- sessions are the only way to make the connection between client and server look stateful
- in fact HTTP connections are stateless
- a session can be maintained in two ways: session tokens or authentication tokens
- session token
- -session state is maintained entirely on the server
- -only the session id is stored in the cookie
- authentication token
- -session state is maintained entirely on the client, which reduces server overhead; JWT is an example
- -encrypted or signed so it cannot be tampered with undetected
- types of session attacks
- session hijacking
- -stealing a valid session cookie, e.g. by sniffing traffic in a MITM attack
- session fixation
- -finding a way to set a known session id in the victim's browser before they log in
- ASP.NET Session Management
- -client side
- -ViewState
- -hidden field
- -cookies
- -ControlState
- -query string
- -server side
- -Session
- -Application object
- -Profile properties
- Defensive Practices
- -session hijacking
- -implement SSL so cookies are encrypted in transit
- -short expiry time for the session
- -avoid cookieless sessions
- -avoid cookieless="UseUri"
- -avoid the AutoDetect cookie mode
- -avoid the UseDeviceProfile cookie mode
- -enable regenerateExpiredSessionId if cookieless sessions must be supported
- -reset the session when the user logs out
- -generate long session keys so ids cannot be guessed
- -re-authenticate before a critical function is executed
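Most of the hijacking defences above are web.config settings. As an added example (not part of the original notes), the following startup check reads the effective sessionState and httpCookies sections and fails fast when any of them is weak; the class name and the 20-minute limit are my own choices, and the HttpOnly check goes slightly beyond the list above since it is the usual companion to requireSSL. The expected config is shown in the comment for comparison.

```csharp
// Added example: enforce the cookie/session hardening from the notes at application start.
// Call SessionConfigCheck.EnforceOrFail() from Application_Start in Global.asax.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Configuration;

public static class SessionConfigCheck
{
    // web.config shapes this check distinguishes (constructed for illustration):
    //
    //   weak:
    //   <sessionState cookieless="AutoDetect" timeout="120" />
    //
    //   hardened:
    //   <sessionState mode="InProc" cookieless="UseCookies"
    //                 regenerateExpiredSessionId="true" timeout="20" />
    //   <httpCookies httpOnlyCookies="true" requireSSL="true" />

    public static IList<string> Validate()
    {
        var problems = new List<string>();

        var session = WebConfigurationManager.GetSection("system.web/sessionState") as SessionStateSection;
        if (session == null)
        {
            problems.Add("system.web/sessionState section not found");
            return problems;
        }

        // UseUri, AutoDetect and UseDeviceProfile can all put the session id in the URL,
        // where it leaks through Referer headers, logs and shared links and is easy to fix on a victim.
        if (session.Cookieless != HttpCookieMode.UseCookies)
            problems.Add("sessionState cookieless should be UseCookies, found " + session.Cookieless);

        // If cookieless sessions must remain enabled, an expired id presented in a URL must be replaced.
        if (session.Cookieless != HttpCookieMode.UseCookies && !session.RegenerateExpiredSessionId)
            problems.Add("regenerateExpiredSessionId should be true when cookieless sessions are allowed");

        // A short expiry limits how long a stolen id stays useful (20 minutes is an assumed limit).
        if (session.Timeout > TimeSpan.FromMinutes(20))
            problems.Add("sessionState timeout should be 20 minutes or less, found " + session.Timeout);

        var cookies = WebConfigurationManager.GetSection("system.web/httpCookies") as HttpCookiesSection;
        if (cookies == null || !cookies.RequireSSL)
            problems.Add("httpCookies requireSSL should be true so the session cookie is only sent over TLS");
        if (cookies == null || !cookies.HttpOnlyCookies)
            problems.Add("httpCookies httpOnlyCookies should be true so script cannot read the session cookie");

        return problems;
    }

    // Refusing to start is preferable to serving traffic with a weak session configuration.
    public static void EnforceOrFail()
    {
        var problems = Validate();
        if (problems.Count > 0)
            throw new InvalidOperationException(
                "Insecure session configuration:" + Environment.NewLine + string.Join(Environment.NewLine, problems));
    }
}
```

Validate() returns the list of findings rather than throwing so the same check can also be logged from a health endpoint; EnforceOrFail() is the strict variant for startup.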
- session fixation
- -the ASP.NET_SessionId cookie has to be removed explicitly in addition to calling Session.Abandon(), Session.RemoveAll() and Session.Clear()
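The point above is easy to get wrong: Session.Abandon() discards the server-side state but leaves the ASP.NET_SessionId cookie in the browser, so the same id is reused on the next request. As an added example (not code from the original notes), this helper covers both ends of the fixation defence: issuing a fresh session id at login so a pre-planted id is never promoted to an authenticated one, and expiring the cookie at logout. The class and method names are my own; SessionIDManager, HttpCookie and the cookie name are standard ASP.NET.

```csharp
// Added example: session id regeneration at login and full teardown at logout (ASP.NET Web Forms / MVC).
using System;
using System.Web;
using System.Web.SessionState;

public static class SessionLifecycle
{
    // Default name of the ASP.NET session cookie, as referenced in the notes above.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Call immediately after credentials are verified. The new id is written to the response cookie,
    // so any id that was already in the browser (possibly planted by an attacker) is discarded.
    // Caveat: data written to Session during this same request still belongs to the old id;
    // redirect after calling this and populate the session on the next request.
    public static string RegenerateSessionId(HttpContext context)
    {
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        return newId;
    }

    // Call on logout. Clears and abandons the server-side session, then overwrites the
    // session cookie with an already-expired one so the browser drops the old id.
    public static void TerminateSession(HttpContext context)
    {
        var session = context.Session;
        if (session != null)
        {
            session.Clear();     // remove all keys from the current session object
            session.RemoveAll(); // same effect as Clear(); both are listed in the notes
            session.Abandon();   // dispose the server-side session at the end of this request
        }

        // Expired in the past, HttpOnly, and Secure whenever the request itself came over TLS.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection
        };
        context.Response.Cookies.Add(expired);
    }
}
```

Typical use is RegenerateSessionId(HttpContext.Current) followed by a redirect in the login handler, and TerminateSession(HttpContext.Current) in the logout handler; pairing the two is what actually "resets the session when the user logs out" as the notes require.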
- Cross Site Scripting Attack (XSS)