From: Drew on 27 May 2008 13:12

I have been working on internal, intranet apps in the past few years, so I haven't needed to secure apps with a login/password and sessions like I did 8 or so years ago (I use Windows Auth now, which makes it easier)... Is using sessions still a practical, safe way to secure the backend of the apps? Or should I just bite the bullet and move to ASP.NET to build a secure backend?

I have researched session hijacking and there seems to be a lot of information out there about that type of attack... what are your thoughts?

Thanks,
Drew

From: Bob Barrows [MVP] on 27 May 2008 13:54

Drew wrote:
> I have been working on internal, intranet apps in the past few years,
> so I haven't needed to secure apps with a login/password and sessions
> like I did 8 or so years ago (I use Windows Auth now, which makes it
> easier)... Is using sessions still a practical, safe way to secure
> the backend of the apps?

It's as safe as the developer makes it.

> Or should I just bite the bullet and move
> to ASP.NET to build a secure backend?
>

Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of them.

> I have researched session hijacking and there seems to be a lot of
> information out there about that type of attack... what are your
> thoughts?
>

I am not sure where you are coming from (or going): ASP.Net has the same vulnerability to session-hijacking as classic ASP. It is up to the developer to properly secure the site to prevent these types of exploits. Since you've seen the information, you must have seen the steps needed to prevent these exploits.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.

From: Drew on 27 May 2008 14:04

Bob,

I was under the wrong assumption... After looking into the session variables again I see where I was screwing up.

Drew

"Bob Barrows [MVP]" <reb01501(a)NOyahoo.SPAMcom> wrote in message news:OoHZ6KCwIHA.3380(a)TK2MSFTNGP03.phx.gbl...
> Drew wrote:
>> I have been working on internal, intranet apps in the past few years,
>> so I haven't needed to secure apps with a login/password and sessions
>> like I did 8 or so years ago (I use Windows Auth now, which makes it
>> easier)... Is using sessions still a practical, safe way to secure
>> the backend of the apps?
>
> It's as safe as the developer makes it.
>
>> Or should I just bite the bullet and move
>> to ASP.NET to build a secure backend?
>>
> Huh? There are reasons to move to ASP.Net. AFAIK, this is not one of
> them.
>
>> I have researched session hijacking and there seems to be a lot of
>> information out there about that type of attack... what are your
>> thoughts?
>>
> I am not sure where you are coming from (or going): ASP.Net has the
> same vulnerability to session-hijacking as classic ASP. It is up to the
> developer to properly secure the site to prevent these types of
> exploits. Since you've seen the information, you must have seen the
> steps needed to prevent these exploits.
>
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.