
Session and cookie management in .NET (Justin Brunelle, CS795, 6/18/2009)


1 Session and cookie management in .NET
Justin Brunelle
CS795
6/18/2009

2 Introduction to Cookies
Used to store data
– A stateful way of storing data in a stateless environment
Contain two attributes: names and values

3 Cookie Example
Creating a cookie in ASP.NET:
  HttpCookie cookie = new HttpCookie("cookieName");
  cookie.Values["ValueName1"] = "MyVal1";
  cookie.Values["ValueName2"] = "MyVal2";
  Response.Cookies.Add(cookie);   // the cookie is only sent to the browser once it is added to the response
Retrieving a cookie in ASP.NET:
  HttpCookie myCookie = Request.Cookies["cookieName"];
  if (myCookie != null)   // Request.Cookies returns null when the browser did not send the cookie
  {
      string val1 = myCookie.Values["ValueName1"];
      string val2 = myCookie.Values["ValueName2"];
  }

4 Introduction to Sessions
ASP starts a session and returns a cookie
– Automatic when using sessions on user login
– Needs cookies
Session objects contain session state data

5 Session Example
Adding data to a session object:
  Session["DataName"] = myData;
Retrieving data from a session object:
  myData = Session["DataName"];   // session values are stored as object; cast back to the stored type
Other functions: Session.IsNewSession, Session.RemoveAll, Session.SessionID

6 Sessions without Cookies
You don't have to change anything in your ASP.NET application to enable cookieless sessions, except the following configuration setting:
– Session identifiers are stored in the URL
Session information is lost between sessions with cookieless sessions
Cookieless sessions create a security issue when URLs are sent to others
http://msdn.microsoft.com/en-us/library/aa479314.aspx

7 Session Variables
Can be used to store data about the current user and his session:
  Session["FirstName"] = FirstNameTextBox.Text;
  Session["LastName"] = LastNameTextBox.Text;

8 Cookies and Security
Insecure
– Stored in text
– Can be encrypted
  Still can be read, and possibly decoded
Solution:
– Encrypt in web.config
Use timeouts to prevent theft and reuse

9 Cookie Poisoning
Cookies intercepted when sent between the server and the client
Modifying cookies to gain access to sensitive information
– Such as getting a cookie and changing the values
– Extracting passwords
Both done with a web proxy tool
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1210580,00.html

10 Prevent Cookie Poisoning
Encrypt values and sensitive information
– DES, AES, etc.

11 Prevent Cookie Poisoning
Treat cookies as untrusted sources of information
Use regular expressions and type matching to test the validity of cookies
– Use regular expressions and strict data formatting conventions in your code
– If the type stored in a cookie is known, make sure the value of the cookie can be cast to it, such as string to int, where int is the desired type
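
The validation the slide describes, as an added example that is not from the presentation: a helper that reads cookie values as untrusted input and accepts each one only when it matches the expected pattern, type and range. The cookie names ("UserName", "PageSize") and the user-name policy are assumptions for the example.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the slides: cookie values are client-controlled input,
// so each one is accepted only when it matches the type and format we expect.
public static class CookieInput
{
    // Assumed policy: user names are 3 to 32 ASCII letters, digits or underscores.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_]{3,32}$", RegexOptions.Compiled);

    // Returns the cookie's value, or null if the cookie is absent or fails the pattern.
    public static string ReadUserName(HttpCookieCollection cookies)
    {
        HttpCookie c = cookies["UserName"];   // Request.Cookies returns null when missing
        if (c == null || c.Value == null) return null;
        return UserNamePattern.IsMatch(c.Value) ? c.Value : null;
    }

    // Parses an integer cookie strictly (digits only, invariant culture) and
    // enforces a range, so "25abc", "-1" and "99999" are all rejected.
    public static bool TryReadPageSize(HttpCookieCollection cookies, out int pageSize)
    {
        pageSize = 0;
        HttpCookie c = cookies["PageSize"];
        if (c == null || c.Value == null) return false;
        return int.TryParse(c.Value, NumberStyles.None, CultureInfo.InvariantCulture, out pageSize)
               && pageSize >= 1 && pageSize <= 200;
    }
}

// Usage inside a page, falling back to safe defaults when validation fails:
//   string user = CookieInput.ReadUserName(Request.Cookies) ?? "anonymous";
//   int pageSize;
//   if (!CookieInput.TryReadPageSize(Request.Cookies, out pageSize)) pageSize = 25;
```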

12 Protection from JavaScript and Cookies
Users can mount scripting attacks by entering JavaScript into form fields
– Can be stored in cookies and read later
We can catch malicious attacks with ASP.NET request validation
– Attacks caught from Cookies, QueryString and Form posts
http://msdn.microsoft.com/en-us/library/ms972967.aspx

13 Protection from JavaScript and Cookies
– Checks all input data against a list of potentially dangerous values
– Slows performance, but only for users doing the attack
ValidateRequest="true" won't hamper your users' experience in any way
HttpRequestValidationException is thrown to signal malicious code
– Catch the error and program accordingly
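
One way to "catch the error and program accordingly", as an added example that is not from the presentation: a Global.asax code-behind whose Application_Error handler recognises the HttpRequestValidationException, logs where the rejected request came from, and returns a generic 400 instead of the default error page. The use of System.Diagnostics.Trace for logging is an assumption; substitute your own logger.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example, not from the slides: a Global.asax code-behind that catches the
// HttpRequestValidationException raised by request validation, records the
// rejected request, and returns a generic 400 instead of the default error page.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // Exceptions thrown while a page executes arrive wrapped in HttpUnhandledException.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        if (!(ex is HttpRequestValidationException))
            return;   // leave other errors to the normal error handling

        // Log where the rejected input came from, not the payload itself.
        Trace.TraceWarning("Request validation rejected {0} {1} from {2}",
            Request.HttpMethod, Request.RawUrl, Request.UserHostAddress);

        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";
        Response.Write("The request contained characters that are not allowed.");
        CompleteRequest();   // end the pipeline without the ThreadAbortException Response.End() raises
    }
}
```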

14 Alternate script injection protection
Server.HtmlEncode(string)
– Encodes the inserted script using HTML codes
– <script language="javascript">alert("hi");</script>
  becomes
– &lt;script language=&quot;javascript&quot;&gt;alert(&quot;hi&quot;);&lt;/script&gt;
– Must be careful about how we use decoded strings with this method

15 Encrypting Cookies
Use HttpSecureCookie and MachineKeyCryptography (from the CodeProject article linked below):
  HttpCookie SecureMyCookie(HttpCookie myCookie)
  {
      // Copy every attribute of the original cookie, then replace the value with its encrypted form
      HttpCookie encodedCookie = new HttpCookie(myCookie.Name, myCookie.Value);
      encodedCookie.Domain = myCookie.Domain;
      encodedCookie.Expires = myCookie.Expires;
      encodedCookie.HttpOnly = myCookie.HttpOnly;
      encodedCookie.Path = myCookie.Path;
      encodedCookie.Secure = myCookie.Secure;
      // CookieProtection.All = encrypt and sign with the machine key
      encodedCookie.Value = MachineKeyCryptography.Encode(myCookie.Value, CookieProtection.All);
      return encodedCookie;
  }
http://www.codeproject.com/KB/web-security/HttpSecureCookie.aspx

16 Encryption and Decryption
Encrypting when the cookie is issued:
  HttpCookie cookie = new HttpCookie("UserName", "Terminator");
  cookie.Expires = DateTime.Now.AddDays(1);
  HttpCookie encodedCookie = HttpSecureCookie.Encode(cookie);
  Response.Cookies.Add(encodedCookie);
Decrypting when the cookie comes back:
  HttpCookie cookie = Request.Cookies["UserName"];
  if (cookie != null)   // the browser may not have sent it
  {
      lblDisplayBefore.Text = cookie.Value;
      HttpCookie decodedCookie = HttpSecureCookie.Decode(cookie);
  }
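
The same encode/decode round trip, as an added example that is not from the presentation or the CodeProject article: it uses the framework's own MachineKey.Protect/Unprotect (available from .NET 4.5) instead of HttpSecureCookie, sets the HttpOnly and Secure flags, and treats a failed integrity check on the way back as a missing cookie. The purpose string is an assumed label for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example, not from the slides: encode/decode with MachineKey.Protect/Unprotect
// (.NET 4.5 and later). The purpose string is an assumed label that ties the
// ciphertext to this cookie, so a value protected for another purpose cannot be replayed here.
public static class ProtectedCookie
{
    private const string Purpose = "UserName cookie v1";

    public static HttpCookie Create(string name, string plainValue, TimeSpan lifetime)
    {
        byte[] protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(plainValue), Purpose);
        // UrlTokenEncode yields a cookie-safe base64 variant (no '+', '/' or '=')
        HttpCookie cookie = new HttpCookie(name, HttpServerUtility.UrlTokenEncode(protectedBytes));
        cookie.Expires = DateTime.UtcNow.Add(lifetime);
        cookie.HttpOnly = true;   // not readable through document.cookie
        cookie.Secure = true;     // only sent over HTTPS
        return cookie;
    }

    // Returns the original value, or null when the cookie is missing, malformed or
    // tampered with: Unprotect verifies a MAC before decrypting and throws on mismatch.
    public static string Read(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            byte[] raw = HttpServerUtility.UrlTokenDecode(cookie.Value);
            if (raw == null) return null;                    // not valid token base64
            byte[] plain = MachineKey.Unprotect(raw, Purpose);
            return plain == null ? null : Encoding.UTF8.GetString(plain);
        }
        catch (FormatException) { return null; }
        catch (CryptographicException) { return null; }  // MAC check failed
    }
}

// Usage, mirroring the slide:
//   Response.Cookies.Add(ProtectedCookie.Create("UserName", "Terminator", TimeSpan.FromDays(1)));
//   string user = ProtectedCookie.Read(Request.Cookies["UserName"]);   // null if tampered
```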

17 Session State in IE Tabs
Session only shared between tabs if the user opens a new tab from a tab already in the session
– State can become unstable if the user modifies the same data a different way in each tab
– User might have to log into each of the tabs

18 Resolutions
Issues with these:
– Logging in is annoying
– Can't use pop-ups to transmit data
Don't have sessions
– Hidden fields are insecure
Problem stems from the process that runs the tabs

19 Resolutions (cont'd)
Config setting: appends the session state to the URL of the new tab
  http://hostName/SamplePage/(S(asdf34qwer10asdfz))/myPage.aspx
– Gives us a new session for each tab stemming from the first session

20 IE8 Tabs
Tabs run by one process
– Tab process handles a single session for each tab
– Code from the previous slide forces a new session
Users can also select "File -> New Session"

21 Tricking ASP.NET Sessions
Normally, session cookies expire at the end of the session
We can enter JavaScript in the address bar to create our own session cookies:
  javascript:void(document.cookie="ASP.NET_SessionId=WhyDidTheChickenCrossThe;path=/")
We can set the expiration date to save the cookie and session data:
  javascript:void(document.cookie="ASP.NET_SessionId=WhyDidTheChickenCrossThe;path=/;expires=Mon, 19 Mar 2007 18:25:19 GMT");

22 Protecting Session Cookies
ASP.NET does not put login credentials in session cookies
– Mitigates the following problem slightly
Hijackers can still take session cookies and reuse them to gain access to information
Use the following to protect your cookies (drop the session cookie whenever the user is not authenticated):
  if (!Page.User.Identity.IsAuthenticated)
  {
      if (Page.Request.Cookies["ASP.NET_SessionId"] != null)
      {
          // A date far in the past tells the browser to delete the cookie
          Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-30);
      }
      Session.Abandon();   // discard the server-side session state as well
  }

23 Questions?

