preventing Session ID replay attack

Hello,
I am developing a Simple ASP Website with a login page. I want to know how I can change the Session ID after login and also close the current Session after the User closes the Window or gets logged out of the Website, so that every time the user logs in to the website, the Session ID will be unique. Thank you.

anoop wrote on 16 apr 2007 in microsoft.public.inetserver.asp.general:

> I am developing a Simple ASP Website with a login page. I want to
> know how can I change Session ID after login

You cannot, simply because changing the session.id would end the session per definition.

> and also Close the
> current Session after User closes the Window or gets logged out of the
> Website.

Use session.abandon if you have to, or empty the session("login") value if so designed.

... however you cannot reliably trust the closing of window to be reported. It depends on the browser used, the closing of the computer, or if someone trips over the mains connection or internet connection.

> So that every time user logs in into the website, Session ID
> will be unique.

The session.id is unique as delivered by the system, better than once in a lifetime at least.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

to release all used sessions
session.abandon()
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/02106ee0-6603-4123-b5c8-eeb92ebbbc31.asp
but this won't reset the session id ... (as far as I know)

On Apr 16, 10:09 am, "Evertjan." <exjxw.hannivo***@interxnl.net> wrote:
> anoop wrote on 16 apr 2007 in
> microsoft.public.inetserver.asp.general:
>
> > I am developing a Simple ASP Website with a login page. I want to
> > know how can I change Session ID after login
>
> You cannot, simply because changing the session.id would end the session per
> definition.
>
> > and also Close the
> > current Session after User closes the Window or gets logged out of the
> > Website.
>
> Use session.abandon if you have to, or empty the
> session("login") value if so designed.
>
> ... however you cannot reliably trust the closing of window to be reported.
> It depends on the browser used, the closing of the computer, or if someone
> trips over the mains connection or internet connection.
>
> > So that every time user logs in into the website, Session ID
> > will be unique.
>
> The session.id is unique as delivered by the system, better than once in a
> lifetime at least.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
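
Since the replies above say the Session ID itself cannot be changed and session.abandon may not reset it, one way to still get a fresh value at every login is to bind a per-login token to the session and check it on every protected page. This is an added example, not code from any poster in the thread; the cookie name, the Session("token") key, the Sub/Function names and the use of a Scriptlet.TypeLib GUID as the token source are assumptions.

```asp
<%
' Added example (not from the thread). All names below are hypothetical.
Const TOKEN_COOKIE = "LoginToken"

' Assumption: a GUID is used as the per-login value. Swap in a
' cryptographic random generator if one is available on the server.
Function NewLoginToken()
    Dim tl
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    NewLoginToken = Mid(tl.Guid, 2, 36)   ' drop the braces and trailing padding
    Set tl = Nothing
End Function

' Call once, after the user name and password have been verified.
Sub StartLogin(userName)
    Dim token
    token = NewLoginToken()
    Session("login") = userName
    Session("token") = token                      ' server-side copy
    Response.Cookies(TOKEN_COOKIE) = token        ' no Expires: dropped when the browser closes
    Response.Cookies(TOKEN_COOKIE).Secure = True  ' sent over HTTPS only
End Sub

' Call at the top of every protected page.
Function IsLoggedIn()
    Dim sent
    sent = Request.Cookies(TOKEN_COOKIE)
    IsLoggedIn = False
    If Len(sent) = 36 And Session("login") <> "" Then
        IsLoggedIn = (sent = Session("token"))
    End If
End Function

' Call from the logout page, before any output is sent.
Sub EndLogin()
    Session("login") = ""
    Session("token") = ""
    Response.Cookies(TOKEN_COOKIE) = ""
    Response.Cookies(TOKEN_COOKIE).Expires = DateAdd("d", -1, Now())
    Session.Abandon
End Sub
%>
```

A request that presents only a Session ID issued before login, without the token cookie set by StartLogin, fails IsLoggedIn even though Session("login") is populated. After EndLogin the old token no longer matches anything stored server-side.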