Re: Securing ASP app with session by Drew
Drew
Tue May 27 13:04:37 CDT 2008
Bob,
I was under the wrong assumption... After looking into the session variables
again I see where I was screwing up.
Drew
"Bob Barrows [MVP]" <reb01501@NOyahoo.SPAMcom> wrote in message
news:OoHZ6KCwIHA.3380@TK2MSFTNGP03.phx.gbl...
> Drew wrote:
>> I have been working on internal, intranet apps in the past few years,
>> so I haven't needed to secure apps with a login/password and sessions
>> like I did 8 or so years ago (I use Windows Auth now, which makes it
>> easier)... Is using sessions still a practical, safe way to secure
>> the backend of the apps?
>
> It's as safe as the developer makes it.
>
>> Or should I just bite the bullet and move
>> to ASP.NET to build a secure backend?
>>
> Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
> them.
>
>> I have researched session hijacking and there seems to be a lot of
>> information out there about that type of attack... what are your
>> thoughts?
>>
> I am not sure where you are coming from (or going): ASP.Net has the
> same vulnerability to session-hijacking as classic ASP. It is up to the
> developer to properly secure the site to prevent these types of
> exploits. Since you've seen the information, you must have seen the
> steps needed to prevent these exploits.
>
>
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.