Securing ASP app with session

Drew

I have been working on internal, intranet apps in the past few years, so I
haven't needed to secure apps with a login/password and sessions like I did
8 or so years ago (I use Windows Auth now, which makes it easier)... Is
using sessions still a practical, safe way to secure the backend of the
apps? Or should I just bite the bullet and move to ASP.NET to build a
secure backend?

I have researched session hijacking and there seems to be a lot of
information out there about that type of attack... what are your thoughts?

Thanks,
Drew
 
Bob Barrows [MVP]

Drew said:
> I have been working on internal, intranet apps in the past few years,
> so I haven't needed to secure apps with a login/password and sessions
> like I did 8 or so years ago (I use Windows Auth now, which makes it
> easier)... Is using sessions still a practical, safe way to secure
> the backend of the apps?

It's as safe as the developer makes it.

> Or should I just bite the bullet and move
> to ASP.NET to build a secure backend?

Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
them.

> I have researched session hijacking and there seems to be a lot of
> information out there about that type of attack... what are your
> thoughts?

I am not sure where you are coming from (or going): ASP.Net has the
same vulnerability to session-hijacking as classic ASP. It is up to the
developer to properly secure the site to prevent these types of
exploits. Since you've seen the information, you must have seen the
steps needed to prevent these exploits.
 
Drew

Bob,

I was under the wrong assumption... After looking into the session variables
again I see where I was screwing up.

Drew
 
