Avoid session hijacking for web applications

I read the Session Capture article and would like more information about this. Currently, my web application, developed in ASP.NET, uses Cookieless = true for sessionState. We use HTTPS, which is a secure connection that will reduce session hijacking. I know that when we use Cookieless, the session identifier is embedded in the URL, which can sometimes be dangerous: if the user passes this URL to someone, another user can log in if the session is still alive. So I just want to know whether HTTPS is enough, or whether I have to do something more to protect my web application.

+4
4 answers

HTTPS protects only from the capture and alteration of data between the client and server (or server and client). This will not help you if the user shares the link with friends (or hackers :))

As an option, you can save the client IP address in session variables when starting a session and check each request if the current IP address and the IP address from the session match. This will provide a bit more security.

+4

You can end the session if the client IP address changes and force them to log in again.

+4

Session hijacking can occur in a number of ways. HTTPS prevents sniffing, but XSS is the most common attack. You can use HttpOnly cookies to prevent an XSS attack from accessing document.cookie, but then an attacker can simply “ride” the session with XMLHttpRequest (Samy did this on MySpace). Speaking of riding, you should learn about CSRF. Even SQL Injection can be used to capture a session if you store the session identifier in the database, but not all web applications do this.

Use HttpOnly cookies, make sure they are HTTPS-only, and use HTTPS for everything. Do not use ASP.NET cookieless sessions; this makes you vulnerable to Session Fixation. The session ID must always be transmitted in a cookie and never as a GET or POST parameter. You can consider using STS.

+2
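As an added example (not code from the question or from any of the answers), the following ASP.NET `IHttpModule` combines the advice given above: it assumes a web.config that keeps the session ID in an HttpOnly, HTTPS-only cookie rather than in the URL, and it binds each session to the client IP recorded when the session started, abandoning the session and forcing a new login when a later request for it arrives from a different address. The module name, the session key name and the login page path are hypothetical; the module would be registered in web.config under `system.webServer/modules`.

```csharp
// Assumed web.config (sessions in cookies, never in the URL; cookies HttpOnly and HTTPS-only):
//   <system.web>
//     <sessionState cookieless="UseCookies" httpOnlyCookies="true" regenerateExpiredSessionId="true" />
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
using System;
using System.Web;
using System.Web.SessionState;

// Hypothetical module: remembers the client IP when a session starts and abandons
// the session if a later request carrying that session comes from a different address.
public class SessionIpBindingModule : IHttpModule
{
    private const string BoundIpKey = "__BoundClientIp";   // hypothetical session key

    public void Init(HttpApplication app)
    {
        // Session state has already been loaded when PostAcquireRequestState fires.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return;               // e.g. static files: no session state here

        // Caveat: users behind NAT, proxies or mobile carriers legitimately change address,
        // so this check trades some usability for the extra protection the answers describe.
        if (BindsToClient(ctx.Session, ctx.Request.UserHostAddress)) return;

        ctx.Session.Abandon();                         // discard the server-side session state
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true, Secure = true
        });
        ctx.Response.Redirect("~/Login.aspx", endResponse: true);   // force a fresh login
    }

    // Returns true when the session is new (and records the IP) or when the IP still matches.
    internal static bool BindsToClient(HttpSessionState session, string clientIp)
    {
        string bound = session[BoundIpKey] as string;
        if (bound == null)
        {
            session[BoundIpKey] = clientIp;
            return true;
        }
        return string.Equals(bound, clientIp, StringComparison.Ordinal);
    }
}
```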

Also consider that your session identifier may be disclosed to outsiders through the HTTP_REFERER header. HTTP_REFERER will contain the URL of the previously visited page, including the session identifier in the URL parameters, if the user follows a link that opens in the same browser window. This will be a problem if the link points outside of your service.

+2
