Developing Web Applications

ASP Session ID and Session Security

The cookie approach to session management could become a potential security problem. If an intruder were able to capture or guess the session ID cookie in use by an active session, he or she could submit valid HTTP requests that included this cookie. In this manner, an intruder could hijack, or steal, a user’s active session. For example, if a user had supplied valid credit card information, and a script in an ASP page stored this information in the Session object, an intruder who managed to hijack the session could make purchases using the stolen session. For this reason, the following built-in security measures are taken when generating ASP session cookies:

• Session ID values are 32-bit long integers.
• Each time the Web server is restarted, a random session ID starting value is selected.
• For each new ASP session that is created, the session ID value is incremented.
• The 32-bit session ID is mixed with random data and encrypted to generate a 16­character cookie string. Later, when a cookie is received, the session ID is decrypted from the 16-character cookie string.
• The encryption key is randomly selected each time the Web server is restarted.

ASP session ID values are selected from a huge range and are encrypted, making it difficult to capture a valid cookie. In addition, guessing a valid cookie once does not make it easy to guess another valid cookie.

If the complexity of the ASP cookie generation algorithm does not meet the security requirements of your site, user authentication and client certificates can be used in conjunction with session management to provide even more security to your Web applications. For more information, see Security in this book.

© 1997-1999 Microsoft Corporation. All rights reserved.