Problems with my asp.net website and something google is doing

Posted on 2011-02-12
Last Modified: 2012-05-11
A little background;

We used to run our site using a cookie mechanism. When a user logged in, it would store a reference for that session in that cookie and our profile/security system would run off this reference. Our client complained to us that they were getting emails from users stating they were unable to login. Well, they could login, but were asked to login again over and over, basically, because the cookie could not be read. Tried to explain this to client with a resolution but it was not accepted. We were told to find a workaround.

The workaround was to pass the session reference in the URL for each page. We would then validate this as and when required. Obviously, this is a security risk from session hijacking, so we put various steps in place to hopefully counter this. Those were;

Store IP in the session details in our DB
Continue to store the cookie, but not make our sessions reliant on it.

When a request needed to be validated, we would check the following;

Do the IPs match.
Do the cookies match.

In some scenarios, one of these tests could fail;

If the user does not allow cookies, the IPs in theory would still match.
If the user uses a proxy system that used multiple IPs, the cookie would still match

However, if both tests fail we would then class the session as hijacked and remove it from our system, therefore hopefully removing any risks.

Now, this does not cover all scenarios, but it seemed a good start. If a user refused cookies and used a multiple IP proxy system (I think AOL does), they would not be able to login. I would try to find a resolution to this as and when it does arrive.

However, we received an email today from a user stating that the system kept bouncing her to the login page and from our logs I could see this was because both of the checks were failing. When I went in to investigate, I noticed that each login request was followed within a few seconds with a request from 'googlebot' and this was the cause of the session being killed, an example of the log file is below (not full log information, but enough);

User logs in;

2011-02-12 14:14:20 10.0.95.1 GET /login.aspx - 80 - 87.*.*.*
2011-02-12 14:14:42 10.0.95.1 POST /login.aspx - 80 - 87.*.*.*

Gets redirected to main page with session reference attached and cookie stored

2011-02-12 14:14:42 10.0.95.1 GET /default.aspx id=1c55c55ee1b34ad6ae43c59ad7c2802e 80 - 87.*.*.*

2 seconds later, the request comes in from another IP (resolved to crawl-66-249-71-237.googlebot.com).

2011-02-12 14:14:45 10.0.95.1 GET /default.aspx id=1c55c55ee1b34ad6ae43c59ad7c2802e 80 - 66.249.71.237 Mediapartners-Google - - 302 0 0 374 187

Session is killed here because neither IP nor cookie match.

This is repeated 5 times until we get the email from the user. So not really sure what I can do about this and more curious about why google is doing this and are they allowed to.






0
Question by:officedog
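The two-check validation described in the question, replayed over log lines, as an added example that is not code from the original post. The log lines are constructed in the layout shown above with an assumed trailing cs(Cookie) column; the session id, the `sid` cookie name, the documentation-range IPs and the `destroy_on_mismatch` flag are all hypothetical. It shows why a single fetch of the session URL by a third party logs the real user out, and how rejecting the request without deleting the session behaves instead.

```python
from dataclasses import dataclass

# Constructed sample: date time s-ip method uri-stem uri-query port user c-ip
# user-agent cookie ("-" means no cookie was sent). Not taken from the post.
SAMPLE_LOG = """\
2011-02-12 14:14:42 10.0.95.1 GET /default.aspx id=aaaa1111 80 - 198.51.100.7 Mozilla/5.0 sid=aaaa1111
2011-02-12 14:14:45 10.0.95.1 GET /default.aspx id=aaaa1111 80 - 203.0.113.9 Mediapartners-Google -
2011-02-12 14:14:50 10.0.95.1 GET /account.aspx id=aaaa1111 80 - 198.51.100.7 Mozilla/5.0 sid=aaaa1111
"""

@dataclass
class Request:
    path: str
    session_id: str
    client_ip: str
    user_agent: str
    cookie: str

def parse(line):
    """Split one log line into the fields the session check needs."""
    f = line.split()
    query = dict(p.split("=", 1) for p in f[5].split("&") if "=" in p)
    cookie = "" if f[10] == "-" else f[10].split("=", 1)[1]
    return Request(f[4], query.get("id", ""), f[8], f[9], cookie)

def replay(log, destroy_on_mismatch):
    """Apply the post's rule: a request passes if the IP OR the cookie matches."""
    # Session state as stored at login (IP and cookie value recorded in the DB).
    sessions = {"aaaa1111": {"ip": "198.51.100.7", "cookie": "aaaa1111"}}
    outcomes = []
    for line in log.splitlines():
        r = parse(line)
        s = sessions.get(r.session_id)
        if s is None:
            outcomes.append((r.client_ip, "login-required"))
        elif r.client_ip == s["ip"] or r.cookie == s["cookie"]:
            outcomes.append((r.client_ip, "allowed"))
        else:
            # Both checks failed. The post's behaviour deletes the session,
            # which also ends it for the legitimate user.
            if destroy_on_mismatch:
                del sessions[r.session_id]
            outcomes.append((r.client_ip, "rejected"))
    return outcomes

if __name__ == "__main__":
    print("destroy on mismatch:", replay(SAMPLE_LOG, True))
    print("reject only:        ", replay(SAMPLE_LOG, False))
```

With `destroy_on_mismatch=True` the user's next request after the crawler fetch is sent back to login, matching the symptom in the post; with `False` the crawler is still refused but the user's session survives.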
LVL 16

Expert Comment

by:BurnieP
ID: 34879019
Another idea could be to store the SessionID from the Session object in the database, instead of the IP address.  The Session.SessionID is the same for the duration of the session of the client on the website.

About Google,  I believe they are scraping your website to optimize their search engine.  They do it to every website querying for keywords so your website can appear better in the search results.

0
 
LVL 11

Expert Comment

by:madgino
ID: 34879022
Probably the client has google toolbar installed with some specific settings and this generates the requests.
As long as the client accepted the terms and conditions when installing the toolbars I can see any problem on why google is doing this.

As far as I see it you are really in an impossible situation, all you can do is test and advise the client how to configure the browser/toolbar.
0
 

Author Comment

by:officedog
ID: 34879030
Your comment regarding the SessionID from the asp.net session is a good one. This could be a further check.

However, I understand how standard search engine spidering works, but it seems google are using the hijacked session URL to revisit the site. Of course they are probably not doing anything malicious, but it does raise a question of why and what it is they are actually doing.
0
 
LVL 16

Accepted Solution

by:
BurnieP earned 2000 total points
ID: 34879046
Hi,

I found this wikipedia about googlebot : http://en.wikipedia.org/wiki/Googlebot

You can find more information about it by reading this or googling googlebot.  I would not be too worried about it since they are not malicious and are just trying to get your website up in the search rankings.
0
