code]....
[Code]....
So, my initial calculations was that 1 minute before the session ends, i'll inform the user something with the ModalPopup. The problem is that when this Timer1_Tick event triggers, the session.timeout renew ( or extends ) and the session ends 10 minutes later (if user still don't send any request from his browser).
Can I write code in Timer1_Tick event which prevent session extension?
since a have an app, that makes heavy use of AJAX (jQuery), I faced a problem of session timeout.
After a little bit of googling I found something like :
[Code]....
In the refresh page I have just this code :
[code]....
jQuery indeed calls refresh page, writes "success", however- session times out.
Am I doing wrong something? Is there a better way to prevent session time out?
Preventing user to open duplicate web application,while it is running .....
View 1 RepliesIs it possible to renew an application session by just shaking the mouse?
View 8 Repliesi am using a multi selecting file upload control which is postBack free.
I am using session timeout.
My problem is that during files uploading my session got expired. Bcoz my uploader not being postback so i can't enhance session timeout. and while uploading my session got expired and process was not ompleted, causes some imp files could not uploaded.