Kevin Watkins
Hi,

Apologies for cross posting like this, but I wasn't sure on the best
group to post to and I didn't receive much of a response to my
original email in microsoft.public.dotnet.framework.aspnet.security.
My application currently has a rather large security hole in it which
I need help with as soon as possible.

My original post can be found at
http://groups.google.co.uk/[email protected]

Basically the problem is a difference in behaviour between going to a
URL by loading up IE via its icon, and by going to a URL by typing it
into the Windows Explorer address bar.

My application uses ASP.NET. It records information in the Session
variable and uses forms authentication to log in. The code for a
simple test application to demonstrate all this is included in my
original post.

Firstly I go to my app by loading up IE by clicking its icon then
entering the URL in the address bar. I log in, then close the browser
window. If I then open a new instance of IE in the same way and go
back to the site I am logged out as you'd expect, because my session
has ended. Everything works correctly and I'm a happy bunny.

However, if I enter the URL into the address bar of a Windows Explorer
window (e.g. double click on 'My Computer' and use the window that
comes up) my site displays in the window. I log in, then close the
window. If I then enter the URL into another Windows Explorer address
bar, I haven't been logged out. My session remains and my forms
authentication still holds.

Looking into this further, I believe this is due to session cookies
being held in memory. When I load up IE I get an iexplore.exe process
showing in task manager. Presumably the session cookies are held in
the memory space of this process, so when I close my IE window, the
process ends, the cookies are destroyed and my session/authentication
is therefore lost.

However, when I enter the URL into Windows Explorer, it does not
launch an iexplore.exe process. I'm therefore guessing that the
session cookies are held in the memory space of explorer.exe. As this
process never ends, the session cookies never die and my
session/authentication information is never lost.

In a related issue, if I open a popup using JavaScript from my site
when it has been accessed via Windows Explorer, an iexplore.exe
process is launched for the new window. The session/authentication
information is not carried through to this new window, I'm guessing
because the in-memory cookies aren't copied to the new process.

Now I hope I'm being a muppet and have not set up something correctly
in ASP.NET or IIS. I tried setting the cookieless property in the
sessionState node in Web.Config to true, but still had the problem. I
have tested the website locally and on three different remote servers.
I have tested this on XP and 2000 running IE6, and on 2000 running
IE5.5. The bug only seems to happen under IE5.5, which makes me think
it might be a bug in IE 6.

Has anyone experienced anything similar? I would be grateful for any
help in solving this problem, as currently I have a big security hole.
If a user enters my site via Windows Explorer and then doesn't log
out, then another user could come along, use their PC, go to my site
via Windows Explorer and obtain the previous user's access rights.

I currently have a JavaScript onunload to log the user out if the
window closes, but this is not 100% perfect and is certainly not
ideal! So any help would be really appreciated!!!

Thanks,
Kev
(e-mail address removed)
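
Added example, not part of the original post and not the poster's code: a server-side idle timeout for an ASP.NET forms-authentication site, so that sign-out does not depend on the browser process ending or on a client-side onunload handler. The session key name, the 10-minute limit and the `MarkLogin` helper are assumptions made for this sketch; it also signs the user out when a forms ticket arrives without a matching session stamp.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Global.asax.cs (added example; key name and limit are assumed values).
public class Global : HttpApplication
{
    private const string LastSeenKey = "LastSeenUtc";   // hypothetical session key
    private static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(10);

    // Hypothetical helper: call from the login page right after the
    // credentials have been validated and the auth cookie has been issued.
    public static void MarkLogin(HttpSessionState session)
    {
        session[LastSeenKey] = DateTime.UtcNow;
    }

    // Expired when there is no stamp at all (the forms ticket outlived the
    // server-side session) or when the last request is older than the limit.
    public static bool IsExpired(object lastSeen, DateTime nowUtc)
    {
        if (!(lastSeen is DateTime)) return true;
        return nowUtc - (DateTime)lastSeen > IdleLimit;
    }

    // Runs on every request once session state has been loaded.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        // Skip handlers without session state and anonymous requests
        // (the login page itself is reached anonymously after sign-out).
        if (ctx.Session == null || !ctx.Request.IsAuthenticated) return;

        if (IsExpired(ctx.Session[LastSeenKey], DateTime.UtcNow))
        {
            ctx.Session.Abandon();                      // drop server-side state
            FormsAuthentication.SignOut();              // expire the auth cookie
            FormsAuthentication.RedirectToLoginPage();  // does not end the request
            CompleteRequest();                          // so skip the handler here
            return;
        }

        ctx.Session[LastSeenKey] = DateTime.UtcNow;     // sliding idle window
    }
}
```

With this in place a cookie that survives in a long-lived process is only usable for the idle window after the last request, regardless of which window or process sends it.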