Toro
Hi,
I have found some information about a potential security flaw in
cookieless session management. I am sure that the issue is well known to the
community because it was reported over 2 years ago.
[http://builder.com.com/5100-6387-1044869.html]
Since this report nothing was apparently done to fix the issue because
the hole still exists in ASP.NET 1.1.
Two questions then:
1. Is there any obvious and objective reason that this issue cannot be
easily fixed by not allowing the ASP.NET engine to create a new session with
a user-supplied id? Does it break the cookieless session model in some other
places? If not, will the issue be fixed in ASP.NET 2.0?
2. Does using HTTPS solve the issue?
Thanks in advance for any information.