
I'm looking to prevent session hijacking in my ASP.NET application and came across this great post by Jeff Prosise. However, it's from 2004 and I was wondering if there have been any updates that either perform the same thing, or result in any complications? Also, has anyone used this on a production server and, if so, have there been any issues caused by this? The only problem that could affect my applications is if someone's IP network changes in a short period of time, but I can't imagine this being very likely.

Thanks

keyboardP

2 Answers


This is an interesting approach to session hardening, but it does not stop session hijacking. This system has the same problem as HttpOnly cookies, which is that an attacker can create requests from the victim's browser using XSS, and therefore the attacker doesn't need to know the value of the session ID.

This quote is taken from the article you linked to:

SecureSessionModule raises the bar for hackers who hijack sessions using stolen session IDs

This raises the bar, but you still need to patch your XSS and CSRF vulnerabilities.

rook


This is long dead but I have noticed a problem with it that will possibly start affecting more and more servers in the coming years. Part of the MAC that's generated uses the IP address, splitting on the ".", but IPv6 addresses use ":".

I don't have a production server on IPv6 but I've recently upgraded my development machine which is connecting to Cassini via IPv6 and I very quickly get into a non-stop string of session errors.

Chao
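A worked illustration of both answers above, added here and not code from the question, the answers, or Prosise's SecureSessionModule (which is an ASP.NET HTTP module in C#; Python is used so the logic can be run stand-alone). It assumes, as the page summarizes the article, that the MAC covers the session ID, the client's network prefix (first two octets of an IPv4 address) and the User-Agent under a server secret; the secret, the cookie separator, the /48 chosen for IPv6 and the documentation addresses used as sample requests are all constructed for this example. It shows the "."-splitting prefix extraction failing on an IPv6 address the way Chao describes, a version-aware replacement, and why a request issued from the victim's own browser (rook's XSS point) still validates.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical server secret (an assumption of this example); a real deployment
# loads it from protected configuration rather than hard-coding it.
SECRET_KEY = b"example-secret-key-do-not-use"
COOKIE_SEP = "."


def network_prefix_v4_only(remote_addr: str) -> str:
    """Prefix extraction in the style Chao describes: split on '.' and keep the
    first two octets. '2001:db8::1' contains no '.', so parts[1] raises
    IndexError and every request on an IPv6 connection fails validation.
    Note also that an IPv4-mapped address ('::ffff:203.0.113.42') does not
    raise but yields '::ffff:203.0', a different prefix from '203.0', so the
    same client gets a different MAC depending on which socket served it."""
    parts = remote_addr.split(".")
    return parts[0] + "." + parts[1]


def network_prefix(remote_addr: str, v4_bits: int = 16, v6_bits: int = 48) -> str:
    """Version-aware replacement. IPv4 keeps the first two octets (/16) as
    before; for IPv6 a /48 is used as the per-site analogue (an assumption,
    tune it to your deployment). IPv4-mapped IPv6 addresses, which dual-stack
    listeners commonly report, are normalised back to IPv4 so a client keeps
    one prefix whichever address family carried the request."""
    addr = ipaddress.ip_address(remote_addr)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    bits = v4_bits if addr.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def compute_mac(session_id, remote_addr, user_agent, prefix_fn=network_prefix):
    """HMAC-SHA256 over session ID, client network prefix and User-Agent."""
    msg = "|".join((session_id, prefix_fn(remote_addr), user_agent)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id, remote_addr, user_agent, prefix_fn=network_prefix):
    """Cookie value sent to the client: session ID with the MAC appended."""
    mac = compute_mac(session_id, remote_addr, user_agent, prefix_fn)
    return session_id + COOKIE_SEP + mac


def validate_cookie(cookie, remote_addr, user_agent, prefix_fn=network_prefix):
    """Recompute the MAC for the requesting client and compare in constant time.
    A cookie replayed from a different network or User-Agent fails; a request
    made by script running in the victim's browser carries the victim's prefix
    and User-Agent and therefore passes, which is why this does not stop XSS."""
    session_id, sep, mac = cookie.rpartition(COOKIE_SEP)
    if not sep:
        return False
    expected = compute_mac(session_id, remote_addr, user_agent, prefix_fn)
    return hmac.compare_digest(mac, expected)


def legacy_prefix_breaks_on(remote_addr: str) -> bool:
    """True if the '.'-splitting extraction cannot handle this address."""
    try:
        network_prefix_v4_only(remote_addr)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests using documentation addresses.
    victim_ip, victim_ua = "203.0.113.42", "Mozilla/5.0 (constructed UA)"
    cookie = issue_cookie("sess01", victim_ip, victim_ua)
    print("victim, same browser       :", validate_cookie(cookie, victim_ip, victim_ua))
    print("victim, new IP in same /16 :", validate_cookie(cookie, "203.0.113.99", victim_ua))
    print("attacker, other network    :", validate_cookie(cookie, "198.51.100.7", victim_ua))
    print("attacker, victim IP, curl  :", validate_cookie(cookie, victim_ip, "curl/8.0"))
    print("IPv6 breaks '.'-split      :", legacy_prefix_breaks_on("2001:db8::1"))
    print("IPv6 prefix, version-aware :", network_prefix("2001:db8:1234:5678::1"))
```

The second line of the demo is the caveat from the question: a client whose address changes within the same /16 keeps its session, while a move to another network invalidates it. The IPv6 line is Chao's failure mode reproduced, and the version-aware `network_prefix` is one way to keep the scheme working on dual-stack servers.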