[Owasp-leaders] ASP.net Session hijacking

Michael Hidalgo Fallas michael.hidalgo at owasp.org
Mon Apr 2 15:26:49 UTC 2012


Thanks for the information provided, Erlend and Jim. I will be digging into this.

Dinis, I'm currently focused on WCF and the REST architectural style to build
services on top of the Web. I'm also currently focused on ASP.NET Ajax and the
MVC framework. Do you know what the needs of the .Net project are? I have
been researching some of the vulnerabilities that usually appear when people
create SOAP-based web services.

Thanks

On Mon, Apr 2, 2012 at 8:16 AM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:

> ASP.NET is interesting that way. Authentication and
> session data are split in two. The FormsAuthCookie is an encrypted cookie
> with a username and timestamp. It cannot be invalidated server side, so
> there is really no way to log out. A log out is just a matter of deleting
> the cookie client side, which, in case it's stolen, doesn't really help.
> The session, though, is invalidatable server side. But it doesn't contain
> authentication data. If there is no data in the session, no session is
> kept. If the user submits a cookie value containing a session id that does
> not exist on the server, the server will create one with the given id...
> This is at least the way it works pre-MVC.
>
> Regarding protection, you can set absolute and sliding expiration of the
> auth. You can set the Secure flag, and I think HttpOnly is on by default.
>
> Erlend
>
> ------------------------------
> From: Michael Hidalgo Fallas
> Sent: 02.04.2012 15:57
> To: OWASP Leaders; dinis cruz
> Subject: [Owasp-leaders] ASP.net Session hijacking
>
>
>  Hi Leaders,
>
> I wonder if any of you guys have created any kind of research/best practice
> about ASP.NET session hijacking attacks and prevention. I'm currently
> focused on how to prevent this kind of attack using ASP.NET.
>
> Also, do you think it is a good idea to have a white papers section on our
> main page? If this section already exists, please point me there. I believe
> that this kind of document may follow any of the IEEE standards for performing
> research. I know that there is a lot of research on our site, but this
> kind of white paper can be distributed in universities.
>
>
> Thanks for your comments!
> --
>
> *Michael Hidalgo F.
> OWASP Chapter Leader,Costa Rica.*
>
> “*If you believe in yourself and have dedication and pride - and never
> quit, you'll be a winner. The price of victory is high but so are the
> rewards.” Paul Bryant*
>
>
>


-- 

*Michael Hidalgo F.
OWASP Chapter Leader,Costa Rica.*

“*If you believe in yourself and have dedication and pride - and never
quit, you'll be a winner. The price of victory is high but so are the
rewards.” Paul Bryant*
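As an added example (not code from this thread or from any OWASP project), the following classic ASP.NET (System.Web) helper addresses the two points Erlend raises above: the forms-authentication cookie that cannot be invalidated server side, and the session ID that the server will happily adopt from the client. It stores a random per-login token in the ticket's UserData and checks it on every request, so removing the token is a real server-side logout that also kills stolen copies of the cookie; on login it issues a fresh session ID so a pre-set ASP.NET_SessionId cannot be fixated. The in-memory TokenStore, the class name AuthCookieGuard and the method names are assumptions for the example; in a deployment the store would be a database or distributed cache.

```csharp
// Added example (not from the thread): server-side revocation for ASP.NET
// forms-authentication cookies plus session-ID regeneration at login.
// Assumes a classic ASP.NET (System.Web) application; TokenStore is a
// hypothetical stand-in for a database or distributed cache.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class AuthCookieGuard
{
    // Hypothetical per-user "current login token" store. One entry per user;
    // replacing or removing it invalidates every outstanding auth cookie.
    private static readonly ConcurrentDictionary<string, string> TokenStore =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Call from the login page after the credentials have been verified.
    public static void SignIn(HttpContext ctx, string username, int timeoutMinutes)
    {
        // Session fixation defence: drop the session the client arrived with
        // and issue a server-generated ID instead of adopting theirs.
        ctx.Session.Abandon();
        var mgr = new SessionIDManager();
        bool redirected, cookieAdded;
        mgr.SaveSessionID(ctx, mgr.CreateSessionID(ctx), out redirected, out cookieAdded);

        // One token per user: a new login invalidates older cookies for that user.
        var token = NewToken();
        TokenStore[username] = token;

        var ticket = new FormsAuthenticationTicket(
            1, username, DateTime.UtcNow, DateTime.UtcNow.AddMinutes(timeoutMinutes),
            false /* not persistent */, token, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = true,   // pair with <forms requireSSL="true"> in web.config
            Path = FormsAuthentication.FormsCookiePath
            // No Expires set: a session cookie, never written to disk.
        };
        ctx.Response.Cookies.Set(cookie);
    }

    // Call from Application_PostAuthenticateRequest in Global.asax. Returns
    // false, clears the cookie and downgrades ctx.User to anonymous when the
    // ticket is missing, expired, tampered with, or carries a revoked token.
    public static bool Validate(HttpContext ctx)
    {
        var cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = null;
        if (cookie != null)
        {
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (Exception) { ticket = null; }   // tampered, or wrong machineKey
        }

        string current;
        if (ticket == null || ticket.Expired
            || !TokenStore.TryGetValue(ticket.Name, out current)
            || current != ticket.UserData)
        {
            FormsAuthentication.SignOut();   // clears the cookie client side
            // FormsAuthenticationModule already trusted the ticket; override it.
            ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            return false;
        }
        return true;
    }

    // The server-side logout the thread says forms auth lacks: every copy of
    // the cookie, stolen ones included, stops validating immediately.
    public static void SignOut(HttpContext ctx, string username)
    {
        string removed;
        TokenStore.TryRemove(username, out removed);
        FormsAuthentication.SignOut();
        if (ctx.Session != null) ctx.Session.Abandon();
    }
}
```

Validate runs after FormsAuthenticationModule has set ctx.User but before session state is acquired, which is why it does not touch ctx.Session. Alongside the code, the web.config settings that back Erlend's protection list are `<forms requireSSL="true" slidingExpiration="false" timeout="20" />` (absolute rather than sliding expiry, cookie only over TLS) and `<httpCookies httpOnlyCookies="true" requireSSL="true" />`. The one-token-per-user store means a second login from another device logs the first one out; keep a set of tokens per user instead if concurrent sessions are required.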