Patterns And Practices Security Checklists


bruce barker

there are only a couple of ways to pass a session key

1) in a cookie (asp.net)
2) in the url
3) hidden field (though a url is often required for bootstrap)

you're worried about how easy it is to hijack someone's session. in all the
above techniques the session key can be discovered by a network sniffer. so
now that i have the key, how easy is it to use? a sample of a bad session key
is an incrementing number; these are easy to hijack.


-- bruce (sqlwork.com)
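
The incrementing-number key described in the post above, set beside a key drawn from the operating system's cryptographic random generator, with an audit check that flags predictable sequences. This is an added C# example, not part of the original thread; the class and method names are hypothetical and the starting counter value is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Numerics;
using System.Security.Cryptography;

// Added illustration; all names here are hypothetical, not ASP.NET APIs.
static class SessionKeyDemo
{
    static long counter = 1000; // constructed starting value

    // The bad case from the post: an incrementing number.
    static string NextSequentialKey() => (++counter).ToString(CultureInfo.InvariantCulture);

    // 128 bits from the OS CSPRNG, hex encoded: one key says nothing about the next.
    static string NextRandomKey()
    {
        var buf = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return BitConverter.ToString(buf).Replace("-", "");
    }

    // Audit check over keys in issue order: true when they form an arithmetic
    // progression (decimal or hex counter), i.e. the next key is predictable.
    static bool LooksSequential(IReadOnlyList<string> keys)
    {
        if (keys.Count < 3) return false;
        var style = keys.All(k => k.All(char.IsDigit)) ? NumberStyles.None : NumberStyles.HexNumber;
        var values = new List<BigInteger>();
        foreach (var k in keys)
        {
            // The leading "0" keeps a hex parse from being read as negative.
            if (!BigInteger.TryParse("0" + k, style, CultureInfo.InvariantCulture, out var v)) return false;
            values.Add(v);
        }
        var step = values[1] - values[0];
        for (int i = 2; i < values.Count; i++)
            if (values[i] - values[i - 1] != step) return false;
        return true;
    }

    static void Main()
    {
        var weak = Enumerable.Range(0, 5).Select(_ => NextSequentialKey()).ToList();
        var strong = Enumerable.Range(0, 5).Select(_ => NextRandomKey()).ToList();
        Console.WriteLine($"sequential: {string.Join(",", weak)} predictable={LooksSequential(weak)}");
        Console.WriteLine($"random:     {strong[0]}... predictable={LooksSequential(strong)}");
    }
}
```

An unpredictable key only removes the guessing problem; a key captured by a sniffer is still usable unless the connection carrying it is encrypted.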
 

Yan-Hong Huang[MSFT]

Hello Ali,

I noticed that you posted the same question in
microsoft.public.dotnet.framework.aspnet.security too. I have replied to you
there. If you have free time, please check my reply in that group.

If you have any more concerns on it, please feel free to post there. Thanks
very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
