Marked as answer by Ming Xu - MSFT on Jun 30, 2012 01:29 PM
Vardhanmm
Member
2 Points
6 Posts
Security issue on cookie less session
Jun 13, 2012 06:40 PM
Hi,
In our application, we are using session mode SqlServer and cookieless session.
Here we are facing one problem: after logging into the application, we copy the landing page URL, close the browser and open a new browser again. When we hit the copied URL in the newly opened browser, it stays on the landing page. Actually, when we hit the copied URL in the new browser it should redirect to the login page, but it is not happening.
Please can anyone suggest how to do this?
Below is a sample URL:
https://www.axisbank.co.in/BankAway/((28dhysekbag2hupu55q2dgppjo))/web/L001/retail/jsp/user/RetailSignOn.aspx?RequestId=26485202
BrockAllen
All-Star
27574 Points
4912 Posts
MVP
Re: Security issue on cookie less session
Jun 13, 2012 06:44 PM
Well, this is the trade-off for using cookieless session. What's the motivation for using cookieless? It's dangerous, as you noticed yourself.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
Vardhanmm
Member
2 Points
6 Posts
Re: Security issue on cookie less session
Jun 13, 2012 07:07 PM
When I joined the project it was already implemented. Now I am helpless to make modifications, because the application is almost at the deliverable stage, and I need a solution. Please, if you have anything more, can you explain it to me?
BrockAllen
All-Star
27574 Points
4912 Posts
MVP
Re: Security issue on cookie less session
Jun 13, 2012 07:38 PM
This is a fairly hard problem to solve. The fundamental issue is that you can't always get notified when the browser closes and thus you can't notify the server that the session should be abandoned. And on top of it all, session IDs in the URL are insecure. I know you've inherited this problem, but maybe you still have time to make it better?
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
santa_1975
Star
8574 Points
1499 Posts
Re: Security issue on cookie less session
Jun 21, 2012 12:03 AM
What you've experienced is known as "Session Hijacking". It's a serious web application security vulnerability. Either avoid using cookieless session (which is recommended) or try the approach of tagging the requestor's IP address, as given in the link below, in the meantime until you decide to remove cookieless session.
http://stackoverflow.com/questions/3509862/avoid-session-hijacking-for-web-applications
Hope this helps.
Thank you!
----------------------
"Microsoft Community Contributor Award 2011"
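One way to implement the "tag the requestor" idea from the answer above, as an added example that is not code from the thread or from the linked post: an ASP.NET (System.Web) IHttpModule that binds each session to a hash of the client's IP address and User-Agent, so a session ID replayed from a different client is abandoned and the request is sent back to the login page. The login page path `~/Login.aspx` and the registration of the module in web.config are assumed; the real fix remains switching to `<sessionState cookieless="UseCookies" />`.

```csharp
// Added example (not the thread's own code): bind a session to the requesting client.
// Assumed: Forms authentication with a login page at ~/Login.aspx (placeholder path)
// and this module registered in web.config. Setting cookieless="UseCookies" in
// <sessionState> is still the proper fix; this only limits replay of a copied URL.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public class SessionBindingModule : IHttpModule
{
    private const string BindingKey = "__ClientBinding";

    public void Init(HttpApplication app)
    {
        // Session state is only available from PostAcquireRequestState onwards.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    // Stable hash of the client identity. Caveat: clients behind a NAT or a rotating
    // proxy share or change IPs, so legitimate users may occasionally be logged out.
    internal static string ComputeBinding(string clientIp, string userAgent)
    {
        using (var sha = SHA256.Create())
        {
            byte[] input = Encoding.UTF8.GetBytes((clientIp ?? "") + "|" + (userAgent ?? ""));
            return Convert.ToBase64String(sha.ComputeHash(input));
        }
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var session = app.Context.Session;
        if (session == null) return; // handler without session state (e.g. static files)

        string current = ComputeBinding(app.Request.UserHostAddress, app.Request.UserAgent);
        string stored = session[BindingKey] as string;
        if (stored == null)
        {
            session[BindingKey] = current; // first request of this session: record the binding
        }
        else if (!string.Equals(stored, current, StringComparison.Ordinal))
        {
            // The URL-embedded session ID arrived from a different client: drop the
            // session and force re-authentication instead of serving the landing page.
            session.Abandon();
            app.Response.Redirect("~/Login.aspx", true);
        }
    }
}
```

Binding to IP and User-Agent raises the bar but does not make URL-embedded session IDs safe: the ID still leaks through browser history, bookmarks and Referer headers, which is why the answers recommend removing cookieless session altogether.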