tags:

views:

87

answers:

4
+4  Q: 

avoid session hijacking for Web Applications

Hi,

I read about Session Hijacking articles and would like to some more information related to it. Currently my web application which is developed in ASP.NET , is using Cookieless =true mode for sessionstate. We are using HTTPS which is a secure connection which will reduce session hijacking. I know when we using Cookieless the session id is embedded in URL which can be dangerous sometimes if user pass this URL to somebody and other user will be able to log in if session is still alive. So just want to know is HTTPS is more than enough or i should do something to secure my web app.

+4  A: 

HTTPS protects only from grabbing and changing data between client and server (or server and client). It can't help you if user share link with friends (or hackers :) )

As an option you can save client IP in session variables on session start and check on every request if current IP and IP from session are the same. This will provide a bit more security.

Pavel Morshenyuk  2010-08-18 07:41:47
+4  A: 

You could end session if client IP changes and force them to re-login.

alxx  2010-08-18 07:50:47
+1  A: 

Session hijacking can happen though a number a methods. HTTPS prevents sniffing, but XSS is by far the most common attack. You can use httponlycookies to prevent an xss attack from accessing document.cookie, but then the attacker can just "ride" on the session xmlhttprequest (The Sammy worm did this to MySpace). Speaking of session riding, you should look into CSRF. Even SQL Injection can be used to hijack a session if you are storing the session id in the database, but not all web apps do this.

Use httponlycookies, make sure they are https only, use https for everything. Don't use asp.net's "cookiesless" sessions, this makes you vulnerable to Session Fixation. Session id's should always be passed using cookie, and never passed as GET or POST. You may want to consider using STS.

Rook  2010-08-18 09:35:01
thnks for the suggestion, but i cannot change from cookieless to cookie as it is already implemented, i could able to find something related to it - http://msdn.microsoft.com/hi-in/magazine/cc300500(en-us).aspxi hope it may help, if somebody can suggest something better than that then it will be grt.
Punit  2010-08-18 11:10:38
A: 

Consider also that your session id will possibly be revealed to outsiders in HTTP_REFERER header. HTTP_REFERER will contain URL of the last page accessed - including the session id in URL's parameters-, if a user follows a link which opens in the same browser window. That will be a problem if the link points outside from your service.

Petrus Repo  2010-08-18 12:36:14

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps