How to pass the ASP.NET session token from page to page? - asp.net

What is the best and most secure way to pass the ASP.NET session token from page to page?
1. cookies (not secure)
2. URL (not secure)
3. hidden fields?
Is using hidden fields the right way to pass it?
How do I pass it using hidden fields?
How do I disable the session token in cookies and also in the URL (session state configuration)?

From my answer to a similar question, "securing ASP.NET forms authentication token on client side?":
Session:
Fast, Scalable, and Secure Session State Management for Your Web Applications
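The question above asks how to keep the session token out of cookies or the URL; in ASP.NET that is governed by the `sessionState`, `httpCookies` and `forms` elements of web.config. As an added example (not the answer's code), this C# start-up check, called for instance from Application_Start, fails fast when the configuration would let the session or forms-authentication token travel in the URL, over plain HTTP, or be readable by script. The class and method names (TokenTransportCheck, Findings, Enforce) are assumed.

```csharp
// Added example, not the answer's code: a start-up check (e.g. called from Application_Start)
// that fails fast when web.config would let the session or forms-auth token travel in the URL,
// over plain HTTP, or be readable by script. Assumed names: TokenTransportCheck, Findings, Enforce.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Configuration;

public static class TokenTransportCheck
{
    // Returns every weak setting found; an empty list means both tokens
    // stay in HttpOnly, Secure cookies and never appear in the URL.
    public static IList<string> Findings()
    {
        var findings = new List<string>();
        var session = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
        // UseUri, AutoDetect and UseDeviceProfile can all place ASP.NET_SessionId in the URL,
        // where it leaks through Referer headers, proxy logs, bookmarks and pasted links.
        if (session.Cookieless != HttpCookieMode.UseCookies)
            findings.Add("sessionState cookieless is " + session.Cookieless + "; expected UseCookies");

        var cookies = (HttpCookiesSection)WebConfigurationManager.GetSection("system.web/httpCookies");
        if (!cookies.HttpOnlyCookies)
            findings.Add("httpCookies httpOnlyCookies=\"false\": session cookie readable by script (XSS)");
        if (!cookies.RequireSSL)
            findings.Add("httpCookies requireSSL=\"false\": session cookie sent over plain HTTP");

        var auth = (AuthenticationSection)WebConfigurationManager.GetSection("system.web/authentication");
        if (auth.Mode == AuthenticationMode.Forms)
        {
            if (auth.Forms.Cookieless != HttpCookieMode.UseCookies)
                findings.Add("forms cookieless is " + auth.Forms.Cookieless + "; expected UseCookies");
            if (!auth.Forms.RequireSSL)
                findings.Add("forms requireSSL=\"false\": .ASPXAUTH sent over plain HTTP");
            if (auth.Forms.Protection != FormsProtectionEnum.All)
                findings.Add("forms protection is " + auth.Forms.Protection + "; expected All (encrypt + MAC)");
        }
        return findings;
    }

    // Call once at start-up so a misconfigured deployment refuses to serve requests.
    public static void Enforce()
    {
        IList<string> findings = Findings();
        if (findings.Count > 0)
            throw new InvalidOperationException(
                "Insecure token transport:" + Environment.NewLine + string.Join(Environment.NewLine, findings));
    }
}
```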

Related

Use only querystrings throughout the project, avoid session in asp.net

We are developing an asp.net webforms app. We want to avoid using session state if possible, passing values in the querystring.
Question: After a user logs in, how do we keep the user from linking to and reusing a URL?
Is there a token of some type we can set on login that expires after a certain time?
If you are using ASP.NET Forms authentication, you can set the timeout for the cookie in the web.config, as explained here:
https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/1d3t3c61(v=vs.100)

Authentication using only session state (no forms authentication cookie)

I have a question connected with security.
Is it possible to implement authentication and authorization through session variables, without using forms authentication and the forms authentication cookie stored in the browser?
How is the session ID sent in consecutive requests? Is it also stored in a cookie?
What are the drawbacks of using session instead of forms authentication for authentication?
Thank you
Using user session for authentication is a very bad idea from the security perspective. User session is maintained by a cookie (ASP.NET_SessionId), just like the authentication session (ASPXAUTH). However, ASP.NET has a lot of security safeguards built into the authentication session cookie management, such as encryption, validation, prevention of tampering, etc. None of these measures exist for the user session cookie, which makes it easy to break the site security.
There is absolutely no reason not to use forms authentication; it is actually more difficult to switch to using the session for authentication, because you have to write custom code to support it.
Well, you've got two questions.
Is it possible to implement authentication and authorization through session variables without using forms authentication and the forms authentication cookie stored in the browser?
Yes, it's possible, but we're not supposed to reinvent the wheel, especially when it is related to security. It's strongly recommended to use forms authentication when possible unless you have strongly valid reasons.
How is the session ID sent in consecutive requests? Is it also stored in a cookie? What are the drawbacks of using session instead of forms authentication for authentication?
To see the cookie:
Step 1: Create a new ASP.NET MVC project using the Internet template.
Step 2: Start it, create a new user and log in.
Step 3: Open the developer tools and check the cookie section; you can see two cookies:
__RequestVerificationToken
.ASPXAUTH
.ASPXAUTH is the cookie that FormsAuthentication consumes to do the authentication. For all following requests to the server, the server will check this cookie to authenticate the user.
You can specify "Remember me" when you log in, which changes the life span of this cookie: if you don't tick it, the life span is tied to the current session; if you tick it, it depends on the settings on the server side.

asp.net session techniques

I have a very good understanding of asp.net session management.
But I have a few questions around that.
When does the session ID get created: when the client logs in to the application with user name and password, or when the client tries to access the default.aspx page?
How does the server serve the client session request?
Can we access the session ID in JS?
Is there any difference between ASP.NET Web Forms and ASP.NET MVC in terms of client-server session creation?
Any links/books which give me a very in-depth idea about sessions will be helpful for me.
Thanks in Advance !!!
Prashant
I have a very good understanding of asp.net session management.
I think that you are misusing the terms here. ASP.NET Session is one thing, Forms Authentication is an entirely different thing. I suppose that you are talking about Forms Authentication here.
1) When does the session ID get created: when the client logs in to the application with user name and password, or when the client tries to access the default.aspx page?
When someone calls the FormsAuthentication.SetAuthCookie method which usually happens once the username and password credentials are validated by the LogOn action.
2) How does the server serve the client session request?
A forms authentication cookie is emitted to the client when the FormsAuthentication.SetAuthCookie method is called, and this cookie gets sent to the server on each subsequent request. The cookie contains an encrypted value of the username that allows the server to populate the IPrincipal.
3) Can we access the session ID in JS?
No, the forms authentication cookie is emitted with the httponly flag, meaning that it is not accessible to client scripting.
4) Is there any difference between ASP.NET Web Forms and ASP.NET MVC in terms of client-server session creation?
They are absolutely the same. Actually there's no such notion as ASP.NET MVC client-server session creation. All this mechanism comes from ASP.NET.
Now let's suppose that you actually talked about ASP.NET Session in your question. I will try to answer your questions in that context:
1) When does the session ID get created: when the client logs in to the application with user name and password, or when the client tries to access the default.aspx page?
Whenever some server side code attempts to read or write to the session using the HttpContext.Session property.
2) How does the server serve the client session request?
A session cookie is emitted to the client when some server side script attempts to read or write to the HttpContext.Session object. This cookie gets sent to the server on each subsequent request. The cookie is just an ID that allows access to the session data, which is stored on the server. By default session data is stored in memory, but you could also configure ASP.NET to store it out-of-proc or in SQL Server. For more information about the various session state modes please refer to MSDN.
3) Can we access the session ID in JS?
No, the ASP.NET session cookie is emitted with the httponly flag, meaning that it is not accessible to client scripting.
4) Is there any difference between ASP.NET Web Forms and ASP.NET MVC in terms of client-server session creation?
They are absolutely the same. Actually there's no such notion as ASP.NET MVC client-server session creation. All this mechanism comes from ASP.NET.

Custom membership that uses web service for authentication

I'm building a web portal in ASP.NET MVC 3 that uses a remote web service as the only way to communicate with the database. The web service requires Username/Password to always be passed in the request header, otherwise it rejects the call.
I have overridden ASP.NET Membership so that my ValidateUser method sends Username/Password to the web service Login method, and returns true/false depending on whether authentication is successful. It works quite nicely with the AccountController provided with the MVC 3 Empty Internet template. Since I have to pass Username/Password on every web service call, I'm saving them in Session.
My problem is:
If I close the browser and reopen it... I remain logged in to the website, but my Session variables have expired, so none of my requests to the web service are accepted, even though I'm still logged in with credentials.
I'm looking for a nice suggestion on how to sync the user's logged-in state with the session state: either keep them both persistent until log off is used, or have them both disposed of when the browser is closed.
Thanks for all suggestions :)
When the user signs in using your AccountController, try setting the auth cookie like this:
FormsAuthentication.SetAuthCookie(model.UserName, false);
This should tell ASP.NET to delete the cookie when the browser window is closed. Then, when the user opens up a new browser, both the session and the auth cookie should be destroyed.
Sessions are cookies on the client side. Forms Authentication (which uses your membership provider) also uses cookies.
They are different.
Is your auth ticket or cookie persistent? This MS KB will explain things and scenarios in more detail than I would here...
Hth.
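As an added example for the thread above (not code from the question or either answer), this C# pair shows the non-persistent SetAuthCookie call from the first answer together with an authorization filter that tears down the forms ticket whenever the session-held credential is gone, so the two states cannot drift apart again. The attribute name and the CredentialKey session slot are assumed; LogOnModel (UserName, Password) is the model the MVC 3 Internet template's AccountController uses.

```csharp
// Added example, not code from the question or the answers. Assumed: CredentialKey and the
// attribute name; LogOnModel (UserName, Password) is the MVC 3 Internet template's model.
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Put on the controllers/actions that call the web service.
public class RequireServiceCredentialAttribute : AuthorizeAttribute
{
    public const string CredentialKey = "ServiceCredential";   // session slot filled by LogOn (assumed name)
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))
            return false;                               // no valid .ASPXAUTH ticket at all
        // The ticket is valid but the session that held the credential is gone
        // (browser reopened, session timeout, app-pool recycle): the exact mismatch in the question.
        if (httpContext.Session == null || httpContext.Session[CredentialKey] == null)
        {
            // Tear both halves down together so they never diverge again. Returning false makes
            // AuthorizeAttribute answer 401, which forms authentication turns into a login redirect.
            FormsAuthentication.SignOut();
            if (httpContext.Session != null)
                httpContext.Session.Abandon();
            return false;
        }
        return true;
    }
}

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            // createPersistentCookie = false: the ticket dies with the browser, matching the
            // lifetime of the ASP.NET_SessionId cookie, so both sides expire together.
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            Session[RequireServiceCredentialAttribute.CredentialKey] =
                new NetworkCredential(model.UserName, model.Password);
            // Only follow local return URLs to avoid an open redirect.
            return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Action("Index", "Home"));
        }
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }
}
```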

.NET Membership and Cookies?

Hi,
I need to determine how my site uses cookies, to inform the user in a proper way.
The solution is an ASP.NET MVC website using .NET Membership. I'm storing data in sessions on the server, but nothing is saved manually to cookies on the client. I suppose, however, that ASP.NET Membership is using cookies (for autologin), but I'm not sure which data it really stores on the client?
Could you please explain or give me a link for this?
Best regards
The forms authentication ticket (the cookie on the client) stores values such as the username and cookie expiration time along with some other boolean fields related to the remember me checkbox and sliding expiration. This is if you use cookie-based forms authentication which is the default and a typical choice. More information can be found at the following site:
Forms Authentication Explained
It is important to note that sessions and the forms authentication ticket (cookie) are not related in any way. You can have a session without being logged in and you can login and never touch the session object. This is an important difference.
EDIT
This cookie is not used for 'auto login'. After authentication (putting in a username and password), the cookie is created and is used for authorization (can you access these resources?) throughout your site.
ASP.NET Membership enabled sites will have up to 3 cookies:
1. Session token
2. Authentication token
3. Roles cache (if enabled in web.config)
To see them, open your site in the browser of your choice, log in, and inspect the cookies. In IE it's Tools -> Internet Options -> Settings (next to Browsing History) -> View Files
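Inspecting the cookie in the browser only shows an opaque encrypted string; to document what the ticket actually carries, the server can decrypt it. As an added example (not code from the question or the answer), this C# helper decrypts the forms-authentication cookie on the current request and lists its fields. The class name AuthTicketInspector is assumed.

```csharp
// Added example, not code from the question or answer: decrypts the forms-authentication
// cookie on the current request and lists the fields it carries, so you can document
// exactly what .ASPXAUTH stores on the client. Assumed name: AuthTicketInspector.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class AuthTicketInspector
{
    // Returns a one-line description of the ticket, or null when no auth cookie was sent.
    public static string Describe(HttpRequestBase request)
    {
        // FormsCookieName reads the configured name (".ASPXAUTH" by default) rather than hard-coding it.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt also checks the MAC, so a tampered cookie, or one minted under a different
            // machineKey, is rejected here instead of yielding a forged identity.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return "ticket malformed"; }
        catch (HttpException) { return "ticket failed validation (tampered or wrong machineKey)"; }
        catch (CryptographicException) { return "ticket failed validation (tampered or wrong machineKey)"; }

        if (ticket == null)
            return "ticket could not be decrypted";

        // The fields the answer mentions: user name, expiry and the Remember-me (persistent)
        // flag, plus issue time, version and the optional UserData string. The password is not in it.
        return string.Format(
            "user={0}; issued={1:u}; expires={2:u}; persistent={3}; expired={4}; version={5}; userData='{6}'",
            ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent,
            ticket.Expired, ticket.Version, ticket.UserData);
    }
}
```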
