Solved

How do I make MS IIS server (classic ASP) to create random sessionIDs?

Posted on 2009-07-07
Last Modified: 2012-05-07
Hi, I am told that it's a good security thing to make IIS create random session IDs, but I cannot see anywhere how to make it do so?
Question by:loopstudio
23 Comments
 
LVL 11

Expert Comment

by:Sven
There is no such option for this in IIS, at least for Classic ASP.
You could do this only if you replace IIS session management by storing the sessions within a database.

http://www.devarticles.com/c/a/ASP/Session-Replacement-in-ASP/

Author Comment

by:loopstudio
A security guy told me that it should be possible in IIS 6!

I just don't know how to activate it, as it doesn't seem to work?
LVL 5

Expert Comment

by:rgc6789
Is there some reason why you can't use session.SessionID?
LVL 12

Expert Comment

by:R_Harrison
Are you sure you are checking the right thing? Session.SessionID is not what you should be looking at for session hijacking purposes. Try the following to show the info you need to check.

<%=Request.ServerVariables("HTTP_COOKIE")%>

Then look for the part that starts with ASPSESSIONID - this is the real session ID that is passed in the HTTP headers and can be used to exploit session hijacking.
LVL 12

Expert Comment

by:R_Harrison
Forgot to say, you may need to refresh the page to show the value, as the value is sent back to your browser but the code runs on the server. Refreshing again and again should then show you the same ASPSESSIONID value, as your browser keeps telling the server its session value.

Hope you understand the above.
LVL 5

Expert Comment

by:rgc6789
R_Harrison:

There are a couple of ways to secure the session ID, but it really depends upon the use. If it's a login site to download a whitepaper, for instance, then session hijacking is not really a concern. If, however, we are talking about a banking website, that's a different animal.

I should have asked my question better above, so let's try this. What will you be using the SessionID for? What kind of website is it? Will it be used internally or externally or both? Is there a reason you don't want to use SessionID, such as security?
LVL 12

Expert Comment

by:R_Harrison
rgc6789

Sorry, I dealt with his previous question, so I knew the background. I am aware of all the security issues as I specialise in this field. I have already mentioned things like XSS, SQL injection, session hijacking (hence this question) etc. in his previous questions.

Of course security is always relative and never an absolute.


LVL 5

Expert Comment

by:rgc6789
No problem. I felt I was missing something here - out in the cold!

Author Comment

by:loopstudio
Both of you: it's because of security reasons. I want it to be secure!

So, IS the standard built-in session secure? And/or is it ONLY secure if it's random? And does it have to be random in Session.SessionID or in the <%=Request.ServerVariables("HTTP_COOKIE")%>?

And if it's NOT secure, should I then make my own session ID system?
LVL 5

Expert Comment

by:rgc6789
Sorry, but it just isn't that simple. I have been developing e-commerce sites for over 12 years. The answer to your question is: what are you trying to secure? Some of my clients, for instance, save credit card information for use later on for monthly billing, etc. For those clients I use a mixture of custom and non-custom: self-encrypting certain info and keeping all session info within SSL. Of course I never store password info or credit card info in the session.

However, most of my clients don't store sensitive info, and we don't put anything in the session that would be sensitive, so I'm not as concerned.

That said, yes, you can develop your own way of creating random session IDs. You can also use methods such as appending the IP address to the session ID and verifying it that way. It would look like 12345678901|1.1.1.1. You can then verify not only the session ID but the IP.
LVL 12

Expert Comment

by:R_Harrison
Sessions themselves are generally secure. The main issue with session security is session hijacking; however, as long as you prevent cross-site scripting (XSS) and your server is generating random "HTTP_COOKIE" ASPSESSIONIDs, then your exposure to session hijacking is very limited. If you are still concerned, adding a Session("IPAddress") which stores the IP address and checking this will reduce the threat of session hijacking even further.

Sessions are particularly good for security as they do not pass the data back and forth between the browser and server (unless you program it to), which means the data stored in them is impossible to intercept through packet sniffing.

Below is a brief explanation of how sessions work which may help you understand all the comments...

When a browser connects to your server, your server looks for the ASPSESSIONID in the HTTP headers (HTTP_COOKIE). If it is not present, when it sends the webpage to the browser it includes an ASPSESSIONID which the browser will then include in every subsequent page request in that browser session (there are some exceptions here but don't worry about them).

When your server finds an ASPSESSIONID in the HTTP headers, it uses this to look up the Session.SessionID value and all other values stored against the session using the Session() command.

--- The weakness is that since 'hackers' can look at the HTTP headers, when they connect to your webserver they will see it sends out an ASPSESSIONID which the browser will use in subsequent page requests. Therefore they can start requesting pages and inserting ASPSESSIONID values; if your server finds a matching value then it will respond applying all the Session() values stored against that ASPSESSIONID. The problem for the hacker is there are billions and trillions of combinations for ASPSESSIONIDs, so they are almost impossible to guess.

Some old servers used to issue the HTTP_COOKIE ASPSESSIONID in a known order, therefore a hacker could visit your website, look at what ASPSESSIONID they were issued and work out what the last few or the next few would be. This DOES NOT apply to IIS6.

Since almost all servers have fixed this security issue, hackers started using XSS to get access to the ASPSESSIONIDs. Read my article on EE about XSS hacking for details on how this is done and how to prevent it.

http://www.experts-exchange.com/articles/Internet/Web_Development/Preventing-Cross-Site-Scripting-XSS-1.html

If you are looking to store sensitive information long term, then obviously sessions are of no use as sessions are timed out after 20 minutes of inactivity (by default). Therefore it is recommended you store this information in an encrypted state inside a database located in a DMZ. Thus if anybody hacks your server or database they can only retrieve encrypted info.

If you need anything further let me know.
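The mechanism R_Harrison describes above (the server hands out an unguessable ASPSESSIONID, looks it up on every request, and optionally binds it to the client's IP), together with Sven's "replace IIS session management with your own store", as an added example in Python. This is not code from the thread or from IIS: the in-memory table stands in for a database, the cookie name and the 20-minute idle timeout mirror the IIS defaults, and the IP addresses are constructed for the demonstration.

```python
import secrets
import time

# Added example, not from the thread: an in-memory stand-in for a database
# backed session replacement, with the Session("IPAddress") style check.
COOKIE_NAME = "ASPSESSIONID"
SESSION_TTL = 20 * 60  # classic ASP default: 20 minutes of inactivity


class SessionStore:
    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised deterministically

    def create(self, client_ip):
        # 128 bits from the OS CSPRNG: unlike a counter-derived ID, a client who
        # has seen their own cookie learns nothing about anyone else's.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"ip": client_ip, "data": {}, "last_seen": self._clock()}
        return sid

    def lookup(self, sid, client_ip):
        """Return the session's data dict, or None when the ID is unknown,
        idle longer than the TTL, or presented from an IP other than the one
        it was issued to."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._ttl:
            del self._sessions[sid]
            return None
        if s["ip"] != client_ip:
            # The IP binding from the thread: a cookie stolen via XSS and
            # replayed from another address does not get the session.
            return None
        s["last_seen"] = now
        return s["data"]

    def set_cookie_header(self, sid):
        # Secure because the asker serves the whole site over SSL; HttpOnly
        # keeps page script from reading the cookie, which XSS-based theft needs.
        return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly"


def hijack_demo(store=None):
    """Victim logs in from one address; the same cookie is replayed from another."""
    store = store or SessionStore()
    sid = store.create("10.0.0.5")
    store.lookup(sid, "10.0.0.5")["user"] = "alice"        # victim's own request
    victim_view = store.lookup(sid, "10.0.0.5")
    attacker_view = store.lookup(sid, "203.0.113.9")       # same cookie, other IP
    guessed_view = store.lookup("0" * 32, "203.0.113.9")   # an ID nobody was issued
    return victim_view, attacker_view, guessed_view


if __name__ == "__main__":
    print(hijack_demo())
```

The IP check has the cost rgc6789 and R_Harrison do not mention: users behind load-balanced proxies or on mobile networks change address mid-session and get logged out, so treat a mismatch as "re-authenticate" rather than as proof of attack.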

Author Comment

by:loopstudio
rcg:
Here is some info:
I don't store credit card info. But I do have a shop site and accounts.
The WHOLE site is SSL encrypted! Does this help against session hijacking?

Author Comment

by:loopstudio
rcg:
Also interesting with the IP check idea.
I guess you then have to save the user's IP when he logs in, and then just check both session and IP in important programs?
But does it matter if the IP and the session var are "in the same" value? Would you then save it in your own session cookie? Or in 2 different cookies? Or check the IP from a DB call?
LVL 5

Expert Comment

by:rgc6789
I think you are plenty safe from hijacking if you are on IIS 6.0 or 7. The bigger concern here is cross-site scripting and SQL injection, IMHO. See R_Harrison's link on XSS and also do some research on SQL injection. There are a number of ways to protect against SQL injection, but the biggest in my opinion is the use of stored procedures and not embedding SQL in your ASP/ASP.NET code. But that's a different conversation.

Author Comment

by:loopstudio
Hi R_Harrison,
Again, thanks a lot, I really appreciate both your help and your detailed description of sessions.
I don't store sensitive information in the session with the Session() command. But of course I verify the user on all pages by a check against a Session("somevalue") var. If it doesn't match he has to log in.

I will now check what you said about checking the right session ID for random IDs.
The last part about storing "this" information in a DMZ: I don't know what you are talking about. What is "this" information? And the DMZ?

I DO have:
XSS prevention
SSL encryption of the whole website
SQL injection prevention
IIS6

Author Comment

by:loopstudio
rgc: What is IMHO?
LVL 5

Expert Comment

by:rgc6789
In My Humble Opinion!

Author Comment

by:loopstudio
R_Harrison,

I can now see that the HTTP_COOKIE ASPSESSIONID "IS" random, and that Session.SessionID ISN'T.

So does that mean I HAVE random sessions? And the security is all fine?
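"Looks random" from a few refreshes is a weak check; what R_Harrison warned about was servers issuing IDs in a known order, which only shows up when you compare many consecutive cookies. As an added example, not from the thread, here is a Python script a pentester would run over a batch of captured ASPSESSIONID values: it decodes the 24-letter value as a base-26 number and flags batches where each ID sits close to the previous one, and it sums the per-position Shannon entropy so a counter that only varies in its last letters stands out. The two sample batches are constructed (one a stepping counter, one drawn from the CSPRNG); the 24-upper-case-letter format is an assumption about the cookie value.

```python
import math
import secrets
import string
from collections import Counter

# Added example, not from the thread: checks a batch of session IDs for the
# failure mode R_Harrison describes (IDs issued in a known order) and for
# too little variation to be hard to guess.
ALPHABET = string.ascii_uppercase
ID_LEN = 24  # assumption: ASPSESSIONID cookie values are 24 upper-case letters


def decode_base26(sid):
    """Treat the letters as digits of a base-26 number."""
    value = 0
    for ch in sid:
        value = value * 26 + ALPHABET.index(ch)
    return value


def encode_base26(value, width=ID_LEN):
    chars = []
    for _ in range(width):
        value, rem = divmod(value, 26)
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))


def consecutive_deltas(ids):
    nums = [decode_base26(s) for s in ids]
    return [b - a for a, b in zip(nums, nums[1:])]


def looks_predictable(ids, window=2 ** 20):
    """True when every ID lies within `window` of the one issued before it,
    i.e. someone holding one cookie could enumerate its neighbours."""
    return all(abs(d) < window for d in consecutive_deltas(ids))


def position_entropy_bits(ids):
    """Shannon entropy of each character position, summed over positions.
    Random 24-letter IDs approach 24*log2(26) = 112.8 bits as the sample
    grows; a counter varies only in its last few positions."""
    n = len(ids)
    total = 0.0
    for pos in range(len(ids[0])):
        counts = Counter(s[pos] for s in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def assess(ids):
    return {
        "count": len(ids),
        "all_unique": len(set(ids)) == len(ids),
        "predictable": looks_predictable(ids),
        "entropy_bits": round(position_entropy_bits(ids), 1),
    }


# Constructed sample batches standing in for cookies captured over many requests.
def counter_ids(n=50, step=7, start="ASPSESSIONIDLOOKSNOTRAND"):
    """What a server issuing IDs 'in a known order' would hand out."""
    base = decode_base26(start)
    return [encode_base26(base + i * step) for i in range(n)]


def random_ids(n=50):
    """IIS 6 style: every letter drawn from the CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(ID_LEN)) for _ in range(n)]


if __name__ == "__main__":
    print("counter:", assess(counter_ids()))
    print("random: ", assess(random_ids()))
```

A batch of a few hundred IDs collected with the `Request.ServerVariables("HTTP_COOKIE")` trick from earlier in the thread (each from a fresh browser session, so the server issues a new one) is enough for the predictability check; the entropy estimate needs more samples before it approaches the theoretical maximum, so read it relative to the counter batch rather than as an absolute figure.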

Author Comment

by:loopstudio
And also to Harrison:
Could I get you to take a look at the comments I have made on the first issue:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_24430610.html#discussion

Thanks in advance :)
LVL 12

Accepted Solution

by:
R_Harrison earned 125 total points
If you have a random HTTP_COOKIE ASPSESSIONID that is fine and correct.

Regarding the XSS in your other question, the article I wrote http://www.experts-exchange.com/articles/Internet/Web_Development/Preventing-Cross-Site-Scripting-XSS-1.html contains examples of XSS code, some using only brackets, etc., so you can see the importance of replacing '<', '>' and '(' ')'. Also remember if you use REQUEST or other data that has not been 'cleaned' inside a tag, e.g. <img src="abc.asp?a=<%=REQUEST("IMAGENAME")%>">, then a hacker can easily insert XSS by using the following as the value for IMAGENAME.

1" onMouseOver="alert('some nasty xss code be here')"

As you can see no '<' or '>' are in the XSS code but it will still run.
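The attribute-context payload in the accepted solution, run through two filters and then through an HTML parser so you can see exactly which attributes the browser would end up with. This is an added Python example, not code from the thread: the template and payload follow R_Harrison's (the payload's trailing quote is supplied by the template here), `bracket_only_filter` mimics a filter that only touches < > ( ), and `attribute_safe` is my own escaping using the standard library. The point it demonstrates beyond the text is that entity-encoding the parentheses does not help inside an attribute, because the parser decodes `&#40;` back to `(` before the event handler ever runs; only escaping the quote keeps the value inside the attribute.

```python
import html
from html.parser import HTMLParser

# Added example, not from the thread: the accepted solution's attribute
# payload against a bracket-only filter and against real attribute escaping.
TEMPLATE = '<img src="abc.asp?a={}">'
PAYLOAD = '1" onMouseOver="alert(1)'  # the template supplies the closing quote


def bracket_only_filter(value):
    """Neutralises < > ( ) only; quotes pass through untouched."""
    return (value.replace("<", "&lt;").replace(">", "&gt;")
                 .replace("(", "&#40;").replace(")", "&#41;"))


def attribute_safe(value):
    """Escapes & < > \" ' so the value cannot close the attribute it sits in."""
    return html.escape(value, quote=True)


class _ImgAttrs(HTMLParser):
    """Collects the (name, value) attributes the parser assigns to <img>."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.extend(attrs)


def rendered_img_attrs(value, sanitizer):
    """Return (html, parsed img attributes) for the template with value inserted.
    Attribute values come back entity-decoded, as a browser would see them."""
    page = TEMPLATE.format(sanitizer(value))
    parser = _ImgAttrs()
    parser.feed(page)
    parser.close()
    return page, parser.attrs


if __name__ == "__main__":
    for name, fn in (("bracket only", bracket_only_filter), ("attribute safe", attribute_safe)):
        page, attrs = rendered_img_attrs(PAYLOAD, fn)
        print(f"{name}: {page}\n  -> {attrs}")
```

With the bracket-only filter the parser reports a second attribute, `onmouseover` with the value `alert(1)`, even though the markup contained `alert&#40;1&#41;`; with attribute escaping there is only `src`, whose value happens to contain the attacker's text harmlessly. In classic ASP, `Server.HTMLEncode` performs the quote-aware escaping that `html.escape` does here.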

Author Comment

by:loopstudio
What if, instead of removing the "()<>" characters, I change them to the respective "%something" codes?
Will they then be a threat?
LVL 12

Expert Comment

by:R_Harrison
I use the function below; it swaps the <>() with the equivalent &lt; &gt; &#40; &#41; so it displays correctly on screen but will not run in a browser.

Copy the function on to your page, then simply

response.write(MakeSafe(yourstring))

<%
' Escape a value before writing it into an HTML page. The ampersand is
' replaced first so the entities introduced below are not double-encoded.
' Double and single quotes are escaped as well: without that, the
' 1" onMouseOver="..." payload shown earlier would still break out of an
' attribute value even though it contains no < or >. A Null value (e.g. a
' missing request parameter) returns an empty string instead of Empty.
Function MakeSafe(PassedValue)
	If IsNull(PassedValue) Then
		MakeSafe = ""
	Else
		MakeSafe = Replace(PassedValue, "&", "&amp;")
		MakeSafe = Replace(MakeSafe, "<", "&lt;")
		MakeSafe = Replace(MakeSafe, ">", "&gt;")
		MakeSafe = Replace(MakeSafe, """", "&quot;")
		MakeSafe = Replace(MakeSafe, "'", "&#39;")
		MakeSafe = Replace(MakeSafe, "(", "&#40;")
		MakeSafe = Replace(MakeSafe, ")", "&#41;")
	End If
End Function
%>
