From: Mike on 22 Feb 2010 09:00

Hello,

For our security audit, we've been asked to refresh the ASPSESSIONID "after" the user has logged in to our application. While we are glad to oblige, we're having a tough time implementing this. Would anyone know of a way to programmatically obtain a new ASPSESSIONID?

Thanks in advance,
Mike
From: Ken Schaefer on 27 Feb 2010 09:28

You can get a new ASPSESSIONID by terminating the user's current ASP session (e.g. Session.Abandon) and then giving them a new session. But if you are storing authentication information in session state, then the user will be "logged out".

What is the rationale for requiring a new session ID?

Cheers
Ken
--
http://adOpenStatic.com/blog

"Mike" <m(a)m.com> wrote in message news:eY2vad8sKHA.3536(a)TK2MSFTNGP06.phx.gbl...
> Hello,
>
> For our security audit, we've been asked to refresh the ASPSESSIONID
> "after" the user has logged in to our application.
>
> While we are glad to oblige, we're having a tough time implementing this.
>
> Would anyone know of a way to programmatically obtain a new ASPSESSIONID?
>
> Thanks in advance,
>
> Mike
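The rotation Ken describes (abandon the old session, then let IIS start a new one), written out as an added example that is not from the thread or from anyone in it: it assumes a two-page flow with the file and helper names shown (login.asp, postlogin.asp, ExpireAspSessionCookie and NewHandoffToken are my names) and relies on IIS issuing a fresh ASPSESSIONID when a request arrives without that cookie. Because abandoning the session also drops everything stored in it, the user's identity is carried across the redirect through a one-time token rather than through session state.

```vbscript
<% ' login.asp : reached only after the credentials have been validated
' (the credential check itself is omitted).
Sub ExpireAspSessionCookie()
    Dim cookieName
    ' The cookie name carries a random suffix (ASPSESSIONIDxxxxxxxx), so
    ' find it by prefix and expire it. The next request then arrives with
    ' no session cookie and IIS issues a fresh ASPSESSIONID.
    For Each cookieName In Request.Cookies
        If Left(UCase(cookieName), 12) = "ASPSESSIONID" Then
            Response.Cookies(cookieName) = ""
            Response.Cookies(cookieName).Expires = DateAdd("d", -1, Now())
        End If
    Next
End Sub

Function NewHandoffToken()
    ' Placeholder only: Rnd is not cryptographically strong. Use a proper
    ' random source in production.
    Dim i, s
    Randomize
    For i = 1 To 8
        s = s & Right("0000" & Hex(Int(Rnd * 65536)), 4)
    Next
    NewHandoffToken = s
End Function

Dim userId, token
userId = "alice"    ' constructed: the identity the credential check returned
token = NewHandoffToken()
' Park the identity outside the session so it survives the rotation,
' keyed by a one-time token that postlogin.asp consumes.
Application.Lock
Application("handoff_" & token) = userId
Application.Unlock
Session.Abandon     ' discard the pre-login session and its contents
ExpireAspSessionCookie
Response.Redirect "postlogin.asp?t=" & Server.URLEncode(token)
%>
<% ' postlogin.asp : runs under the brand-new session
Dim token, key, userId
token = Request.QueryString("t")
key = "handoff_" & token
Application.Lock
userId = Application(key)
If Not IsEmpty(userId) Then Application.Contents.Remove key  ' one-time use
Application.Unlock
If IsEmpty(userId) Then Response.Redirect "login.asp"   ' unknown or replayed token
Session("UserId") = userId          ' now bound to the post-login ASPSESSIONID
%>
```

To check the result, compare the ASPSESSIONID cookie value the browser holds before and after login; the two values should differ.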
From: Mike on 1 Mar 2010 17:55

Thank you for your help.

Boy, we have tried the heck out of Session.Abandon, to no avail. Would definitely love to find that it is actually possible. Perhaps when you say "giving them a new one" is where we've missed. We've been thinking that was done automatically by IIS.

The Auditor points out that a Session should not be the same before and after authentication. That an entirely new one should be created after signing on.

"Ken Schaefer" <kenREMOVE(a)THISadOpenStatic.com> wrote in message news:#9hrRk7tKHA.4624(a)TK2MSFTNGP02.phx.gbl...
> you can get a new ASPSESSIONID by terminating the user's current ASP
> session (e.g. Session.Abandon) and then giving them a new session. But if
> you are storing authentication information in session state, then the user
> will be "logged out"
>
> What is the rationale for requiring a new session ID?
>
> Cheers
> Ken
From: Neil Gould on 2 Mar 2010 07:43

Hi Mike,

I would ask the Auditor for his/her rationalization for thinking such things. AFAIK, the SessionID is not a validator, other than for tracking a particular session. I'm not sure what your goal is, but it would seem to me that, in terms of security, you'd be in exactly the same place after terminating the current session and starting a new one.

Neil

Mike wrote:
> Thank you for your help,
>
> Boy we have tried the heck out of Session.Abandon, to no avail. Would
> definitely love to find that it is actually possible. Perhaps when
> you say "giving them a new one" is where we've missed. We've been
> thinking that was done automatically by IIS.
>
> The Auditor points out that a Session should not be the same before
> and after authentication. That an entirely new one should be created
> after signing on.
>
> "Ken Schaefer" <kenREMOVE(a)THISadOpenStatic.com> wrote in message
> news:#9hrRk7tKHA.4624(a)TK2MSFTNGP02.phx.gbl...
>> you can get a new ASPSESSIONID by terminating the user's current ASP
>> session (e.g. Session.Abandon) and then giving them a new session.
>> But if you are storing authentication information in session state,
>> then the user will be "logged out"
>>
>> What is the rationale for requiring a new session ID?
>>
>> Cheers
>> Ken
From: Mike on 2 Mar 2010 16:35

I wish I could. But our company has actually hired a security-type contact, and what he explains is that it is a valid request of the auditor. In that it is something else that can be implemented in one's arsenal and that it does successfully foil a percentage of attacker trickery.

Thank you for your help. By chance, would you happen to have a sample of abandoning a session that generates a new value for the ASPSESSIONID cookie? Funny these security dudes never have samples/examples.

"Neil Gould" <neil(a)myplaceofwork.com> wrote in message news:ORSiTZguKHA.2436(a)TK2MSFTNGP04.phx.gbl...
> Hi Mike,
>
> I would ask the Auditor for his/her rationalization for thinking such
> things. AFAIK, the SessionID is not a validator, other than for tracking a
> particular session. I'm not sure what your goal is, but it would seem to
> me
> that, in terms of security, you'd be in exactly the same place after
> terminating the current session and starting a new one.
>
> Neil
>
> Mike wrote:
>> Thank you for your help,
>>
>> Boy we have tried the heck out of Session.Abandon, to no avail. Would
>> definitely love to find that it is actually possible. Perhaps when
>> you say "giving them a new one" is where we've missed. We've been
>> thinking that was done automatically by IIS.
>>
>> The Auditor points out that a Session should not be the same before
>> and after authentication. That an entirely new one should be created
>> after signing on.
>>
>> "Ken Schaefer" <kenREMOVE(a)THISadOpenStatic.com> wrote in message
>> news:#9hrRk7tKHA.4624(a)TK2MSFTNGP02.phx.gbl...
>>> you can get a new ASPSESSIONID by terminating the user's current ASP
>>> session (e.g. Session.Abandon) and then giving them a new session.
>>> But if you are storing authentication information in session state,
>>> then the user will be "logged out"
>>>
>>> What is the rationale for requiring a new session ID?
>>>
>>> Cheers
>>> Ken