Security - Avoiding Session Hijacking?
Feb 24, 2011
I recently read an article on making ASP.NET sessions more secure here and at first it seems really useful.
Previously I had been storing the user's IP address in the session, then making sure in every subsequent request that the requesting IP was equal to the stored IP.
The code in the article also protects the session by checking the IP address, except it stores a hashed message authentication code containing the user's IP as part of the session cookie. It creates a hashed MAC twice every request, which I imagine would slow things down a little.
I can already see a potential flaw in their code: if you were to somehow get a hold of the key used to generate the MAC, you could then generate a valid MAC with your own IP - you wouldn't even have to fake the IP the session was started on.
It seems like an overly-complex solution to a simple problem which not only incurs a larger overhead but also is more susceptible to attack than the trivial method - unless I'm completely missing the point.
So, why would this approach be any more secure than the more simple approach that I had been using?
As a slight aside, the author also states that you shouldn't use the whole IP address in the comparison, as some user's IPs change every request if they are behind a proxy. Is this still the case if you check X_FORWARDED_FOR?
View 1 Replies
Similar Messages:
Aug 18, 2010
I read about Session Hijacking articles and would like to some more information related to it. Currently my web application which is developed in ASP.NET , is using Cookieless =true mode for sessionstate. We are using HTTPS which is a secure connection which will reduce session hijacking. I know when we using Cookieless the session id is embedded in URL which can be dangerous sometimes if user pass this URL to somebody and other user will be able to log in if session is still alive. So just want to know is HTTPS is more than enough or i should do something to secure my web app.
View 4 Replies
Feb 3, 2011
I created a user control for my web application that checks for Session Timeout. If the criteria are met for Timeout, I use Response.Redirect to send the user back to the login page. I include this user control in my Master page, and run the SessionTimeoutcode in the user control's Page_Init event. That all works great. However, once the user logs in again after time-out (and I have verified that the OnLoggedIn event does fire) the user is redirected to the DestinationPageUrl. That page runs the Session Timeout check when it loads (as it should) and the Session Timeout code "says" that the session is still timed-out.
View 1 Replies
May 20, 2010
I would like to check if someone tries to access the application with the same username from a different browser/pc/etc. All usernames and passwords are stored in a MSSQL db.
What I am doing at the moment is: In the global.asax-file in Application_start(..) I initialize [Code]....
Now with every user that logs in I can check whether he is allready in ( in that case, he won't be able to log in, he'll be redirected to the login page ). Let's say it's the same user who wants to login but for some reason he wants to start the application from a different pc, maybe in a different building. Unless he hasn't forget to logout, he won't be able to login on this different computer. So he would has to go back and logout or wait for the timeout.
Now wouldn't it be more convenient to abandon the first session and let the same user login to the pc where he is right now?
The question is, is it possible to end the first session without beeing in it? Or is there any other solution for that problem? Since I have the SessionID stored in Application["UserList"] is there any possibility to end that specific session?
View 3 Replies
Jan 18, 2011
I am generating an output on a webpage in a format like this
({"1":"Jeff","2":"Tom","3":"Michael",})
For this, basically this is the code I am using
Response.Write("(" + "{");
//
for (Int32 i = 0; i < k.Length; i++)
{
Response.Write(Convert.ToString(k.GetValue(i)) + ",");
}
//
Response.Write("}" + ")");
Notice my output, after Michael" there is a comma which I do not want since this is the last vaue but this is appearing since , is in the for loop. How to prevent this/remove this last comma from appearing?
My output should be ({"1":"Jeff","2":"Tom","3":"Michael"}) (There's no comma after last value here)
View 8 Replies
Jan 31, 2011
I'm having issues with an ASP.net site (framework 3.5, IIS6 ) having very slow 'first hit' response times. I'm guessing that the issue is to do with the app pool recycling and having to warm up.
I got to thinking. As part of the site I have a HTTP module that spins up a 'never ending loop' on a separate thread which periodically (every 5 seconds) calls an sproc on SQL to make sure the database is still there. I'm wondering if a similar approach might work to get the site to make an HTTP request to "itself" as a keep alive.
My question is, before I go and do this, can anyone think of any reason why it won't work? For example, something like "oh no... ASP.Net will figure out that you're playing with yourself and not go through the whole page lifecycle... etc etc".
View 1 Replies
Sep 24, 2010
avoiding postback using updatepanel
View 4 Replies
Feb 19, 2010
I have a button in my page. If i click enter in the page the button click event is getting fired. How can i avoid this?
View 9 Replies
May 1, 2010
I'm hoping this is a simple configuration setting that I have incorrectly defined. I have an application that has a secure (members) area. If a customer tries to browse directly to the secured page (http://www.mysite/members/memberpage.aspx) asp.net loads up my login.aspx page. When the user successfully authenticates from the login.aspx page in they are taken to the secured page they originally requested (so far so good!).The problem I have is that I run some SQL using the User.Identity.Name on the secured page as a reference to who the logged in user is. This way I can show some customer specific information. When I take the login route outlined above, the SQL doesn't seem to run (or the Session Variables aren't loaded yet?)... my page loads up with no customer information in it. If I browse to another page and then back the customer information shows up and all is well.
View 1 Replies
Jul 29, 2010
I have a web parts page in which each web part has its own personalization data(list of DB table primary keys). At startup, I want to get thecombined data stored in each web part to make a query in the background. Is it possible ? Currently I have to wait for IPersonalizationData.Load for each web part to get what keys are stored by each. Is there a way to store personalization data for the whole page ? I can't use profile as this data is not per user. Worst case is write to a file which I want to avoid if possible.
View 2 Replies
Mar 23, 2011
I have 2 points for today I. I have a controller in which i have a public static method for getting the details for a checkbox like
[code]....
is it ok for me to use this same function like this one in the view, so that I do not need to use the viewdata object,
<%: Html.DropDownList("country", new SelectList(UserController.GetCountryLists(), "value", "countryname", "0"))%>
Also i have another query, when i use the same id & name for the radiobuttons, validation at the client side is working fine.If I use the same condition for a group of checkboxes, i get do not get the checkboxes highlighted during client validation and only during server validation, i get the error message, but the controls [checkboxes] do not have a red border indicating the error.I have used my own html helper to generate the checkboxlist as per [URL].
View 1 Replies
May 31, 2010
I just did an audit of one of my web application page (built using ASP.Net and running on development server) using Google chrome's developer tool. One particular warning caught my eyes:
Serve static content from a cookieless domain (5)!
Here is my screen shot [URL] as well. I would like to know is it possible to avoid cookies for these kind of requests. I see that there is no cookie requests for javascript files as well. I it possible to avoid cookies in the header for these files as well? and why didn't the browser attach cookies for javascript files and attach for CSS and image?
View 1 Replies
Sep 9, 2010
Like many people using ASP.NET MVC, I've implemented my own custom 404 error handling scheme using an approach similar to the one described here: [URL]
(I actually discovered that post after implementing my own solution, but what I came up with is virtually identical.)
However, I ran into one issue I'm not sure how to properly handle. Here's what my 404 action in my ErrorController class looks like:
[Code]....
The part that's different from the answer in the other StackOverflow question I referenced above is how the 'retry loop' is prevented. In other other answer, the code that prevents the retry loop simply sets properties on a ViewModel, which doesn't seem to actually prevent the loop. Since the action is sending back a response code of 404, then accessing the action directly (by typing "/Error/NotFound" in the browser) causes an infinite loop.
So here's my question: Did I miss another, more obvious way to handle the retry loop issue, or is my approach a decent way to do this?
View 1 Replies
Nov 29, 2010
I'm building a page in asp.net that will use tiny mce to provide a rich text editor on the page. Tiny mce outputs the rich text as html which I would like to save to a database. Then at a later date, I want to pull the HTML from the database and display it in a page.
I'm concerned about allowing malicious html, js tags into my database that would later be output.
I should html encode/decode etc. to prevent a persistent xss attack and or sql injection attack?
View 4 Replies
Dec 21, 2010
I have a website I am working on and I am using the following code quite often to access the database:
[Code]....
I have a few buttons on one page that use something similar like this in the code behind. I have heard to look into ADO.NET but I was wondering if there was a quicker way then creating model and business layers etc.
View 2 Replies
Apr 5, 2010
i am using simple form in that i put 3 upload option when i click the upload button the 3 files are stored in to unique directory. but when i refresh the page once again again it store the file once again to the directory . how to fix this problemin asp.net C#
View 5 Replies
Oct 31, 2010
Various tutorials and articles describing the N-tier architecture use the "Open Late Close Early" methodology for Connection objects. The connection is just opened before a "ExecuteNonQuery or ExecuteReader" command, and closed immediately
This means that inside a transaction where a number of business objects have to be updated (using different DAL classes), the connection can be opened and closed many times.
In that case the transaction will be escalated to a distributed transaction. Now we can’t assume that MSDTC will be availableunning every where. Now if I am building a website to be uploaded using those shared web hosting services, which does not allow MSDTC , what are my options ?
View 10 Replies
Oct 14, 2010
I have code in an ASP.NET form that needs to, depending on user entry create messages in the database. We are speaking of potentially thousands of db entries. How do I protect against deadlocks, I mean apart from using Transactions and setting IsolationLevel to Serializable, as well as using WITH(NOLOCK) statement on my select statements since I don't mind a dirty read.
Event code: 3005 Event message: An unhandled exception has occurred. Event time: 10/13/2010 10:12:14 PM Event time (UTC): 10/14/2010 3:12:14 AM Event ID: a565c58a7f844692859aa21303447c7c Event sequence: 206 Event occurrence: 1 Event detail code: 0 Application information: Application domain: /LM/W3SVC/610100832/Root-12-129314933998593750 Trust level: Full Application Virtual Path: / Application Path: D:Websitesadmin.beta.sharedTime.com Machine name: SHAREDTIME Process information: Process ID: 3440 Process name: w3wp.exe Account name: NT AUTHORITYNETWORK SERVICE Exception information: Exception type: SqlException Exception message: Transaction (Process ID 56) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction. Request information: Request URL: http://beta.admin.sharedTime.com/admin_text_mass_send.aspx Request path: /admin_text_mass_send.aspx User host address: 69.211.10.138 User: Is authenticated: False Authentication Type: Thread account name: NT AUTHORITYNETWORK SERVICE Thread information: Thread ID: 10 Thread account name: NT AUTHORITYNETWORK SERVICE Is impersonating: False Stack trace: at mtNamespace.mt.createmessage_queue(String phone_number, String text_message, DateTime send_on, String system_name, Double user_no, Double send_priority, String message_type, Boolean returnqueue) in http://server/App_Code/mt.vb:line 1509 at ASP.admin_text_mass_send_aspx.save_user_values(Object sender, EventArgs e) in http://server/admin_text_mass_send.aspx:line 103 at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) Custom event details:
View 1 Replies
Apr 7, 2010
I have an asp.net page that will be doing some processing that may take a very long time to complete. I cannot just set the page timeout value since this is going to be in a hosted environment and the timeout values that I set in my web.config are overridden by the server host. What I'm doing is taking a file from a FileUpload control and doing some web requests to a 3rd party service for each line in the file, all of which may take a very long time to process a large file. I'm talking on the order of, say, 30 minutes, and there's just no way to optimize this any further to cut down on the processing time. Is it possible to even do such a lengthy page request in asp.net? Can someone give me a pointer in the right direction here to make this happen? Is my only hope to create an async page? It seems that doing an async page is the way to go if I have a potential for a lot of lengthy requests, but really this massive of a request is going to happen VERY rarely so this is not an issue of running out of thread pool since most of the time this particular request will be completed relatively quickly, but on occasion it may receive a very large file it will need to process and will take a very long time. So what is the best way to handle that case?I'd also like to update the client with the processing status as the processing is going on. I'm familiar with doing client ajax calls via jQuery to a page webmethod so if there is some clean way to update the client as this long processing
View 7 Replies
Mar 15, 2010
I'm using the ASP.NET login control.
How can I set the session timeout?
View 2 Replies
Feb 4, 2011
I have an MVC web app and want to setup the security in a fashion that is NOT persisted. The problem is that if a user logs in and closes the browser (all instances) and open a new browser, goes to the site heshe is logged in automatically. I want the "session" to expire if you close the browser but I cannot seem to get the answer.
I have authentication mode="Forms" in the web.config and all my usernamepasswords are kept in a custom SQL DB. I can see that on login, Asp.net drop a cookie called ".ASPXAUTH" that expires in 30 minutes. I changed it to expire "At end of session" but if I close the tab I can see that that cookie is still active.
What do I need to do to get the browser to force a login if the user closes the tab or browser?
View 4 Replies
Mar 16, 2010
I got this login system where I need to set a session for when a user log's on, eacth user have 2 id's, and I need to get one of them to get the right content from my DB... So how do I get my users id's from my session's?
View 4 Replies
Dec 10, 2010
I have a number of ActionLinks in my site's master page that link off to the various top level pages of my site. Some of these top level pages include an optional "page" parameter, which defaults to 1:
[Code]....
The ActionLink itself appears like:
[Code]....
I expect that the link should show as "/Latest", since no "page" argument is specified in the ActionLink. However, if I'm currently on a different page that has a page parameter (/Author/Person/5) then the ActionLink appears as "Latest/5"!
I've heard this behavior referred to as "ambient parameters", but I haven't seen any way of working around it. setting "page" to null in the ActionLink, but that's not a general solution - some pages have more than one parameter and they aren't always called page.
How do I create a link through MVC that does not include any inherited/ambient parameters?
View 1 Replies
May 5, 2010
I am doing web based projects in dotnet. Currently I am implementing security using session variables. I keep current user id and user type in session and authenticate user from these session variables (say Session["UserId"],Session["UserName"] and Session["UserType"]).
I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get session id and directly connect to that session id etc.
View 1 Replies
Jan 2, 2011
using the Login control, which I just dragged and dropped from the toolbox, when the user successfully enters his or her username and password, I want the username text to be set as a session.
View 2 Replies