Change ASPSessionID


Question
How do you change the ASPSessionID during a web session? I have an ASP
application in SSL. The first screen is a login screen, which requests user
id and password. An ASPSessionID is assigned for this page. Once the user
is authenticated by valid id/pwd, the second page starts the real
application. I want to change the ASPSessionID to be different from the
first login page, which was issued to an unauthenticated user. How do I do
that in ASP?

Thanks.
Joseph

Solutions

The sessionID is like a surrogate key, its value has no real meaning and I
have no idea why you need them to be different.


"Joseph Shoe" <Joseph Sh**@discussions.microsoft.com> wrote in message
news:AC**********************************@microsoft.com...

> How do you change the ASPSessionID during a web session? I have an ASP
> application in SSL. The first screen is a login screen, which requests user
> id and password. An ASPSessionID is assigned for this page. Once the user
> is authenticated by valid id/pwd, the second page starts the real
> application. I want to change the ASPSessionID to be different from the
> first login page, which was issued to an unauthenticated user. How do I do
> that in ASP?
>
> Thanks.
> Joseph



ASP maintains the same sessionID for the duration of a session, whether the
user has passed the authentication. The sessionID can be used by someone to
gain access to the part of a session that is considered authenticated, i.e.,
session fixation attacks.

It is a good practice that the server changes the session ID after a user is
successfully authenticated.

"Aaron Bertrand [SQL Server MVP]" wrote:

> The sessionID is like a surrogate key, its value has no real meaning and I
> have no idea why you need them to be different.
>
> "Joseph Shoe" <Joseph Sh**@discussions.microsoft.com> wrote in message
> news:AC**********************************@microsoft.com...
>
> > How do you change the ASPSessionID during a web session? I have an ASP
> > application in SSL. The first screen is a login screen, which requests user
> > id and password. An ASPSessionID is assigned for this page. Once the user
> > is authenticated by valid id/pwd, the second page starts the real
> > application. I want to change the ASPSessionID to be different from the
> > first login page, which was issued to an unauthenticated user. How do I do
> > that in ASP?
> >
> > Thanks.
> > Joseph




> session fixation attachs.

I have no idea what this is. But have you ever tried to fake out or
impersonate a session?

> It is a good practice that the server changes the session ID after a user
> is successfully authenticated.



So the user changes to some other SessionID. Whoopty-doo. If a malicious
user has the ability to impersonate a specific sessionID then certainly they
would be able to impersonate an "authenticated" one.

How and why are you relying on sessionID to allow access to certain parts of
the application? Why not a variable like Session("authenticated")?
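The two replies above disagree on whether issuing a fresh session ID at login is worth anything. The following Python is an added illustration, not code from the thread and not classic ASP (the page names no concrete ASP mechanism for rotating the ID): an in-memory session table stands in for the server's session state, `rotate_on_login` is an assumed switch that models "issue a fresh ID once the user authenticates", and protected-page access is gated on the server-side `authenticated` flag, the equivalent of the `Session("authenticated")` variable suggested in the last reply. `SessionStore`, `login_flow`, the demo user and its password are all constructed for the example.

```python
"""Model of session-ID handling around login (constructed example, not from the thread).

An in-memory table plays the role of the server's session state. The
`rotate_on_login` switch is an assumption modelling "issue a fresh session ID
once the user is authenticated"; the page gives no concrete ASP mechanism.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential table: a hypothetical demo user, not taken from the page.
_USERS: Dict[str, str] = {
    "joseph": hashlib.sha256(b"demo-password-only").hexdigest(),
}


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    stored = _USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


@dataclass
class Session:
    """Server-side state. `authenticated` is the Session("authenticated") flag
    from the last reply: kept on the server, never read back from the client."""
    authenticated: bool = False
    user: Optional[str] = None
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        """Issue the ID that the unauthenticated login page receives."""
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate session `sid`; return the ID the client must use from now on.

        With rotation, the pre-login ID is deleted and a fresh one is minted, so an
        ID that existed before authentication is never promoted to an authenticated one.
        """
        session = self._sessions.get(sid)
        if session is None:
            raise KeyError("unknown session")
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        if self.rotate_on_login:
            del self._sessions[sid]
            sid = secrets.token_urlsafe(24)
            session = Session(data=dict(session.data))  # carry over pre-login data only
            self._sessions[sid] = session
        session.authenticated = True
        session.user = user
        return sid

    def is_authenticated(self, sid: str) -> bool:
        """The gate a protected page checks: the server-side flag, not the ID value."""
        session = self._sessions.get(sid)
        return session is not None and session.authenticated


def login_flow(rotate_on_login: bool) -> Tuple[bool, bool, bool]:
    """Run the thread's scenario and report
    (pre_login_id_still_works, post_login_id_works, ids_differ).

    The pre-login ID was handed to an unauthenticated page, so it may already be
    known to a party other than the user who later types the password.
    """
    store = SessionStore(rotate_on_login)
    pre_login_sid = store.new_session()
    post_login_sid = store.login(pre_login_sid, "joseph", "demo-password-only")
    return (
        store.is_authenticated(pre_login_sid),
        store.is_authenticated(post_login_sid),
        pre_login_sid != post_login_sid,
    )


if __name__ == "__main__":
    print("no rotation:", login_flow(False))  # (True, True, False)
    print("rotation:   ", login_flow(True))   # (False, True, True)
```

Running `login_flow(False)` shows the situation the second reply describes: the ID issued to the unauthenticated login page is simply promoted, so whoever held that ID before the password was entered now holds an authenticated session, and the `authenticated` flag check on its own cannot tell the two holders apart. With `rotate_on_login=True` the pre-login ID stops working the moment the user authenticates and only the freshly issued ID is accepted; the flag check still does the authorization, so the two ideas in the thread are complementary rather than competing.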

