WebApp Sec mailing list archives
Re: Cookie not expiring...
From: dharmeshmm () mastek com
Date: 17 Aug 2005 13:24:42 -0000
Hi All,

I think the case is only with cookieless sessions.

"Session ID values used in cookieless sessions are recycled by default. That is, if a request is made with a session ID that has expired, a new session is started using the System.Web.SessionState.HttpSessionState.SessionID supplied with the request. This behavior can result in the unwanted sharing of session data when a link that contains a cookieless System.Web.SessionState.HttpSessionState.SessionID is shared with multiple browsers, perhaps through a search engine or other means. You can reduce the possibility of session data being shared by multiple clients by disabling the recycling of session identifiers. To do this, set the regenerateExpiredSessionId attribute of the <sessionState> configuration element to true. This will result in a new session ID being generated when a cookieless session request is made with an expired session ID."

But the most important thing that was missed is:

"If the request made with the expired session ID is made using the HTTP POST method, then any posted data will be lost when regenerateExpiredSessionId is true, as ASP.NET performs a redirect to ensure that the browser has the new session identifier in the URL."

And in .NET, you call the System.Web.SessionState.HttpSessionStateProvider.Abandon method when a user logs out. This reduces the potential for an unwanted source using the unique identifier stored in the URL to retrieve private data stored in the session for a user.

Regards,
Dharmesh Mehta
Technology Cell, Mastek Ltd.
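A web.config fragment, added here as an illustration and not part of the original message, showing the <sessionState> element with session ID recycling left enabled beside the regenerateExpiredSessionId="true" setting the quoted documentation recommends; the mode, timeout and cookieless values are assumptions chosen for the example.

```xml
<configuration>
  <system.web>
    <!-- Weak: cookieless session with recycling of expired IDs.
         A request carrying an expired ID in the URL (e.g. a link copied
         into a search engine) starts a new session under that same ID,
         so several browsers can end up sharing one session. -->
    <!--
    <sessionState mode="InProc"
                  cookieless="UseUri"
                  regenerateExpiredSessionId="false"
                  timeout="20" />
    -->

    <!-- Hardened: an expired ID in the URL is replaced by a freshly
         generated one. Caveat from the message above: ASP.NET does this
         with a redirect, so a POST arriving with an expired ID loses
         its form data; forms should tolerate that case. -->
    <sessionState mode="InProc"
                  cookieless="UseUri"
                  regenerateExpiredSessionId="true"
                  timeout="20" />
  </system.web>
</configuration>
```

The logout handler still needs to call Session.Abandon() so the identifier embedded in the URL stops resolving to the user's data once they leave.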
Current thread:
- Cookie not expiring... spawn security (Aug 16)
- Re: Cookie not expiring... bryan allott (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... Rogan Dawes (Aug 17)
- Re: Cookie not expiring... Thomas Chiverton (Aug 17)
- <Possible follow-ups>
- RE: Cookie not expiring... Steven Rebello (Aug 17)
- RE: Cookie not expiring... David Knapman (Aug 17)
- Re: Cookie not expiring... dharmeshmm (Aug 17)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Windows 2003 Server Hardening Joe Osborn (Aug 18)
- Re: Windows 2003 Server Hardening jcarr083 (Aug 19)
- RE: Windows 2003 Server Hardening Sarbjit Singh Gill (Aug 19)
- RE: Windows 2003 Server Hardening Aleksander P. Czarnowski (Aug 19)
- RE: Cookie not expiring... Dan Simon (Aug 17)
- Re: Cookie not expiring... bryan allott (Aug 17)