I have seen some sites, where your authentication does note expire after your ip changes. How to create such session, and how safe is it?
So, how does session validate then? by some hardware information?
The fact that you have a session cookie is the validation.
Sessions work by creating a server-side resource with a random id. For example, a random id is created, iuwehrc3948hg3w09x4h, and an entry in a database is saved with it. That random id is sent as a cookie to the browser. The browser returns this cookie with every request, the server looks up the database entry with this id and gets the associated session data.
The "validation" is that the browser possesses a valid session id. The browser can only know this id if it was given to it by the server previously. Because the id is entirely random, it should practically be unguessable by any 3rd party.
Having said this, cookie hijacking is a concern, in which a 3rd party outright steals a valid session cookie (e.g. through a shared network, malware installed on the victim's machine etc.). In this case recording the IP address of the client in the session and validating it as well can help mitigate problems; but as you note, it also means that sessions have an extremely limited life span. The most practical solution to avoid session hijacking is to use HTTPS throughout.
Related
I'm reading about session management in ASP.NET and I'm a bit confused.
This is what I understand:
When a client starts communication with my application, a session is created and the state of the session is maintained in a session object on the server.
The browser gets a cookie with the session ID and every request that he wants to make with relation to the session needs to be sent with that cookie.
The session ends when some rules are met.
As long as the session is alive, the browser must have the cookie and the server must maintain the session object in memory.
Is this how it works or am I mixing things up? I read somewhere that the server can maintain the state with the cookie only but I don't understand if it's correct or possible (the last point in the bullet list).
You've got it right, that's how it normally works. In terms of cookies ASP.net does have a way of offering a session without a cookie, which it achieves by basically putting your cookie into the URL instead. That might be what you're thinking of.
Normally this isn't a great idea, it makes session hijacking as simple as copy pasting the victims URL into your own browser.
There are two ways that session state can store the unique ID that associates the client with a server session: by storing an HTTP cookie on the client or by encoding the session ID in the URL. Storing the session ID in the cookie is more secure but requires the client browser to support cookies.
From https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection.cookieless?view=netframework-4.8
I want to implement measures to prevent/mitigate session hijacking. Thus, I want to know the options, either from built-in ASP.NET or custom components.
Please note that session hijacking refers to Forms Auth session and Session State.
My ASP.NET is using HTTPS for all pages all the time. But it is possible that session can be compromised once the session cookie id is obtained by third party somehow, e.g. from user's hard drive, cross-site scripting attacks, and man-in-the-middle attacks
In particular, I am concerned about session id hijacking because https is used all the time for my projects
Below is the links I reviewed, which are written a few years back:
Foiling Session Hijacking Attempts Jeff Prosise Please refer to Caveats section for its shortcomings.
I cannot find much relevant information, or different from Jeff's on the web.
Here are a couple suggestions:
Salt your sessionId. This would ensure that you have unique session Ids - although, I am pretty sure the default ASP.NET session Ids are unique enough for your purposes; however, for added security you could use something that either you can control or is self-identifying. For instance, you could use a GUID as a salt - which you can control by updating as you see fit.
Track the SessionId and user ip address of your users as a pair in a dictionary object. This would enable you to match the session Ids to the ip address and reveal any session hijacking that is occurring outside of the user's LAN. Obviously not without flaws as it won't matter much if the user's computer or router is infected, but it will at least make it more difficult for the attacker to accomplish their task.
Not sure what you would do if the user's computer is infected, but that risk exists whether you increase your defensive measures or not.
i read few article about Session Hijacking. hacker sniff cookie and get the session id from there. but i think session id is stored in cookie as encrypted value. is not it?
is it possible to decrypt easily?
what other sensitive data is stored in session cookie...please explain. whatever we stored in session variable from server side code that is stored in session cookie...is it right?
please guide me regarding session cookie and what would be best way to protect Session hijacking. thanks
The idea is that they get the session cookie and used it as it is, to send it to the server and server connects the cookie with the victim session. Actually there is no data on session cookie, just an encrypted number of the session id.
Now there is a case that sensitive data stored on cookie and that is the Roles of the currenct user. To avoid a possible decrypt and change on web.config on <roleManager cacheRolesInCookie="false"
Also on the authentication cookie and on role manager always use the requireSSL="true", so its impossible to steal the cookie of authentication, but you must use secure pages for this make work.
How some can stole a critical session. This can be done if the programmer depends the critical data that show to the user, on the session id. For example, if you store the phone number and the name on a session variable and show that to the user, then some one can stole the full web page and read it (if not ssl). If you have connect the backoffice and the access to hidden administrate page with the session id, then if some steal the session cookie and open the pages, then he can gets on that administrators back office pages.
So its up to you not to store critical information's on session data, and always use ssl pages to administrate and to get send cookie critical data.
Now if a hacker steal the session cookie and you there just store what users see in previous pages, a history of products like amazon, then is not big deal because still can not connect this history with the user, but also can anyone sniff the urls that a user see.
Of course its up to you also to not store critical data on any unencrypted cookie !
So you split your data to critical ones, and not critical ones, and always use SSL for page and cookie for the critical ones, and never trust the data that comes from unsecure pages.
You can also read :
Can some hacker steal the cookie from a user and login with that name on a web site?
Hope this helps you.
An ASP.NET cookie stores Session ID and an Authorization Ticket; however, the issue is not whether one can decrypt the cookie, but rather to be able to create one with identical values and trick the server into believing that your copy of the original cookie is the real one.
The HTTP protocol is stateless so client and server don't maintain information about each other. Session Cookies (using the Session ID and Authorization Ticket) is how they keep track of each other. The web server knows which Session ID is attached to which authorization ticket and if you can provide a valid pair of these values, the web server will happily accept it. The Web server encrypts the cookie using a symmetric encryption algorithm and an autogenerated key (default setting). You can tweak these settings, if you want to, by modifying the appropriate sections in the machine.config file.
I was wondering if HttpContext.Session uses cookies to store data. A work colleague told me that in a mobi site, phones generally do not have cookies and therefore you don't have session. I always thought session is data that is stored on the server side and is not dependant on client side objects please explain if I am wrong.
I read this.
In ASP.NET; you have a Session cookie. This cookie is used to identify which session is yours; but doesn't actually contain the session information.
By default, ASP.NET will store session information in memory inside of the worker process (InProc), typically w3wp.exe. There are other modes for storing session, such as Out of Proc and a SQL Server.
ASP.NET by default uses a cookie; but can be configured to be "cookieless" if you really need it; which instead stores your Session ID in the URL itself. This typically has several disadvantages; such as maintence of links become difficult, people bookmarking URLs with expired session IDs (so you need to handle expired session IDs, etc). Most modern phones, even non-smart phones, support cookies. Older phones may not. Whether you need to support cookieless sessions is up to you.
If your URL looked like this:
http://www.example.com/page.aspx
A cookieless URL would look like this:
http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx
Where lit3py55t21z5v55vlm25s55 is a session ID.
You can learn more about ASP.NET's session state here
The session data is stored on the server, but it also stores an id string in a cookie to identify the user.
If cookies are not supported, the id string can't be stored, and the server can't pair the session when the user makes another request.
The session id is just a number generated by the server (either from a counter or randomly), so it doesn't contain any information from the data that you store in the session object.
(The application can also be configured to put the session in the URL instead of in a cookie. This enables you to use sessions without cookies, but it ruins your nice URLs.)
Nowadays it can be both.
Server Session
Server Side session already explained in the others posts. The session is stored on the server but it need a cookie to store an indicator of who is requesting the session value.
Client Session
The new concept of WebStorage defined by W3C shows how a client side session is nowasays needed.
Here is the HTML5 implementation of a WebStorage:
https://code.google.com/p/sessionstorage/
This is a tricky question in some ways, as it is a bit of both.
The session state, itself, is stored on the server. But, you need some type of indicator on the client to use it. Normally, this is a server cookie, which is very thin and is basically a GUID for the session and nothing more. But, you can set up sites to pass the session ID in the URI, so it need not be a cookie.
Not sure how phones deal with the session cookie concept, but since I can log in, and do not see IDs in URIs, I assume there is a mechanism, even if it does not handle user cookies.
Session id is by defauld stored as cookie. You can also configure your session to pass its id as a query parameter ("cookieless").
I put some authentication information in cookie. For security reason, I want to prevent someone copying the cookie to another computer and use it to login. How can i do it?
As said before, if you are putting authentication information into cookies in plaintext, you should seriously considering using something like sessions.
Once you have sesssions, perhaps you could associate the session id with an IP address in your backend, and check if the session id and requesting IP address match: that way, if someone copies the cookie containing the session id and then tries to access the site remotely, the session id and IP will not match up, and the authentication will fail.
There is not, You should NEVER put sensitive date in a cookie.
For authentication information you should use sessions.
http://www.tizag.com/phpT/phpsessions.php
You could encrypt the information with a reliable, public, well known algorithm. Then if the cookie was copied, the recipient wouldn't be able to glean any information from it.
Of course this means you need to do the encryption and decryption on a server to keep it secure, otherwise (if you used JavaScript) the private key could be obtained from the JavaScript code and used to decrypt the cookie. You would also have to work out whether the cookie you are receiving is from the original recipient, or whether it is a copy.
Since you have to do this server-side for it to work, you may as well use a session anyway. This is just like a cookie, except an ID is passed around instead of the actual data (the ID is used to look up the data on the server.) However it is still possible to copy the session cookie and make another computer appear to be logged in as the original one, and this is what FireSheep does.
You should not put authentication information into the cookie itself. When setting the cookie you should make a session, tied to some persistent storage (sql/nosql).
This is basically some unique randomly generated ID that is matched with other information. The randomly generated ID is sent as the cookie. On successive requests you read the cookie, and try to get a user account from it.
You can place constraints on the session that it can only be accessed from the IP address that you assigned it to. You could also tie it to the user-agent (although this is security by obscurity, user-agents can be configured).