preventing Session ID replay attack

  • anoop

    preventing Session ID replay attack

    Hello,
    I am developing a Simple ASP Website with a login page. I want to
    know how I can change the Session ID after login and also close the current
    Session after the user closes the window or gets logged out of the website, so
    that every time the user logs in to the website, the Session ID will be unique.

    Thank you.
  • Evertjan.

    #2
    Re: preventing Session ID replay attack

    anoop wrote on 16 apr 2007 in
    microsoft.public.inetserver.asp.general:

    > I am developing a Simple ASP Website with a login page. I want to
    > know how I can change the Session ID after login

    You cannot, simply because changing the session.id would end the session per
    definition.

    > and also close the
    > current Session after the user closes the window or gets logged out of the
    > website,

    Use session.abandon if you have to, or empty the
    session("login") value if so designed.

    .... however you cannot reliably trust the closing of window to be reported.
    It depends on the browser used, the closing of the computer, or if someone
    trips over the mains connection or internet connection.

    > so that every time the user logs in to the website, the Session ID
    > will be unique.

    The session.id is unique as delivered by the system, better than once in a
    lifetime at least.


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my email address)


    • michal

      #3
      Re: preventing Session ID replay attack

      To release all used sessions:

      session.abandon()

      but this won't reset the session id ... (as far as I know)

      On Apr 16, 10:09 am, "Evertjan." <exjxw.hannivo...@interxnl.net>
      wrote:
      > anoop wrote on 16 apr 2007 in
      > microsoft.public.inetserver.asp.general:
      >
      > > I am developing a Simple ASP Website with a login page. I want to
      > > know how I can change the Session ID after login
      >
      > You cannot, simply because changing the session.id would end the session per
      > definition.
      >
      > > and also close the
      > > current Session after the user closes the window or gets logged out of the
      > > website,
      >
      > Use session.abandon if you have to, or empty the
      > session("login") value if so designed.
      >
      > ... however you cannot reliably trust the closing of window to be reported.
      > It depends on the browser used, the closing of the computer, or if someone
      > trips over the mains connection or internet connection.
      >
      > > so that every time the user logs in to the website, the Session ID
      > > will be unique.
      >
      > The session.id is unique as delivered by the system, better than once in a
      > lifetime at least.
      >
      > --
      > Evertjan.
      > The Netherlands.
      > (Please change the x'es to dots in my email address)

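Added example, not part of any post in the thread: the replies note that the session ID itself cannot be changed and that a closed window is not reliably reported, so this Python model binds a fresh random token to the unchanged session ID at each login, checks it on every request, and relies on server-side logout plus an idle timeout. `SessionStore`, its method names and the timeout constant are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

# Assumed idle limit in seconds; 20 minutes matches ASP's default Session.Timeout.
IDLE_TIMEOUT = 20 * 60


class SessionStore:
    """Server-side state keyed by a session ID the application cannot change."""

    def __init__(self, clock=time.monotonic):
        self._state = {}        # session_id -> {"user", "token", "last_seen"}
        self._clock = clock     # injectable so the timeout can be tested

    def login(self, session_id, user):
        """Call only after credentials are verified; returns the token for a second cookie."""
        token = secrets.token_urlsafe(32)   # fresh on every login, never reused
        self._state[session_id] = {"user": user, "token": token,
                                   "last_seen": self._clock()}
        return token

    def authenticate(self, session_id, token):
        """Return the user name, or None when the request must be treated as anonymous."""
        entry = self._state.get(session_id)
        if entry is None or not token:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._state[session_id]     # covers a browser closed without logout
            return None
        # Constant-time comparison on bytes, so non-ASCII input cannot raise.
        if not hmac.compare_digest(entry["token"].encode(), token.encode()):
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, session_id):
        """Drop the server-side state, so previously issued cookies stop working."""
        self._state.pop(session_id, None)
```

In Classic ASP terms the token would be kept in a Session variable and sent as a second cookie next to the ASP session cookie, with logout clearing it before session.abandon.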