Session ID management


anoop

Hello,
I am developing a Simple ASP Application with a Login page. I
want to know how session ID can be generated after User has authenticated
instead of generation along with the Login page request. Also Session ID must
be unique each time the user logs in. This is required so that Session
Hijacking and Session Fixation could be prevented. Do I have to use another
process instead of general ASP session management? Please help.

Thank you
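The regenerate-on-login pattern the question asks for, as an added example (Python, not classic ASP, and not code from anyone in this thread): an in-memory session store hands out an anonymous ID with the login page and replaces it with a fresh ID the moment authentication succeeds, so an ID learned before login is worthless afterwards. `SessionStore`, `login`, `is_authenticated`, the `USERS` table and the password are all constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets


class SessionStore:
    """Constructed in-memory session table (stands in for a framework's)."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def create(self):
        """Issue a fresh, unpredictable, anonymous session (pre-login)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Move the session data under a brand-new ID and kill the old one.
        Called right after a successful login so that whatever ID the browser
        held before authentication (and anyone who learned it) is useless."""
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


# Constructed credential table: salted PBKDF2 hashes, never plaintext.
_SALT = os.urandom(16)


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}  # demo user only


def login(store, sid, username, password):
    """Verify credentials; on success return a NEW session ID (old one is dead)."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        return None
    new_sid = store.regenerate(sid)
    store.get(new_sid)["user"] = username
    return new_sid


def is_authenticated(store, sid):
    """What every protected page checks: having an ID is not being logged in;
    the session must carry a user set by a successful login."""
    data = store.get(sid)
    return data is not None and data["user"] is not None


def demo():
    store = SessionStore()
    pre_login = store.create()  # ID issued along with the login page
    post_login = login(store, pre_login, "alice", "correct horse battery staple")
    return {
        "rotated": post_login is not None and post_login != pre_login,
        "old_id_dead": store.get(pre_login) is None,
        "new_id_authenticated": is_authenticated(store, post_login),
        "bad_password_rejected": login(store, store.create(), "alice", "wrong") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The ID that reaches the browser before login is treated as public: nothing is decided on it except that a login form may be shown. Only the ID minted inside `login` ever carries a user, so a fixed or sniffed pre-login ID never becomes an authenticated one.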

Anthony Jones

anoop said:
Hello,
I am developing a Simple ASP Application with a Login page. I
want to know how session ID can be generated after User has authenticated
instead of generation along with the Login page request. Also Session ID must
be unique each time the user logs in. This is required so that Session
Hijacking and Session Fixation could be prevented. Do I have to use another
process instead of general ASP session management? Please help.

Thank you

Bear in mind that simply assigning a session an ID doesn't make the session
authentic.
You can store some value in the session object after successful
authentication which your other pages check before allowing other activity.

A simple solution is to use https for the entire session. The cost is a
busy site can create a heavy load on the server and a server can only
support one https website (no host header site selection).

I can't see how ASP's standard session management is vulnerable to a fixation
attack.

As to a hijacking, that would require a man in the middle or some locally
installed network sniffing. In that case anything sent in the clear is
vulnerable. If that is a serious concern then only https provides a serious
level of protection.

If https is not doable yet you're still seriously concerned about session
hijacking you could use your own cookie to hold a unique value which changes
each request. All your pages would have to check the cookie value with the
expected value stored in the session then create a new value for the cookie
and store that in the session. In that case an attacker would have to have
the latest response in order to hijack and such hijacking is less covert
since it breaks the existing client activity.

However the above doesn't protect from clever man-in-the-middle attacks, is
complex to implement and can make the normal use of the application fragile.

My guess is ultimately all you really are after is in my first paragraph ;)

Egbert Nierop (MVP for IIS)

anoop said:
Hello,
I am developing a Simple ASP Application with a Login page. I
want to know how session ID can be generated after User has authenticated
instead of generation along with the Login page request. Also Session ID must
be unique each time the user logs in. This is required so that Session
Hijacking and Session Fixation could be prevented. Do I have to use another
process instead of general ASP session management? Please help.

Sure ;)

All about session management, ok, not all, but a lot about it below.

If you really want to be sure that a session cookie is not hijacked, you
should use SSL or regenerate a new cookie at each request, so that each
session request must chain to the previous request.

ISP Session supports that, and it requires less CPU stress than using sec
SSL.
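The per-request rotating cookie that Anthony describes, and the "each request must chain to the previous request" scheme Egbert mentions, are the same mechanism. As an added example (Python, not code from either poster or from any product named in the thread), here is a minimal server side and client side of that chain, plus the three behaviours the thread attributes to it: a stale sniffed token is rejected, an attacker holding the latest token gets in but locks the real user out (so the hijack is not covert), and an innocent double submit kills the session (the fragility). `ChainedSession`, `Browser` and the demo scenarios are constructed.

```python
import secrets


class ChainedSession:
    """Server side (the thread's session object): every accepted request issues
    a new one-time token, and the next request must present exactly that token."""

    def __init__(self):
        self.expected = secrets.token_urlsafe(32)
        self.alive = True

    def handle_request(self, presented_token):
        """Return the token for the next request, or None on failure.
        A failed check ends the session outright: whoever is out of step,
        attacker or legitimate client, is locked out."""
        if not self.alive or not secrets.compare_digest(presented_token, self.expected):
            self.alive = False
            return None
        self.expected = secrets.token_urlsafe(32)
        return self.expected


class Browser:
    """Client side: keeps the cookie and sends back whatever the server last set."""

    def __init__(self, initial_token):
        self.cookie = initial_token

    def request(self, session):
        new_token = session.handle_request(self.cookie)
        if new_token is not None:
            self.cookie = new_token
        return new_token is not None


def demo_legit_only(n=5):
    """Normal use: a well-behaved single client chains n requests without error."""
    s = ChainedSession()
    b = Browser(s.expected)
    return all(b.request(s) for _ in range(n))


def demo_sniffed_token_replayed():
    """A token captured from an earlier request (constructed scenario) is
    presented after the legitimate client has already advanced the chain."""
    s = ChainedSession()
    b = Browser(s.expected)
    b.request(s)
    stolen = b.cookie          # the value an observer could have copied here
    b.request(s)               # legitimate client moves the chain forward
    return s.handle_request(stolen) is None   # stale token: rejected


def demo_attacker_with_latest_token():
    """Anthony's caveat: with the latest response in hand the attacker is
    accepted, and the legitimate client's next request then fails, which is
    what makes the takeover visible rather than covert."""
    s = ChainedSession()
    b = Browser(s.expected)
    b.request(s)
    attacker_ok = s.handle_request(b.cookie) is not None  # freshest token
    victim_ok = b.request(s)                              # victim is now out of step
    return attacker_ok and not victim_ok


def demo_double_submit_fragility():
    """The fragility: two requests carrying the same cookie (double-click, second
    tab, retried request) - the second is rejected and the session is dead."""
    s = ChainedSession()
    b = Browser(s.expected)
    first = s.handle_request(b.cookie) is not None
    second = s.handle_request(b.cookie) is not None
    return first and not second and not s.alive


if __name__ == "__main__":
    print("legit chain ok:", demo_legit_only())
    print("stale replay rejected:", demo_sniffed_token_replayed())
    print("latest-token hijack locks out victim:", demo_attacker_with_latest_token())
    print("double submit kills session:", demo_double_submit_fragility())
```

The last two scenarios are the reason both replies steer back to https: the rotating token raises the bar only against an observer who is behind the client in time, and it does so at the price of breaking legitimate parallel requests. Token comparison uses `secrets.compare_digest` so the check does not leak timing information about the expected value.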