  1. #1 kromey (Fairbanks, AK; joined Sep 2006)

    Session.Abandon() behavior

    When I found the Session.Abandon() method, I was ecstatic - this looked like the elegant solution to my problem!

    I guess I don't know how it works, sadly.

    From my testing, it appears that Session.Abandon() does nothing more than clear the session variables. Is this correct?

    The problem I'm having is that when we hired a penetration tester to test our ASP application (well, one of them, anyway), he decided that having a static session ID (i.e. the ASPSESSID cookie) was a security flaw (and I'm inclined to agree with him). Regardless of what y'all think about this, my boss agrees and thus wants me to fix it.

    I was hoping Session.Abandon() would prompt the application to generate a new session ID cookie. Sadly, that appears to not be the case. Unless I'm doing something wrong?

    Is there a way that I can effectively force ASP to give the client a new session ID so that I can make my boss happy (and make sure I keep getting paychecks)?

    EDIT:
    Wow, just reread this and realized it's not at all clear what I mean when I say "static session ID!" What I mean by that is that the session is created, and thus the session ID established, before the user logs in, and does not change upon a successful login. Hope this clears things up some.
    Last edited by kromey; Sep 8, 2006 at 18:57. Reason: Clarification
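The finding described in this post (a session id that is established before login and kept unchanged after a successful login) is the classic session-fixation pattern, and the fix is to bind the authenticated state to a freshly issued id at login time. The following is an added example, not code from this thread or from the poster's application; it uses Python with an in-memory session table because the mechanics are independent of the web framework (the cookie value here plays the role of ASPSESSIONID). The `SessionStore`, `login_static`, `login_rotating` and `fixation_check` names, and the `USERS` credential table, are constructed for the demo.

```python
"""Session fixation demo: a static session id versus one rotated on login."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed credential table for the demo (not a real user database).
# Passwords are kept as SHA-256 digests only so the example is self-contained;
# a real application would use a proper password hash with a salt.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def check_credentials(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed credential table."""
    expected = USERS.get(username)
    if expected is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, given)


class SessionStore:
    """In-memory stand-in for the server-side session table, keyed by the
    value that the session cookie carries (ASPSESSIONID in classic ASP)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        """Issue an unguessable id with an empty server-side state."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def abandon(self, sid: str) -> None:
        """Drop the server-side state; the old id simply stops resolving."""
        self._sessions.pop(sid, None)

    def regenerate(self, old_sid: str) -> str:
        """Abandon the old id and issue a fresh one. Pre-login state is
        deliberately not carried over: whoever planted the old id in the
        browser could also have planted that state."""
        self.abandon(old_sid)
        return self.create()


def login_static(store: SessionStore, sid: str, username: str, password: str) -> str:
    """The pattern flagged in the thread: the id established before login is
    kept after a successful login. Returns the id the client should use."""
    session = store.get(sid)
    if session is not None and check_credentials(username, password):
        session["user"] = username
    return sid


def login_rotating(store: SessionStore, sid: str, username: str, password: str) -> str:
    """Hardened pattern: a successful login discards the pre-login id and
    binds the authenticated state to a fresh one, which the response must
    then set as the new cookie value."""
    if not check_credentials(username, password):
        return sid
    new_sid = store.regenerate(sid)
    store.get(new_sid)["user"] = username
    return new_sid


def fixation_check(login) -> bool:
    """Return True if an id known before login still resolves to the
    authenticated session afterwards, i.e. the login handler is vulnerable.
    This is the condition a tester checks when reporting a static session id."""
    store = SessionStore()
    pre_login_sid = store.create()
    login(store, pre_login_sid, "alice", "correct horse")
    session = store.get(pre_login_sid)
    return session is not None and session.get("user") == "alice"


if __name__ == "__main__":
    print("static id vulnerable:  ", fixation_check(login_static))    # True
    print("rotating id vulnerable:", fixation_check(login_rotating))  # False
```

The point of `fixation_check` is that "the session was abandoned" is not what a tester measures: what matters is whether the id the browser held before authentication still grants access afterwards. `login_rotating` passes because the pre-login id is removed from the table and a new value is handed back for the cookie; any scheme that keeps the same cookie value across login, however it clears server-side data, fails that check.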

  2. #2 kromey
    Sorry to be a nuisance, all, but my boss is starting to breathe down my neck on this.

    Just to clarify, I need a way to force ASP to create a new value in the ASPSESSIONID cookie - is there a way to do this, or would I need to build some other mechanism to get this behavior?

  3. #3 kromey
    I really hate to be bumping my post here, but I really need something to tell my boss. Even if it's just someone (i.e. someone more than just me) saying, "I don't think this is possible without building an entirely new session handling method from scratch," would be great!

    Please? Anyone?

  4. #4 kromey
    53 thread views and I still can't get anyone to say, "I don't think it's possible"???

    I'm not looking for an authoritative "That is/is not possible in ASP," I just want to give my boss something more than my word alone, please!

  5. #5 SitePoint Member (joined Oct 2006)

    Create new Session ID

    Sometimes, you may not want to reuse the session ID. If you do and if you understand the ramifications of not reusing the session ID, use the following code example to abandon a session and to clear the session ID cookie:

    Code:
    Session.Abandon();
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

    There's more information in the following URL.

    http://support.microsoft.com/kb/899918/en-us

  6. #6 kromey
    Thanks for the reply. Unfortunately, the application I'm dealing with is classic ASP, not ASP.NET. I've been all over Microsoft's KB and I just cannot find an answer one way or the other, which leads me to conclude that what I want to do is just simply not possible.

    On further study, however, Session.Abandon() does in fact appear to have the desired effect, that is to ensure that any session data associated with the abandoned session is destroyed and/or no longer tied to that cookie. Which, when all is said and done, is indeed the effect we are after.

    My boss just wants to see the value of the cookie change, since the penetration tester said that the fact that it isn't changing is a security hole. Anyone have a way to make my boss happy?

  7. #7 Northern Star (Cheshire, UK; joined Aug 2006)
    Session.Abandon() should and does wipe the Session.SessionID.

    Code:
    <%
    
    Response.Write Session.SessionID
    
    If Request.QueryString("abandon") = "true" Then
    
    	Session.Abandon()
    	Response.Redirect "test.asp"
    
    End If
    %>
    
    <a href="?abandon=true">Abandon</a>
    Try uploading that page to your server and run it.

  8. #8 kromey
    Session.Abandon() does indeed destroy the current Session.SessionID. However, this is not the value that lives in the cookie. I realize, and you and everyone else here realizes, that this effectively destroys the session and the value in the cookie is no longer associated with any active session information, however my boss can see the cookie value and sees that it is not changing.

    I guess I'll just have to explain this to her. I can print the Session.SessionID value, too, so that she can see that it is indeed changing. The cookie value doesn't change, but the session is indeed being destroyed appropriately. Well, that is, it will be once I add the Session.Abandon() code to the application. In all honesty, the entire thing is the worst coding atrocity I've ever seen. If I had my way (and infinite time) I'd scrap and rewrite the entire thing from the ground up. Using PHP. Because I don't know ASP.

  9. #9 Northern Star
    Quote Originally Posted by kromey:
    > In all honesty, the entire thing is the worst coding atrocity I've ever seen. If I had my way (and infinite time) I'd scrap and rewrite the entire thing from the ground up.
    I go through the same process on a weekly basis!

    Hope your boss sees the light in the end!
    "If it ain't broken, don't fix it!"
    ----
    Northern Star - Web design, strategy & development.

  10. #10 kromey
    Eh, either she does, or I end up rewriting it, in which case all my other project deadlines would need to be pushed way back. Or she'd have to hire another programmer. Either way is fine with me.
