Jump to content
Washington DC Message Boards

Asp Session Id And Session Security

Guest St. Benard

Recommended Posts

Guest St. Benard

The cookie approach to session management could become a potential security problem. If an intruder were able to capture or guess the session ID cookie in use by an active session, he or she could submit valid HTTP requests that included this cookie. In this manner, an intruder could hijack, or steal, a user?s active session. For example, if a user had supplied valid credit card information, and a script in an ASP page stored this information in the Session object, an intruder who managed to hijack the session could make purchases using the stolen session. For this reason, the following built-in security measures are taken when generating ASP session cookies:


Session ID values are 32-bit long integers.

Each time the Web server is restarted, a random session ID starting value is selected.

For each new ASP session that is created, the session ID value is incremented.

The 32-bit session ID is mixed with random data and encrypted to generate a 16?character cookie string. Later, when a cookie is received, the session ID is decrypted from the 16-character cookie string.

The encryption key is randomly selected each time the Web server is restarted.

ASP session ID values are selected from a huge range and are encrypted, making it difficult to capture a valid cookie. In addition, guessing a valid cookie once does not make it easy to guess another valid cookie.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...