ObjectSharp Blogs

Bruce Johnson's SOA(P) Box

Using SOA in the .NET world


Automatic mitigation for ASP.NET vulnerability

By now, most of you will have heard about the ASP.NET vulnerability that allows creatively formed URLs to bypass forms or Windows-based authentication. While a piece of code that can be added to global.asax has been available, Microsoft has now released a more easily deployed mechanism for mitigating the security risk. Check out http://www.microsoft.com/security/incident/aspnet.mspx to download an MSI file that installs an HTTP module that protects all of the sites on a web server.

Comments

  • bruce October 8, 2004 4:56 PM

    Hi Bruce,

    I have a few questions. I am developing an ASP.NET website using cookieless sessions. By setting the cookieless=true property in web.config, ASP.NET embeds the session ID in the URL. After logging in, if I copy and paste the same URL into a different browser, it prompts me back to the Login page. My questions are:

    - How does ASP know that you are using a different browser session, when in fact your IP address, user agent and everything else are the same?
    - How secure is it?
    - Are there any security implications?


    Thanks,
    amir
