Stefan Hoffmann
Hello everyone!
We are developing a webshop in asp.net. We did not want to use cookies
for session management, so we tried cookieless sessions.
This changes the URL requested to something like
http://.../WebApplication3/(xwa4n4a3cr45h2idog25v355)/WebForm1.aspx
Well, this -> (xwa4n4a3cr45h2idog25v355) is the session id. Someone
sniffing on the net can easily obtain this request and use it from
another computer. As long as the session still exists, this someone will
have full access to all the user's information at this moment. I thought
at least it should be bound to an IP to prevent such attacks from other
networks than the one the user is using at the moment.
Another not really nice behaviour of the cookieless session management
is that you can reuse (or maybe better: inject?) session ids. When the
session has already expired and you use a link with a session id,
asp.net will create a new session - but use the old id.
Now - you can imagine what happens if someone posts such a link into a
forum or something (to e.g. show all his friends that there is a
wonderful cheap and extremely useful article in the webshop). They will
be shopping in a group (hey - nice feature :/)...
Additionally, I don't have a clue how to prevent these ids from being
bookmarked. I don't really want every user in the shop to have his or her
own private session id.
Any proposals on how to circumvent these problems?
Maybe I just configured something really wrong?
Thanks in advance,
Stefan Hoffmann
PS: If you don't understand my English, ask and I will try to explain.
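The expired-id reuse described above is the session fixation weakness of URL-carried session ids. As an added example (not from the poster's project), here is a web.config `<sessionState>` element in the weak form beside a hardened one; it assumes ASP.NET 2.0 or later, where `regenerateExpiredSessionId` exists, and the path and timeout values are placeholders.

```xml
<!-- WEAK: session id lives in the URL; when the client presents an id whose
     session has expired, ASP.NET 1.x simply creates a new session under that
     same id, so a bookmarked or forum-posted link keeps working for everyone. -->
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="true" timeout="20" />
  </system.web>
</configuration>

<!-- HARDENED (ASP.NET 2.0+): keep cookieless mode if cookies are not an option,
     but force a fresh id whenever the client supplies an expired one. The
     runtime answers with a redirect to a URL carrying the new id, so the
     old id in a bookmark or shared link can no longer seed a live session.
     Using UseUri instead of "true" makes the intent explicit. -->
<configuration>
  <system.web>
    <sessionState mode="InProc"
                  cookieless="UseUri"
                  regenerateExpiredSessionId="true"
                  timeout="20" />
  </system.web>
</configuration>
```

Regeneration does not stop an observer on the wire from replaying a still-valid id; only serving the shop over HTTPS addresses the sniffing concern, and a shorter `timeout` limits how long a captured id stays usable.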