Avoid Session Hijacking For Web Applications?
Aug 18, 2010
I read some articles about Session Hijacking and would like some more information related to it. Currently my web application, which is developed in ASP.NET, is using Cookieless=true mode for sessionState. We are using HTTPS, which is a secure connection that will reduce session hijacking. I know that when we use Cookieless mode the session id is embedded in the URL, which can be dangerous sometimes: if a user passes this URL to somebody, the other user will be able to log in if the session is still alive. So I just want to know, is HTTPS more than enough or should I do something to secure my web app?
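For the question above, an added example (not the poster's configuration) of a web.config fragment that keeps the session id out of the URL and marks both the session cookie and the Forms authentication ticket Secure and HttpOnly; Forms authentication, the ~/Login.aspx path and the 20-minute timeout are assumptions.

```xml
<!-- Added example, not the poster's web.config. Assumes Forms authentication and ~/Login.aspx. -->
<system.web>
  <!-- UseCookies keeps the session id in a cookie. cookieless="true"/UseUri puts it in the URL,
       where it is recorded in browser history, proxy logs, Referer headers and forwarded links. -->
  <sessionState mode="InProc"
                cookieless="UseCookies"
                regenerateExpiredSessionId="true"
                timeout="20" />

  <!-- requireSSL sets the Secure flag (cookie only sent over HTTPS);
       httpOnlyCookies keeps it out of reach of client-side script. -->
  <httpCookies requireSSL="true" httpOnlyCookies="true" />

  <authentication mode="Forms">
    <!-- Same treatment for the authentication ticket; protection="All" encrypts and signs it. -->
    <forms loginUrl="~/Login.aspx"
           requireSSL="true"
           cookieless="UseCookies"
           protection="All"
           slidingExpiration="true"
           timeout="20" />
  </authentication>
</system.web>
```

With requireSSL on httpCookies, ASP.NET marks every cookie Secure, so the whole site has to be served over HTTPS, not just the login page.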
Similar Messages:
Feb 24, 2011
I recently read an article on making ASP.NET sessions more secure here and at first it seems really useful.
Previously I had been storing the user's IP address in the session, then making sure in every subsequent request that the requesting IP was equal to the stored IP.
The code in the article also protects the session by checking the IP address, except it stores a hashed message authentication code containing the user's IP as part of the session cookie. It creates a hashed MAC twice every request, which I imagine would slow things down a little.
I can already see a potential flaw in their code: if you were to somehow get a hold of the key used to generate the MAC, you could then generate a valid MAC with your own IP - you wouldn't even have to fake the IP the session was started on.
It seems like an overly-complex solution to a simple problem which not only incurs a larger overhead but also is more susceptible to attack than the trivial method - unless I'm completely missing the point.
So, why would this approach be any more secure than the more simple approach that I had been using?
As a slight aside, the author also states that you shouldn't use the whole IP address in the comparison, as some users' IPs change every request if they are behind a proxy. Is this still the case if you check X_FORWARDED_FOR?
Feb 17, 2010
We all know that we should only be publishing our ASP.NET Web Applications with the release build type, so why do I not get a warning when I trigger the "Publish" command in Visual Studio 2008 for a project configured to build in debug mode? Sure, there might be cases where I need to publish a debug build to a development or test environment, but answering yes in a confirmation dialog would be acceptable in these cases. Is there an option that I have overlooked, forcing Visual Studio to warn me every time I try to publish a debug build? Yes, we could just ban using the "Publish" command and use a more solid build management tool, but this involves a change of process and might not be an option in this particular case.
Mar 18, 2011
What should I write in the web.config file in ASP.NET so that my session time is extended? And what is the exact location where I should place the code in web.config?
Jul 9, 2010
I have two identical applications set up on IIS in different virtual directories (I have done some workaround to ensure that they both have the same application name). Is there a way to share the session id across two ASP.NET web applications?
Since I'm storing the session in StateServer, they should both be getting the same session data; however, a different session id is created every time I go from application A to application B. Wouldn't this happen in a load balancing scenario as well? When I go to www.test.com, it would redirect that request to server A, and then if I hit it again, it would go to server B, but since it's a different web application, it would create a new session id?
Mar 7, 2011
It's not explicitly written anywhere, but I felt so after reading a few blogs on ASP.NET MVC. Just got curious and thought of asking it here.
UPDATE: I'm not asking about memory/storage/RAM concerns on server. For them, there is a solution to store session out of process. I know that. I'm curious that, are there any scenarios where we had to use Session in WebForms but we can avoid it now in MVC taking benefit of the nice structured way offered by MVC?
Oct 25, 2013
In my website, the session expires after 5 minutes. I need to extend the session state to a minimum of 4 hours. Currently, in the web.config file I use the following code.
<sessionState cookieless="false" timeout="1440" />
But it still expires after just 5 minutes.
Oct 18, 2010
I would like to share the session variables between 2 applications. Basically I have a website, and in there I have 2 applications and want to share the session object between the two. Is there a way to set something in web.config to enable this?
Jun 15, 2010
I have two ASP.NET applications (one is Mojo Portal). I can navigate from one to the other using a URL token id.
This way, by token, I create a new session and save the related auth cookie.
But sometimes the ASP web application doesn't keep the session and kicks me out. When this happens I can't log in until the session cookies are deleted.
Both applications are behind a reverse proxy.
Oct 29, 2010
How do I avoid ASP.NET session timeout from an HttpHandler?
Feb 8, 2011
If I change web.config or update DLL files, all the current users in a web application lose their session, and one may lose all their input.
How can I avoid this issue? How do you deal with this issue?
Jan 8, 2010
How do you work around the fact that sessions are dropped every time you deploy certain code files to an ASP.NET website? Sometimes we need to deploy a crucial fix in the middle of the day but don't want to boot off all our users for it.
May 20, 2010
I am trying to use a transaction scope in a transaction-per-request pattern. So I have an HTTP module that does (simplified):
    // Open a fresh transaction at the start of every request and stash it in HttpContext.
    private void Application_BeginRequest(object sender, EventArgs e)
    {
        var scope = new TransactionScope(TransactionScopeOption.RequiresNew);
        PutScopeInHttpContext(scope);
    }

    // Commit at the end of the request unless an error occurred; always dispose the scope.
    private void Application_EndRequest(object sender, EventArgs e)
    {
        var scope = GetScopeFromHttpContext();
        try
        {
            if (HttpContext.Current.Error == null)
            {
                scope.Complete();
            }
        }
        finally
        {
            scope.Dispose();
        }
    }
Then, in my web.config, I have:
    <httpModules>
      <clear/>
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule"/>
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
      <add name="Profile" type="System.Web.Profile.ProfileModule"/>
      <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      <add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      <add name="TransactionPerRequestWebModule" type="Acme.Web.TransactionPerRequestWebModule, Acme.Web"/>
    </httpModules>
    <sessionState mode="SQLServer" sqlConnectionString="Data Source=localhost\SQLEXPRESS;Integrated Security=SSPI;" cookieless="false" timeout="360"/>
Now, at what seems like a random rate, roughly 1 page out of ten gives me the following error:
[SqlException (0x80131904): Distributed transaction completed. Either enlist this session in a new transaction or the NULL transaction.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +1951450
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +4849003
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +194
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2394
System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +33
System.Data.SqlClient.SqlDataReader.get_MetaData() +83
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +297
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +954
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +162
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +32
System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) +141
System.Data.SqlClient.SqlCommand.ExecuteReader() +89
System.Web.SessionState.SqlSessionStateStore.DoGet(HttpContext context, String id, Boolean getExclusive, Boolean& locked, TimeSpan& lockAge, Object& lockId, SessionStateActions& actionFlags) +516
[HttpException (0x80004005): Unable to connect to SQL Server session database.]
System.Web.SessionState.SqlSessionStateStore.ThrowSqlConnectionException(SqlConnection conn, Exception e) +229
System.Web.SessionState.SqlSessionStateStore.DoGet(HttpContext context, String id, Boolean getExclusive, Boolean& locked, TimeSpan& lockAge, Object& lockId, SessionStateActions& actionFlags) +649
System.Web.SessionState.SqlSessionStateStore.GetItemExclusive(HttpContext context, String id, Boolean& locked, TimeSpan& lockAge, Object& lockId, SessionStateActions& actionFlags) +48
System.Web.SessionState.SessionStateModule.GetSessionStateItem() +117
System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData) +487
System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +66
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
What I (think I) understand is that the connection to the ASP.NET session database is sometimes enlisted in my business transaction, and I get this error when my business transaction is completing first.
There are a couple of problems with that:
I don't think the transaction for the session state should be the same as my business one. These are 2 separate concerns.
It makes the transaction automatically escalate to a distributed (MSDTC) one, which impacts my performance.
How do I decouple my business transaction from the ASP.NET session one?
Sep 29, 2010
I have created a custom MembershipProvider, SessionIDManager, and SessionStateStore since I need to use custom legacy sessions and logins. When the application is run, it runs GetSessionID in the SessionIDManager (which is correct). The problem then is that if there is no session, meaning the GetSessionID method returns null, it tries to create a new session using CreateSessionID. I want it to redirect to the login application (another application). We only create and store session information for logged-in users, and the "session id numbers" come from a file that is pre-populated with "session id numbers" (I didn't design this and it's out of my control). So it's not feasible to give everyone who visits the site one of the "session id" numbers. I also need users with an "invalid" session (when checked through Validate()) to be redirected to the login page.
Apr 22, 2010
I have two applications hosted on two different domains and both use a single login info, so my question is how can I use / share the same session across the two applications.
Aug 9, 2010
I am currently using Brinkster hosting (Pro Package), but recently they changed my hosting to a new one, and after that I sometimes got an error and my session also expired very fast. Below is the feedback from Brinkster.
Thank you for letting us know about your recent experience with your application. From what we are able to find regarding your application problems, they appear to be related to your ms access database. Due to limitations of ms access, you may want to consider updating the database running your website to mysql. A Mysql database is available to your account at no additional charge.
MS access begins to experience issues like database locks (which is what appears to be happening to your application) when there are more than 3 or 4 concurrent connections to the database for reads. MS access is also only able to have one write connection open at any given moment. MS access databases are more susceptible to corruption and data loss than database application built for large application use and Enterprise or corporate use.
When you were hosted on the previous server, your IIS application pool was getting reset many times per day. This action was in effect unlocking your ms access database from its locked state. After we moved you to the new system and raised your memory utilization limit, your application does not receive resets more than one or two times a week. I have lowered your memory utilization from 200 to 100 in an effort to have your application reset more often, unlocking your database if it has begun to cause issues.
My question is, do I have a choice to avoid changing my database from MS Access to MySQL? Does the MS Access database really have such a problem as they mention, or did something else happen on their server?
Mar 27, 2010
Must session state get destroyed each time we build our project in web applications? This is really annoying because I have to re-log in and get to the page I'm currently working on each time I need to build my project...
Jul 14, 2010
I have 2 applications App1 and App2 on same domain, both with Forms authentication, each using a different database instance for authentication.
First, I open a browser with application www.mydomain.com/App1 and log on.
After that, when I open another instance of the same browser with application www.mydomain.com/App2 and log on, the first browser loses its session and goes back to the login page.
I need each application on same domain to have its own session so that both can stay logged on.
Mar 7, 2011
We're using ASP.NET and IIS 6.0. I realise that the definitions of applications, websites and virtual directories are ill-defined in IIS 6, and changed a lot in IIS 7. However, I'm stuck with IIS 6.0 for now.
We have a single web site defined in IIS, and a number of separate sub-sites in Virtual Directories.
The scheme looks like this:
[URL]
[URL]
site1, site2, ... are virtual directories in IIS 6.0, under the "Default Web Site".
I need to use ASP.NET sessions and forms authentication in most of these sites, and I don't want them to share authentication data or session information at all.
Both the mechanisms currently depend on cookies. However, the cookies created by default use the same name, and have a path of "/" in the browser, meaning the sites' cookies will clash with each other.
Without changing the default name for each cookie, how can I enforce separation between my sub-sites? Do I need to change the virtual directories for IIS 6 "Applications"? Or is there some way in code to enforce a more limited scope for the cookies?
Sep 18, 2010
I have two different IIS applications within the same domain (let us say www.mydomain.com), and both of these applications use the same database instance (same connection string). Now what I want is that both applications can see each other's session variables. Can SQL Server session state mode help in this case? Has someone tried that before? Is there any other way to share the session variables?
Mar 24, 2011
Is there any sample or guideline showing how to properly handle session timeout in MVC applications?
Jan 8, 2010
I am wondering how I can implement it so that a later login session logs out the former login session, to avoid concurrent logins. I know how to check whether the user is online (by Membership.IsOnline()) and log out the current user (by FormsAuthentication.SignOut()). But I don't know how to log out the previous login session.
Jun 7, 2010
I've been working with web services so far, and I'm interested in expanding my services to console applications as well, so I started digging into WCF. But I'm concerned that I won't be able to use the HttpContext collection that I've been used to with web services for one important thing, which is to generate a random value from HttpContext.Current.Request.ServerVariables["ALL_HTTP"] that I need in order to reckon whether it's the same, or at least nearly the same, machine that is calling my service. How can I overcome this problem?
I need to know what machine is calling to count the number of attempts to log in to my system, for example. So I must do it inside the svc code; otherwise, if I let the client inform me what IP address or what computer he is using, anyone could forge this argument and pose as another machine. Maybe I'm approaching this matter wrongly, and I should count the number of attempts per session state, but how is that done?
Apr 22, 2010
Our corporate intranet is designed so that each web application is a child application in the primary application. Everything has worked fine with Visual Studio 2008, and even in 2010 running the website locally works great: the output directory for the child apps is ..\bin and the ProjectName.dll copies to that directory. When I do a publish, however, it does not, and I have to manually copy the DLL from the bin folder in the project folder to the parent bin folder. This isn't hard, of course, but more of a pain in the butt each time I need to publish something. I made sure the output directory is correct for both debug and release, yet on publish it just copies it to the child bin and not the parent bin as needed.
Jul 8, 2010
I recently noticed that I had a big hole in my application because I had done something like:
<input type="text" value="<%= value%>" />
I know that I should have used Html.Encode, but is there any way to do that for all values, without having to do it explicitly?