views:

87

answers:

4

Hi,

I read about Session Hijacking articles and would like to some more information related to it. Currently my web application which is developed in ASP.NET , is using Cookieless =true mode for sessionstate. We are using HTTPS which is a secure connection which will reduce session hijacking. I know when we using Cookieless the session id is embedded in URL which can be dangerous sometimes if user pass this URL to somebody and other user will be able to log in if session is still alive. So just want to know is HTTPS is more than enough or i should do something to secure my web app.

+4  A: 

HTTPS protects only from grabbing and changing data between client and server (or server and client). It can't help you if user share link with friends (or hackers :) )

As an option you can save client IP in session variables on session start and check on every request if current IP and IP from session are the same. This will provide a bit more security.

Pavel Morshenyuk
+4  A: 

You could end session if client IP changes and force them to re-login.

alxx
+1  A: 

Session hijacking can happen though a number a methods. HTTPS prevents sniffing, but XSS is by far the most common attack. You can use httponlycookies to prevent an xss attack from accessing document.cookie, but then the attacker can just "ride" on the session xmlhttprequest (The Sammy worm did this to MySpace). Speaking of session riding, you should look into CSRF. Even SQL Injection can be used to hijack a session if you are storing the session id in the database, but not all web apps do this.

Use httponlycookies, make sure they are https only, use https for everything. Don't use asp.net's "cookiesless" sessions, this makes you vulnerable to Session Fixation. Session id's should always be passed using cookie, and never passed as GET or POST. You may want to consider using STS.

Rook
thnks for the suggestion, but i cannot change from cookieless to cookie as it is already implemented, i could able to find something related to it - http://msdn.microsoft.com/hi-in/magazine/cc300500(en-us).aspxi hope it may help, if somebody can suggest something better than that then it will be grt.
Punit
A: 

Consider also that your session id will possibly be revealed to outsiders in HTTP_REFERER header. HTTP_REFERER will contain URL of the last page accessed - including the session id in URL's parameters-, if a user follows a link which opens in the same browser window. That will be a problem if the link points outside from your service.

Petrus Repo