
List:       owasp-dotnet
Subject:    [Owasp-dotnet] .NET and Session "Regeneration"
From:       "Nick Sanidas" <nick.sanidas () aspectsecurity ! com>
Date:       2006-08-16 19:52:41
Message-ID: B9A412898630124ABE8350F4EBD32E840CE5EE () mymail ! aspectsecurity ! com

Hello all,

I was wondering if anybody had opinions or information concerning
generating new sessions after key events in an application lifecycle,
such as authentication, switching in/out of SSL, or performing high
value transactions within the .NET platform.

In particular, .NET has no obvious equivalent of the J2EE
request.getSession(true). When performing a session "regeneration" in
J2EE, one would likely follow these steps (in one server trip):

1) extract session attributes to be carried over (including identity)
2) call session.invalidate()
3) call request.getSession(true)
4) insert attributes to be carried over into new session
5) response goes to browser, session id cookie updated by framework

These J2EE steps assume that the user identity has been saved in the
session as well.

For .NET (with Forms authentication and an auth cookie), one would have to
follow a different scenario involving an extra interaction with the
browser (to expire the session id cookie):

1) extract session attributes to be carried over
2) persist extracted attributes in temp storage (db for example)
   based on user identity
3) call Session.Abandon()
4) manually expire the .NET Session ID cookie in the response
5) response goes to browser
6) upon next request (sans session id) framework generates new
   session and session id
7) use auth cookie to get identity to extract session attributes
   from temp storage
8) insert attributes to be carried over into new session
9) response goes to browser, along with session id

Any thoughts or comments? In .NET 2.0, there is a SessionStateUtility
class, but it is not trivial to use (and likely dangerous).

Thanks in advance for any advice or comments.

Nick
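As an added example that is not part of Nick's post, the following shows one way to carry out the nine-step .NET scenario above in classic ASP.NET (System.Web) with Forms authentication and cookie-based session state. The class and method names (SessionRegenerator, Begin, Restore, LoginFlow), the use of HttpContext.Cache as the temporary store (the post suggests a database, which is what a web farm would need), the two-minute handoff lifetime, the "Cart" attribute and the assumption that the default ASP.NET_SessionId cookie name is in use are all assumptions of this example, not something the post or the framework prescribes.

```csharp
// Added example, not code from the original post. Assumes classic ASP.NET
// (System.Web) with Forms authentication and cookie-based session state.
// Assumptions: the class/method names below, the default "ASP.NET_SessionId"
// cookie name, and HttpContext.Cache as a single-server temporary store.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public static class SessionRegenerator
{
    // Must match <sessionState cookieName="..."/> in web.config if that was changed.
    private const string SessionCookieName = "ASP.NET_SessionId";
    private const string HandoffPrefix = "session-handoff:";
    // Parked attributes are only needed by the very next request; keep the window short.
    private static readonly TimeSpan HandoffTtl = TimeSpan.FromMinutes(2);

    // Steps 1-5 of the scenario: run in the request that performs the key event
    // (login, SSL switch, high-value transaction) once the identity is known.
    // identityName is passed in explicitly because on the login request itself
    // FormsAuthentication.SetAuthCookie() does not update Context.User.
    public static void Begin(HttpContext ctx, string identityName, params string[] keysToCarry)
    {
        if (string.IsNullOrEmpty(identityName))
            throw new ArgumentException("Regeneration needs an authenticated identity.", "identityName");

        // Step 1: extract only the attributes that should survive the regeneration.
        var carried = new Dictionary<string, object>();
        foreach (string key in keysToCarry)
        {
            object value = ctx.Session[key];
            if (value != null) carried[key] = value;
        }

        // Step 2: persist them keyed on identity with a short absolute expiry.
        // A database row does the same job across a web farm; the cache is per server.
        ctx.Cache.Insert(HandoffPrefix + identityName, carried, null,
                         DateTime.UtcNow.Add(HandoffTtl), Cache.NoSlidingExpiration);

        // Step 3: throw away the old server-side session state.
        ctx.Session.Abandon();

        // Step 4: expire the session id cookie so the next request arrives without one
        // and the framework mints a fresh id instead of reusing the pre-event one.
        var expired = new HttpCookie(SessionCookieName, string.Empty);
        expired.Expires = DateTime.UtcNow.AddYears(-1);
        expired.HttpOnly = true;
        ctx.Response.Cookies.Add(expired);
        // Step 5: the caller now sends the response, e.g. via Response.Redirect.
    }

    // Steps 6-8: call from Session_Start in Global.asax. By then the framework has
    // created the new session (step 6) and FormsAuthenticationModule has already
    // populated Context.User from the auth cookie (step 7).
    public static bool Restore(HttpContext ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return false;

        // Single use: remove the entry as it is read so a later new session cannot replay it.
        var carried = ctx.Cache.Remove(HandoffPrefix + ctx.User.Identity.Name)
                      as Dictionary<string, object>;
        if (carried == null) return false;

        // Step 8: insert the carried attributes into the new session.
        foreach (KeyValuePair<string, object> kv in carried)
            ctx.Session[kv.Key] = kv.Value;
        return true;
    }
}

// Wiring (Global.asax.cs): Session_Start fires once per newly created session.
public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        SessionRegenerator.Restore(Context);
    }
}

// Login handler sketch: after credentials have been verified by the app's own
// logic, issue the Forms ticket, then regenerate. "Cart" is a placeholder key.
public static class LoginFlow
{
    public static void OnValidCredentials(HttpContext ctx, string userName)
    {
        FormsAuthentication.SetAuthCookie(userName, false);
        SessionRegenerator.Begin(ctx, userName, "Cart");
        // Step 5/9: the redirect is the extra browser round trip the post describes.
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), false);
    }
}
```

Two practical notes. The redirect target must be a page that uses session state, otherwise no new session is created and the parked attributes expire unread. The handoff is keyed only on the account name, so two regenerations for the same account within the two-minute window could cross; storing a per-handoff random token in the Forms ticket's UserData and keying on that would close that gap. On .NET 2.0 the hand-built expiry cookie in step 4 can also be replaced by System.Web.SessionState.SessionIDManager.RemoveSessionID(HttpContext), which removes the session id cookie for you.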

 

 



_______________________________________________
Owasp-dotnet mailing list
Owasp-dotnet@lists.owasp.org
http://lists.owasp.org/mailman/listinfo/owasp-dotnet
