I am trying to use .NET Remoting Client Activated Objects to store client authentication information across multiple calls, instead of implementing a session management system that requires the client to send a session identifier in each call. As MSDN states:
When a client sends a request to the server object using the "new" operator, an activation request message is sent to the remote application. The server then creates an instance of the requested class and returns an ObjRef back to the client application that called it.
My question is: can an anonymous client (an attacker) guess or enumerate an ObjRef and gain access to an existing object on the server?
In session-based web systems such as ASP.NET/PHP, the session identifier can be considered a reference to a session object on the server, but it is long (for example, 32 bytes), so it is impossible to attack. But what about the ObjRef in Remoting?
Update: I checked the original source; it looks like there is a URI string associated with each instance of the ObjRef class. These URIs consist of a GUID that is static per process, eighteen random bytes (in base64 form), and a counter number:
    // Identity.cs:
    // We insert the tick count, so that the uri is not 100% predictable.
    // (ie perhaps we should consider using a random number as well)
    String random = System.Convert.ToBase64String(GetRandomBytes());
    // Need to replace the '/' with '_' since '/' is not a valid uri char
    ObjURI = (IDGuidString + random.Replace('/', '_') + "_" + GetNextSeqNum() + ".rem").ToLower(CultureInfo.InvariantCulture);
I assume that at least eighteen random bytes as an identifier for each ObjRef is long enough to protect the object from a brute-force attack.
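The following is an added illustration, not the original poster's code and not the .NET Framework's Identity.cs: it rebuilds a URI with the same three parts the question describes (a per-process GUID, eighteen random bytes in base64 with '/' replaced by '_', and a sequence number, then lowercased) and measures how much of it an attacker actually has to guess. It goes one step beyond the question by showing a caveat hidden in the quoted code: the final ToLower collapses 'A'..'Z' onto 'a'..'z', so the 144 random bits shrink to 120 bits of guessing (min-)entropy. The names ObjUriEntropyDemo, RandomPart, NextObjUri and MinEntropyPerLoweredChar are assumptions for this example; RandomNumberGenerator.Fill and Math.Log2 assume .NET Core 3.0 or later.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Threading;

// Added example (hypothetical names); mirrors the structure described in the
// question, it is not the framework's own implementation.
static class ObjUriEntropyDemo
{
    // Shared by every object in the process: known to anyone who has seen one URI.
    static readonly string ProcessGuid = Guid.NewGuid().ToString("N");
    static int seqNum;   // small counter, trivially predictable

    // Eighteen CSPRNG bytes, base64-encoded, with '/' swapped for '_' as in the quoted code.
    static string RandomPart(int byteCount)
    {
        var bytes = new byte[byteCount];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes).Replace('/', '_');
    }

    // GUID + random part + "_" + counter + ".rem", lowercased like the quoted code.
    static string NextObjUri()
    {
        int n = Interlocked.Increment(ref seqNum);
        return (ProcessGuid + RandomPart(18) + "_" + n + ".rem")
               .ToLower(CultureInfo.InvariantCulture);
    }

    // Min-entropy (bits) of one base64 character after ToLower: 'A'..'Z' merge with
    // 'a'..'z', so the most likely output symbol has probability 2/64, not 1/64.
    static double MinEntropyPerLoweredChar()
    {
        const string alphabet =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+_";
        double maxProb = alphabet
            .GroupBy(c => char.ToLowerInvariant(c))
            .Max(g => g.Count() / (double)alphabet.Length);
        return -Math.Log2(maxProb);   // 5 bits
    }

    static void Main()
    {
        Console.WriteLine(NextObjUri());

        const int randomBytes = 18;
        int base64Chars = randomBytes * 8 / 6;            // 144 bits -> 24 chars, no padding
        double rawBits = randomBytes * 8;                 // 144 bits before lowering
        double loweredBits = base64Chars * MinEntropyPerLoweredChar();   // 24 * 5 = 120 bits

        Console.WriteLine($"random part before ToLower: {rawBits} bits");
        Console.WriteLine($"guessing entropy after ToLower: {loweredBits} bits");

        // Only the random part is secret: the GUID is shared by all objects of the
        // process and the counter is sequential. Expected work to hit one specific
        // object is 2^(bits-1) guesses; even at a billion requests per second that
        // is far beyond any practical attack.
        double years = Math.Pow(2, loweredBits - 1) / 1e9 / (365.25 * 24 * 3600);
        Console.WriteLine($"expected time at 1e9 guesses/s: {years:E2} years");
    }
}
```

The point to take from the numbers is that neither the GUID nor the sequence counter adds protection; the eighteen random bytes are the whole secret, and after lowercasing they are worth about 120 bits rather than 144, which is still well beyond the 24-character ASP.NET session id and far outside brute-force reach.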