Avoid session hijacking for web applications

假装没事ソ submitted on 2019-12-07 11:17:45

Question


I have read some articles about session hijacking and would like some more information related to it. Currently my web application, which is developed in ASP.NET, is using cookieless="true" mode for sessionState. We are using HTTPS, which is a secure connection that will reduce session hijacking. I know that when we use cookieless mode the session id is embedded in the URL, which can be dangerous sometimes: if a user passes this URL to somebody, the other user will be able to log in if the session is still alive. So I just want to know whether HTTPS is enough or whether I should do something more to secure my web app.


Answer 1:


HTTPS protects only from grabbing and changing data between client and server (or server and client). It can't help you if a user shares a link with friends (or hackers :) ).

As an option you can save the client IP in a session variable on session start and check on every request whether the current IP and the IP from the session are the same. This will provide a bit more security.




Answer 2:


You could end the session if the client IP changes and force them to re-login.
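Answers 1 and 2 describe the same control: record the client address when the session is created and end the session (forcing a new login) when a request presents that session id from a different address. The following Global.asax code-behind is an added example, not code from the question or either answer; the session key name `__BoundClientIp` and the use of forms authentication are assumptions made for the example.

```csharp
// Global.asax.cs (hypothetical file in the questioner's ASP.NET application)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Session key under which the client address is stored (name chosen for this example).
    private const string BoundIpKey = "__BoundClientIp";

    // Runs once, when ASP.NET creates a new session: remember the address it was created for.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session[BoundIpKey] = Request.UserHostAddress;
    }

    // Runs on every request once session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (context.Session == null)
            return;                                 // handler does not use session state

        string boundIp = context.Session[BoundIpKey] as string;
        if (boundIp == null)
            return;                                 // no address recorded yet for this session

        if (!string.Equals(boundIp, context.Request.UserHostAddress, StringComparison.Ordinal))
        {
            // The session id is being presented from a different address: treat it as hijacked.
            // Drop the server-side session, clear the auth ticket and send the user to the login page.
            context.Session.Abandon();
            FormsAuthentication.SignOut();
            context.Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
        }
    }
}
```

`Request.UserHostAddress` is the address of the TCP peer, so behind a reverse proxy every client looks the same and the check is ineffective; conversely, mobile users and users behind large NAT pools change address legitimately, so expect some false logouts. Treating this as a supplementary signal (and logging each mismatch) is more realistic than relying on it alone.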




Answer 3:


Session hijacking can happen through a number of methods. HTTPS prevents sniffing, but XSS is by far the most common attack. You can use HttpOnly cookies to prevent an XSS attack from accessing document.cookie, but then the attacker can just "ride" on the session with XMLHttpRequest (the Samy worm did this to MySpace). Speaking of session riding, you should look into CSRF. Even SQL injection can be used to hijack a session if you are storing the session id in the database, but not all web apps do this.

Use HttpOnly cookies, make sure they are HTTPS-only, and use HTTPS for everything. Don't use ASP.NET's "cookieless" sessions; this makes you vulnerable to session fixation. Session IDs should always be passed using a cookie, and never passed as GET or POST. You may want to consider using STS.
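The cookie hardening in the previous paragraph can be enforced centrally rather than at every `Response.Cookies.Add` call. The HttpModule below is an added example, not code from the answer; the module name `CookieHardeningModule` is chosen for this example, and it assumes the site is served only over HTTPS, since a `Secure` cookie is never sent back over plain HTTP.

```csharp
// Hypothetical HttpModule; register it in web.config (system.webServer/modules) so it runs for every request.
using System;
using System.Web;

public class CookieHardeningModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // EndRequest runs after the handler and after SessionStateModule has queued
        // the session-id cookie, but before the response headers are written.
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpResponse response = app.Response;

        // Every cookie queued for this response (session id, forms-auth ticket, app cookies)
        // leaves with both flags set, regardless of which code created it.
        foreach (string name in response.Cookies.AllKeys)
        {
            HttpCookie cookie = response.Cookies[name];
            cookie.HttpOnly = true;   // script cannot read it via document.cookie
            cookie.Secure = true;     // browser sends it only over HTTPS
        }
    }

    public void Dispose() { }
}
```

The same two flags can be set declaratively with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under `<system.web>`, and the answer's advice against cookieless sessions corresponds to `<sessionState cookieless="false" />` (plus `<forms requireSSL="true" />` if forms authentication is used); the module is useful when third-party code adds cookies that bypass those defaults. Note that if the application calls `Response.Flush()` before EndRequest, the headers have already gone out and the loop changes nothing for that response.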




Answer 4:


Consider also that your session id will possibly be revealed to outsiders in the HTTP_REFERER header. HTTP_REFERER will contain the URL of the last page accessed, including the session id in the URL's parameters, if a user follows a link which opens in the same browser window. That will be a problem if the link points outside your service.



Source: https://stackoverflow.com/questions/3509862/avoid-session-hijacking-for-web-applications
