Guest St. Benard Posted July 10, 2004

The cookie approach to session management could become a potential security problem. If an intruder were able to capture or guess the session ID cookie in use by an active session, he or she could submit valid HTTP requests that included this cookie. In this manner, an intruder could hijack, or steal, a user's active session. For example, if a user had supplied valid credit card information, and a script in an ASP page stored this information in the Session object, an intruder who managed to hijack the session could make purchases using the stolen session.

For this reason, the following built-in security measures are taken when generating ASP session cookies:

- Session ID values are 32-bit long integers.
- Each time the Web server is restarted, a random session ID starting value is selected. For each new ASP session that is created, the session ID value is incremented.
- The 32-bit session ID is mixed with random data and encrypted to generate a 16-character cookie string. Later, when a cookie is received, the session ID is decrypted from the 16-character cookie string. The encryption key is randomly selected each time the Web server is restarted.

ASP session ID values are selected from a huge range and are encrypted, making it difficult to capture a valid cookie. In addition, guessing a valid cookie once does not make it easy to guess another valid cookie.
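Added illustration, not code from the post or from Microsoft: a hypothetical Python model of the scheme the post describes (sequential 32-bit ID, mixed with 32 random bits, encrypted under a key chosen at server start into a 16-character cookie, decrypted again on receipt). The HMAC-SHA256 Feistel network standing in for the cipher, and all class and method names, are my assumptions.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


class SessionCookieCodec:
    """Hypothetical model (assumption, not ASP's real code): a 32-bit session
    ID and 32 random bits form a 64-bit block, encrypted by an HMAC-SHA256
    Feistel network into 16 hex characters; the server decrypts it later."""

    ROUNDS = 8

    def __init__(self, key=None, start=None):
        # Key and counter start value are both re-chosen on every "restart".
        self.key = key if key is not None else os.urandom(32)
        self.next_id = start if start is not None else struct.unpack("<I", os.urandom(4))[0]

    def _round(self, i, half):
        # Keyed PRF round function, truncated to 32 bits.
        msg = bytes([i]) + half.to_bytes(4, "big")
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def encrypt(self, session_id, salt):
        left, right = session_id & MASK32, salt & MASK32
        for i in range(self.ROUNDS):
            left, right = right, left ^ self._round(i, right)
        return f"{left:08X}{right:08X}"  # 16 hex characters

    def decrypt(self, cookie):
        if len(cookie) != 16 or any(c not in "0123456789ABCDEF" for c in cookie):
            raise ValueError("malformed session cookie")
        left, right = int(cookie[:8], 16), int(cookie[8:], 16)
        for i in reversed(range(self.ROUNDS)):  # undo the rounds in reverse order
            left, right = right ^ self._round(i, left), left
        return left, right  # (session_id, salt)

    def new_session(self):
        # IDs are sequential, but the random salt and the secret key hide the
        # +1 relationship, so one known cookie does not reveal the next one.
        session_id, self.next_id = self.next_id, (self.next_id + 1) & MASK32
        salt = struct.unpack("<I", os.urandom(4))[0]
        return session_id, self.encrypt(session_id, salt)
```

Two sessions issued back to back carry IDs that differ by one, yet their cookies share no visible relationship; a cookie of the wrong shape is rejected before any decryption is attempted.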