Jeff Prosise's Session Hijacking Blog - Any Updates?

I want to prevent session hijacking in my ASP.NET application and stumbled upon this great post by Jeff Prosise. However, since it is from 2004, I was wondering if there are any updates that either do the same thing or cause any complications? Also, has anyone used this on a production server, and if so, were there any problems caused by it? The only problem that could affect my applications is the user's IP network changing within a short period of time, but I cannot imagine that this is very likely.

thanks

+4

2 answers

This is an interesting session hardening approach, but it does not stop session hijacking. This system has the same problem as HttpOnly cookies, which is that an attacker can make requests from the victim's browser using XSS, and therefore the attacker does not need to know the value of the session identifier.

This quote is from an article you linked to:

SecureSessionModule raises the bar for hackers who hijack sessions using stolen session identifiers

This raises the bar, but you still need to fix the XSS and CSRF vulnerabilities.

0

It's long been dead, but I noticed a problem with it that might start to affect more and more servers in the coming years. Part of the generated MAC uses the IP address, splitting it on ".", but IPv6 addresses use ":".

I do not have a production server on IPv6, but I recently updated my development machine, which now connects to Cassini over IPv6, and I very quickly ran into an endless chain of session errors.

0
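A runnable model of the failure mode described in the answer above, added here as an example (it is not the SecureSessionModule code): the MAC binds the session ID to a network prefix of the client IP and the User-Agent, an IPv4-only split on "." fails on IPv6 input, and an address-family-aware prefix avoids that. The key, the cookie separator and the prefix widths (/16 for IPv4, /64 for IPv6) are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed key for the example; a real deployment would use a per-server secret.
SERVER_KEY = b"constructed-example-key"


def ip_prefix_naive(ip: str) -> str:
    """Prefix the way a dotted-decimal-only scheme derives it: split on '.'
    and keep the first two octets. IPv6 uses ':', so the split yields a
    single element and parts[1] raises IndexError (every request then fails)."""
    parts = ip.split(".")
    return parts[0] + "." + parts[1]


def ip_prefix_safe(ip: str) -> str:
    """Address-family-aware prefix: /16 for IPv4, /64 for IPv6 (assumed policy)."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    bits = 16 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def session_mac(session_id: str, ip: str, user_agent: str, prefix_fn=ip_prefix_safe) -> str:
    """HMAC over session ID, client network prefix and User-Agent."""
    msg = "|".join([session_id, prefix_fn(ip), user_agent]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, ip: str, user_agent: str, prefix_fn=ip_prefix_safe) -> str:
    """Cookie value = session ID + '.' + MAC (assumes session IDs contain no '.')."""
    return session_id + "." + session_mac(session_id, ip, user_agent, prefix_fn)


def validate_cookie(cookie: str, ip: str, user_agent: str, prefix_fn=ip_prefix_safe) -> bool:
    """Recompute the MAC for the presenting client; reject on mismatch (constant-time)."""
    session_id, sep, mac = cookie.rpartition(".")
    if not sep:
        return False
    expected = session_mac(session_id, ip, user_agent, prefix_fn)
    return hmac.compare_digest(mac, expected)


def naive_fails_on(ip: str) -> bool:
    """True if the '.'-only prefix derivation blows up for this address."""
    try:
        ip_prefix_naive(ip)
        return False
    except IndexError:
        return True
```

With the safe prefix, a client moving within its /16 (or /64) keeps a valid cookie, while a cookie replayed from another network or with a different User-Agent is rejected.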

Source: https://habr.com/ru/post/1303298/
