开发者

Prevent transfer of Session

HI,

Does somebody now a good way to make se开发者_JS百科ssion not transferable, so an user can't move/copy the session token ID from one machine to another?

Thank you!


Why not encrypt a string of the incoming IP address and place in the session. Then when working with the session object you can verify it by decrypting the ip from the session and checking that it is valid against the request IP.

Just an idea. Let me know if you need code.


Set the cookieless attribute of your sessionState node in your web.config file to false, so that you use cookies to store the session keys instead of the URL. Here are a couple of (older) articles on the subject:

  • Top 10 Application Security Vulnerabilities in Web.config Files
  • MSDN: Understand How the ASP.NET Cookieless Feature Works

Cookies are also not totally "safe". If you are looking to google the topic, it is called session hijacking.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜