suresh pondicherry
asked on
Capture login details when user login from same server in two different browsers
Hi All,
I am using most secured application and i couldn't share or upload any files other than .txt.
I am using VS 2013 , C#. My requirement is
1)The application should be set to disconnect a user’s session upon log on from a different location.
2)Also If user login from same server in two different browsers by hacking the same session , then i need to capture the time of login , IP address and browser name and login ID
Please find the global.asax.cs and web.config
Kind regards,
Pooja
I am using most secured application and i couldn't share or upload any files other than .txt.
I am using VS 2013 , C#. My requirement is
1)The application should be set to disconnect a user’s session upon log on from a different location.
2)Also If user login from same server in two different browsers by hacking the same session , then i need to capture the time of login , IP address and browser name and login ID
Please find the global.asax.cs and web.config
Kind regards,
Pooja
This isn't something that works very well, in my opinion. Yes, David is correct in that WP-bouncer has a concept, but the nature of stateless / HTTP applications is that there's no guarantee of who's who. In practice, if someone hijacks a session these days, they're often doing it from NAT within the same network, so they'll often have the same public IP.
On top of that, if someone DOES hijack a session and then resets the password, it can make it extremely difficult for the valid user to establish themselves as the correct user and not the hijacker.
The catch to all of this is that you're trying to block advanced techniques, but if someone is advanced enough to implement the attacks, they'll be more than advanced enough to avoid detection. For example, let's say I break into a network and I get into a position to intercept SSL traffic and hijack a session, at that point, I'm going to also spoof the user agent to avoid detection. No remote server will be able to tell the difference between me and the original session because we'd be sending identical requests. For all the remote server knows, it's just the same user with a second browser tab open.
So my advice would be to do the things you CAN do reliably. For example, you could store a session ID in the database on the user's record, and set / update that session ID upon login (or whenever the server chooses to rotate the session ID). And then on every single page hit, your code queries the user record and checks to see if its current session ID matches the one in the DB. If it doesn't match, you kill the current session. That would prevent multiple, valid logins from the same user. It won't prevent hijacking, but there's very little you can do to prevent hijacking.
On top of that, if someone DOES hijack a session and then resets the password, it can make it extremely difficult for the valid user to establish themselves as the correct user and not the hijacker.
The catch to all of this is that you're trying to block advanced techniques, but if someone is advanced enough to implement the attacks, they'll be more than advanced enough to avoid detection. For example, let's say I break into a network and I get into a position to intercept SSL traffic and hijack a session, at that point, I'm going to also spoof the user agent to avoid detection. No remote server will be able to tell the difference between me and the original session because we'd be sending identical requests. For all the remote server knows, it's just the same user with a second browser tab open.
So my advice would be to do the things you CAN do reliably. For example, you could store a session ID in the database on the user's record, and set / update that session ID upon login (or whenever the server chooses to rotate the session ID). And then on every single page hit, your code queries the user record and checks to see if its current session ID matches the one in the DB. If it doesn't match, you kill the current session. That would prevent multiple, valid logins from the same user. It won't prevent hijacking, but there's very little you can do to prevent hijacking.
ASKER
The application (C# class library ) which we have doesn't have access to database. Assume there is no database interactions. What's the best solution?
How are you handling logins, then?
ASKER
through Api's .
There is no database for this app.
There is no database for this app.
So you authenticate against these APIs but you don't control the APIs?
ASKER
i didn't dig deep how the current app authenticate api's. But this is the current situation with me. Don't have access to db and don't have access to create/delete files on the server.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This code has been available for years + works great.