Solved

How do I make MS IIS server (classic ASP) to create random sessionIDs?

Posted on 2009-07-07
23
941 Views
Last Modified: 2012-05-07
Hi, I am told that it's a good security thing to make IIS create random sessionIDs, but I cannot see anywhere how to make it do so?
0
Question by:loopstudio
23 Comments
 
LVL 11

Expert Comment

by:Sven
ID: 24794014
There is no such option for this in IIS. At least for Classic ASP.
You could do this only if you replace IIS session management by storing the sessions within a database.

http://www.devarticles.com/c/a/ASP/Session-Replacement-in-ASP/
0
 

Author Comment

by:loopstudio
ID: 24794273
A security-guy told me that it should be possible in IIS 6 !

I just don't know how to activate it.. as it doesn't seem to work..?
0
 
LVL 5

Expert Comment

by:rgc6789
ID: 24795896
Is there some reason why you can't use session.SessionID?
0
 
LVL 12

Expert Comment

by:R_Harrison
ID: 24796167
Are you sure you are checking the right thing?    Session.SessionID is not what you should be looking at for Session Hijacking purposes.    Try the following to show the info you need to check.

<%=Request.ServerVariables("HTTP_COOKIE")%>

Then look for the bit that starts ASPSESSIONID - this is the real sessionid that is passed in the HTTP headers and can be used to exploit session hijacking.
0
 
LVL 12

Expert Comment

by:R_Harrison
ID: 24796200
Forgot to say, you may need to refresh the page to show the value as the value is sent back to your browser but the code runs on the server.   Refreshing again and again should then show you the same ASPSESSIONID value as your browser keeps telling the server its session value.

Hope you understand the above.
0
 
LVL 5

Expert Comment

by:rgc6789
ID: 24796293
R_Harrison:

There are a couple of ways to secure sessionid, but it really depends upon the use. If it's a login site to download a whitepaper for instance, then Session Hijacking is not really a concern. If, however, we are talking about a banking website, that's a different animal.

I should have asked my question better than above, so let's try this. What will you be using the SessionID for? What kind of website is it? Will it be used internally or externally or both? Is there a reason you don't want to use SessionID, such as security?
0
 
LVL 12

Expert Comment

by:R_Harrison
ID: 24796404
rgc6789

Sorry, I dealt with his previous question, so I knew the background.   I am aware of all the security issues as I specialise in this field.   I have already mentioned things like XSS, SQL Injection, Session Hijacking (hence this question) etc in his previous questions.

Of course security is always relative and never an absolute.


0
 
LVL 5

Expert Comment

by:rgc6789
ID: 24796463
No problem. I felt I was missing something here - out in the cold!
0
 

Author Comment

by:loopstudio
ID: 24806462
both of You..: its because of security reasons.. I want it to be secure!

So.. IS the standard built-in session secure? And/or is it ONLY secure if it's random? And does it have to be random in the session.sessionID or in the <%=Request.ServerVariables("HTTP_COOKIE")%> ?

And if its NOT secure, should I then make my own session-ID system?
0
 
LVL 5

Expert Comment

by:rgc6789
ID: 24806540
Sorry, but it just isn't that simple. I have been developing e-commerce sites for over 12 years. The answer to your question is: what are you trying to secure? Some of my clients, for instance, save credit card information for use later on monthly billing, etc. For those clients I use a mixture of custom and non-custom: self-encrypting certain info and keeping all session info within SSL. Of course I never store password info or credit card info in the session.

However, most of my clients don't store sensitive info, and we don't put anything in the session that would be sensitive, so I'm not as concerned.

That said, yes, you can develop your own way of creating random sessionid's. You can also use methods such as appending the IP address to the sessionid and verifying it that way. It would look like 12345678901|1.1.1.1. You can then verify not only the sessionid but the IP.
0
 
LVL 12

Expert Comment

by:R_Harrison
ID: 24807484
Sessions themselves are generally secure - the main issue with session security is session hijacking - however as long as you prevent cross-site scripting (XSS) and your server is generating random "HTTP_COOKIE" ASPSESSIONIDS then your exposure to session hijacking is very limited.  If you are still concerned adding a Session("IPAddress") which stores the IP address and checking this will reduce the threat of session hijacking even further.

Sessions are particularly good for security as they do not pass the data back and forth between the browser and server (unless you programme it to), which means the data stored in them is impossible to intercept through packet sniffing.

Below is a brief explanation of how sessions work which may help you understand all the comments...

When a browser connects to your server, your server looks for the ASPSESSIONID in the HTTP headers - HTTP_COOKIE - if it is not present when it sends the webpage to the server it includes an ASPSESSIONID which the browser will then include in every subsequent page request in that browser session (there are some exceptions here but don't worry about them).

When your server finds an ASPSESSIONID in the HTTP headers, it uses this to lookup the SESSION.SESSIONID value and all other values stored against the session using the Session() command.

The weakness is that since 'hackers' can look at the HTTP headers, when they connect to your webserver they will see it sends out an ASPSESSIONID which the browser will use in subsequent page requests.    Therefore they can start requesting pages and inserting ASPSESSIONID values; if your server finds a matching value then it will respond applying all the Session() values stored against the ASPSESSIONID.     The problem for the hacker is there are billions and trillions of combinations for ASPSESSIONIDs so they are almost impossible to guess.

Some old servers used to issue the HTTP_COOKIE ASPSESSIONID in a known order, therefore a hacker could visit your website, look at what ASPSESSIONID they were issued and work out what the last few or the next few would be.    This DOES NOT apply to IIS6.

Since almost all servers have fixed this security issue, hackers started using XSS to get access to the ASPSESSIONID's.   Read my article on EE about XSS hacking for details on how this is done and how to prevent it.

http://www.experts-exchange.com/articles/Internet/Web_Development/Preventing-Cross-Site-Scripting-XSS-1.html

If you are looking to store sensitive information long term, then obviously sessions are of no use as sessions are timed out after 20 mins of inactivity (by default).  Therefore it is recommended you store this information in an encrypted state inside a database located in a DMZ.    Thus if anybody hacks your server or database they can only retrieve encrypted info.

If you need anything further let me know.
0
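The "known order" weakness described above (an old server handing out ASPSESSIONID values in sequence) is something an administrator can check for from the outside by collecting a number of freshly issued cookie values and looking for a fixed step between them, or for positions that never change. The script below is an added example, not code from the thread or from IIS; it works on two constructed samples (a counter-style generator and a uniformly random one), and the verdict thresholds are assumptions chosen for illustration. Passing this heuristic does not prove a generator is cryptographically strong, it only flags the predictable case the thread warns about.

```python
import math
import secrets
import string
from collections import Counter

# ASPSESSIONID cookie values are strings of upper-case letters, so the
# checks below treat a token as a base-26 number over A-Z.
ALPHABET = string.ascii_uppercase
TOKEN_LEN = 24


def decode(token):
    """Interpret an A-Z token as a base-26 integer (A=0 ... Z=25)."""
    n = 0
    for ch in token:
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n


def encode(n, length=TOKEN_LEN):
    """Inverse of decode(); used only to build the constructed 'old server' sample."""
    chars = []
    for _ in range(length):
        n, rem = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))


def repeated_step_fraction(tokens):
    """Fraction of consecutive-pair differences equal to the most common difference.

    A value near 1.0 means the server hands out IDs by stepping a counter,
    which is exactly what lets a visitor work out the 'next few' IDs."""
    nums = [decode(t) for t in tokens]
    diffs = [b - a for a, b in zip(nums, nums[1:])]
    if not diffs:
        return 0.0
    _, count = Counter(diffs).most_common(1)[0]
    return count / len(diffs)


def mean_position_entropy(tokens):
    """Average Shannon entropy (bits) of the letter seen at each position.

    Uniformly random A-Z letters approach log2(26) ~ 4.7 bits (a little less
    with a small sample); a counter keeps most positions constant, near 0 bits."""
    n = len(tokens)
    total = 0.0
    for pos in range(len(tokens[0])):
        counts = Counter(t[pos] for t in tokens)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total / len(tokens[0])


def assess(tokens, step_threshold=0.5, entropy_threshold=2.0):
    """Heuristic verdict. The thresholds are assumptions for this example."""
    step = repeated_step_fraction(tokens)
    ent = mean_position_entropy(tokens)
    return {
        "repeated_step_fraction": step,
        "mean_entropy_bits": ent,
        "predictable": step >= step_threshold or ent < entropy_threshold,
    }


# Constructed sample 1: an old-style counter that steps by one per visitor.
SEQUENTIAL_SAMPLE = [encode(decode("ABCDEFGHIJKLMNOPQRSTUVWX") + i) for i in range(64)]

# Constructed sample 2: independent uniformly random letters, the behaviour
# expected of a modern server.
RANDOM_SAMPLE = ["".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
                 for _ in range(64)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(name, assess(sample))
```

To run it against a real server, replace the constructed lists with the ASPSESSIONID values taken from the Set-Cookie headers of repeated cookie-less requests to your own site; a few dozen samples are enough to expose a counter.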
 

Author Comment

by:loopstudio
ID: 24809159
rcg:
Here some info:
I dont store creditcardinfo. But I do have a shop site and account.
The WHOLE site is SSL encrypted! Does this help against session hijacking?
0
 

Author Comment

by:loopstudio
ID: 24809208
rcg:
Also interesting with the IP check idea.
I guess u then have to save the user's IP when he logs in. And then just check both session and IP in important programs?
But does it matter if the IP and the session-var is "in the same" value? Would You then save it in your own session cookie? Or in 2 different cookies? Or check the IP from a DB call?
0
 
LVL 5

Expert Comment

by:rgc6789
ID: 24809213
I think you are plenty safe from hijacking if you are on IIS6.0 or 7. The bigger concern here is cross-site scripting and sql injection, IMHO. See R_Harrison's link on xss and also do some research on sql injection. There are a number of ways to protect against sql injection, but the biggest in my opinion is the use of stored procedures and not embedding sql in your asp/asp.net code. But, that's a different conversation.
0
 

Author Comment

by:loopstudio
ID: 24809305
Hi r Harrison..
Again, thanx a lot, I really appreciate both Your help, and also Your detailed description of sessions.
I don't store sensitive information in the session with the session() command. But of course I verify the user in all pages by a check against a session("somevalue") var. If it doesn't match he has to log in.

I will now check what u said about checking the right sessionID for random IDs.
The last part about storing "this" information in DMZ.. I dont know what You are talking about. What is "this" information? And the DMZ?

I DO have:
XSS prevention
SSL encryption of whole website
SQL injection prevention
IIS6
0
 

Author Comment

by:loopstudio
ID: 24809344
rgc: What is IMHO?
0
 
LVL 5

Expert Comment

by:rgc6789
ID: 24809362
In My Humble Opinion!
0
 

Author Comment

by:loopstudio
ID: 24809819
R Harrison..

I can now see that the HTTP_COOKIE ASPSESSIONID "IS" random, and that the session.sessionid ISN'T.

So does that mean I HAVE random sessions? And the security is all fine?
0
 

Author Comment

by:loopstudio
ID: 24830554
An also to Harrison:
Could I make You take a look at the comments I have made to the first issue:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_24430610.html#discussion

Thanx in advance :)
0
 
LVL 12

Accepted Solution

by:
R_Harrison earned 125 total points
ID: 24831866
If you have random HTTP_COOKIE ASPSESSIONID that is fine and correct.

Regarding the XSS in your other question, the article I wrote http://www.experts-exchange.com/articles/Internet/Web_Development/Preventing-Cross-Site-Scripting-XSS-1.html contains examples of XSS code, some using only brackets, etc, so you can see the importance of replacing '<', '>' and '(' ')'.   Also remember if you use REQUEST or other data that has not been 'cleaned' inside a tag e.g  <img src="abc.asp?a=<%=REQUEST("IMAGENAME")%>"> then a hacker can easily insert XSS by using the following as the value for IMAGENAME.

1" onMouseOver="alert('some nasty xss code be here')"

As you can see no '<' or '>' are in the xss code but it will still run.
0
 

Author Comment

by:loopstudio
ID: 24965504
What if I instead of removing "()<>" tags, then change them to the respective "%something" codes?
Will they then be a threat?
0
 
LVL 12

Expert Comment

by:R_Harrison
ID: 24975265
I use the function below, it swaps the <>() with the equivalent &lt;&gt;&#40;&#41; so it displays correct on screen but will not run in a browser.

Copy the function on to your page, then simply

response.write(MakeSafe(yourstring))

<%
' Replaces the characters that let injected text be parsed as HTML or run as
' script with their HTML entity equivalents. Returns Empty when passed Null.
Function MakeSafe(PassedValue)
	If IsNull(PassedValue) = False Then
		MakeSafe = Replace(PassedValue, "<", "&lt;")   ' tag open
		MakeSafe = Replace(MakeSafe, ">", "&gt;")      ' tag close
		MakeSafe = Replace(MakeSafe, "(", "&#40;")     ' function call open
		MakeSafe = Replace(MakeSafe, ")", "&#41;")     ' function call close
	End If
End Function
%>

0
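Entity replacement like the function above is the right idea for text placed between tags, but the earlier comment in this thread shows why it is not sufficient on its own inside an attribute: the quoted IMAGENAME value contains no '<' or '>' and still closes the src attribute early. The following is an added example, not code from the thread; it transliterates the MakeSafe() logic to Python, puts a fuller attribute escaper beside it (also replacing '&', '"' and the apostrophe, with '&' done first so existing entities are not double-escaped), and renders the <img> tag from the thread with both, using the thread's own sample value as the test input. The attribute_count() helper is a hypothetical name chosen for this example.

```python
import re


def make_safe(value):
    """Python equivalent of the VBScript MakeSafe(): replaces only < > ( )."""
    if value is None:
        return ""
    return (value.replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace("(", "&#40;")
                 .replace(")", "&#41;"))


def escape_html_attr(value):
    """Escape a value for use inside a double-quoted HTML attribute.

    '&' is replaced first so that an existing entity is not double-escaped;
    both quote characters are replaced so the value cannot end the attribute
    and start a new one (the onMouseOver case quoted in the thread)."""
    if value is None:
        return ""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;")
                 .replace("(", "&#40;")
                 .replace(")", "&#41;"))


def render_img(image_name, escaper):
    """Build the <img> tag from the thread with the given escaper applied to IMAGENAME."""
    return '<img src="abc.asp?a=%s">' % escaper(image_name)


def attribute_count(tag):
    """Count attribute-like ' name="' openings in a rendered tag.

    The intended tag has exactly one (src); a second one means the value
    escaped the attribute it was placed in."""
    return len(re.findall(r'\s[A-Za-z][\w-]*="', tag))


# The value quoted earlier in the thread, used here as a test input.
PAYLOAD = '1" onMouseOver="alert(\'some nasty xss code be here\')"'

if __name__ == "__main__":
    for name, escaper in (("MakeSafe only", make_safe), ("attribute escape", escape_html_attr)):
        tag = render_img(PAYLOAD, escaper)
        print("%-17s attributes=%d  %s" % (name, attribute_count(tag), tag))
```

Run as a script, the MakeSafe-only rendering comes out with two attributes (src and onMouseOver) while the attribute-escaped rendering keeps a single src attribute whose value merely contains the literal text. The same rule applies to any server-side value written into an attribute: choose the escaper for the context the value lands in, not a single function for the whole page.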
