Wrox Programmer Forums
ASP.NET 2.0 Professional
If you are an experienced ASP.NET programmer, this is the forum for your 2.0 questions. Please also see the Visual Web Developer 2005 forum.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the ASP.NET 2.0 Professional section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old January 30th, 2010, 03:41 PM
Friend of Wrox
Points: 1,749, Level: 16
Activity: 0%
 
Join Date: Jun 2007
Location: San Diego, CA, USA.
Posts: 477
Thanks: 10
Thanked 19 Times in 18 Posts
Default session state expires??

I'm trying to use session state for the first time and my initial tests have raised some concerns. I'm using cookies to store information so the session is as secure as possible, however, the information is somewhat sensitive (reservation information) and it would be very bad if someone even accidentally (much less maliciously) made a reservation that wound up on someone else's account or cancelled a reservation they had made. A critical part of the design is that the client wants the session to timeout after 5-10 minutes which I've set in the sessionState element of the application's web.config.

However, in testing I can browse to the website a few days later and pick up the original session ID. I'm building a more powerful testing harness to see exactly what kind of damage I can do with this. I located this information in MSDN on the subject.

"ASP.NET identifies sessions uniquely with each browser. By default, the unique identifier for a session is stored in a non-expiring session cookie in the browser."

Aside from the timeout attribute of the sessionState element (which I've cranked down to 5 minutes), I can't find a relevant way to affect this default behavior. I wouldn't have thought replay attacks would have been ignored by MS? How do you really expire a session??
__________________
-------------------------

Whatever you can do or dream you can, begin it. Boldness has genius, power and magic in it. Begin it now.
-Johann von Goethe

When Two Hearts Race... Both Win.
-Dove Chocolate Wrapper

Chroniclemaster1, Founder of www.EarthChronicle.com
A Growing History of our Planet, by our Planet, for our Planet.
 
Old February 4th, 2010, 09:08 PM
Friend of Wrox
Points: 4,332, Level: 27
Activity: 0%
 
Join Date: Nov 2003
Location: NJ, USA.
Posts: 1,348
Thanks: 0
Thanked 5 Times in 5 Posts
Default

You can't force a session to expire. You could store the information in an encrypted cookie and set an absolute expiration time of the cookie.
 
Old February 4th, 2010, 09:36 PM
Friend of Wrox
Points: 1,749, Level: 16
Activity: 0%
 
Join Date: Jun 2007
Location: San Diego, CA, USA.
Posts: 477
Thanks: 10
Thanked 19 Times in 18 Posts
Default

That actually explains a lot. I think I will basically take your suggestion and store it in the DB instead.

So can I ask? What is the "timeout" attribute in the sessionState element of the web.config for?? The MSDN listing is very misleading, http://msdn.microsoft.com/en-us/libr...8VS.71%29.aspx. It implies that "something" is abandoned but clearly it's not the session id, and I can flush the cache and still retrieve session data stored in the cookie after the timeout as well. That just seems so ridiculous; even the documentation talks about how expiring a session is a critical security practice. But I guess you've got to write some custom functions to get it to happen.
 
Old February 5th, 2010, 11:30 AM
Friend of Wrox
Points: 4,332, Level: 27
Activity: 0%
 
Join Date: Nov 2003
Location: NJ, USA.
Posts: 1,348
Thanks: 0
Thanked 5 Times in 5 Posts
Default

I have seen this question posted many times in many forums and trying to force a session expiration is quirky at best. I am not sure what the .NET engine does behind the scenes to do this, but you cannot rely on the session expiring. I am not sure if this has been fixed in the new versions of IIS and the .NET framework. It may be worth investigating.
 
Old February 5th, 2010, 11:43 AM
Friend of Wrox
Points: 1,749, Level: 16
Activity: 0%
 
Join Date: Jun 2007
Location: San Diego, CA, USA.
Posts: 477
Thanks: 10
Thanked 19 Times in 18 Posts
Default

I can't specifically vouch for 3.5, but for .NET 2.0 running under VWD (dev box) and IIS7 (production), the answer is definitely no. ;)

It does just flabbergast me that MSDN would be so completely misleading. I guess it's a good thing I test ALL of my specs and security for myself. I'm sure the material written at MSDN isn't lies, but it's skating a pretty fine edge. They clearly imply there are timeout values you can set and stress the importance of using them for application security. I'm trying to write my own code to do the same thing, and I'll use a session variable to persist my custom session id across multiple pages.

I may not be able to expire .NET's session, but I should have complete control over my ability to accept the custom id by giving it a datetime stamp.
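The approach the last post describes (a server-side timestamp that decides whether a presented session id is still accepted), written out as an added example rather than code from this thread: an ASP.NET 2.0 helper that enforces an idle limit and an absolute lifetime, and that also clears the ASP.NET_SessionId cookie which Session.Abandon() leaves in the browser. SessionGuard, the two limits and SessionExpired.aspx are this example's own names, not anything from the forum posts.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example, not from the thread. Call SessionGuard.Enforce(Context) from
// Application_PostAcquireRequestState in Global.asax, where Session is available.
public static class SessionGuard
{
    // Hypothetical limits: IdleLimit mirrors sessionState timeout="5"; AbsoluteLimit
    // caps how long one session may live no matter how active the user is.
    static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(5);
    static readonly TimeSpan AbsoluteLimit = TimeSpan.FromMinutes(10);
    const string CreatedKey = "__created", LastSeenKey = "__lastSeen";

    public static void Enforce(HttpContext ctx)
    {
        HttpSessionState session = ctx.Session;
        if (session == null) return;   // handler without session state (static files etc.)
        DateTime now = DateTime.UtcNow;

        // A brand-new server session arriving with an ASP.NET_SessionId cookie means the
        // browser replayed an id whose data already expired; ASP.NET reuses that id, so
        // treat it as dead and force a fresh one rather than letting the old id live on.
        bool replayedId = session.IsNewSession
            && ctx.Request.Cookies["ASP.NET_SessionId"] != null;

        object created = session[CreatedKey];
        bool expired = created != null &&
            (now - (DateTime)created > AbsoluteLimit ||
             now - (DateTime)session[LastSeenKey] > IdleLimit);

        if (replayedId || expired) { Kill(ctx); return; }

        if (created == null) session[CreatedKey] = now;   // first request of this session
        session[LastSeenKey] = now;
    }

    // Abandon() discards the server-side data but leaves the ASP.NET_SessionId cookie in
    // the browser, so the cookie is expired explicitly to stop the id being presented again.
    public static void Kill(HttpContext ctx)
    {
        ctx.Session.Abandon();
        HttpCookie dead = new HttpCookie("ASP.NET_SessionId", string.Empty);
        dead.Expires = DateTime.UtcNow.AddDays(-1);
        ctx.Response.Cookies.Add(dead);
        ctx.Response.Redirect("~/SessionExpired.aspx", true);   // hypothetical landing page
    }
}
```

The web.config timeout still governs when the server drops the session data; this helper adds the part the thread found missing, namely refusing an id the browser kept beyond that window and making the browser forget it.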