WebApp Sec mailing list archives
Random Session.SessionID with IIS 6.0
From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Thu, 14 Oct 2004 20:16:21 +0100
Hi list! I was wondering if someone can tell me if I'm right with this:

Setting up: I've got an IIS 6.0, connection through HTTPS, and ASP pages on my IIS.

What I'm trying to do: As many people dream about :), just track the user through its journey on my website ... But to avoid replay attacks and brute force password guessing, I need to get a unique identifier for this user.

The trouble: I was thinking about some encrypted mix like HASH{user_tcp_port || Session.SessionID || Rnd-number || ...}. My 2 problems are: the user port and the Session.SessionID.

- Pentesting my idea, I noticed that the user port (obviously > TCP:1024) ... changes as time goes on (I think it is normal behaviour, that's why they are called ephemeral ports :) )! So I cannot rely on it :(.
- Then I thought about 'Session.SessionID'. Microsoft's docs told me it was a unique identifier per session, so I was happy with it ... But it seems that this number is unique if you have cookies enabled on your browser, and as some people disable them ... So this identifier cannot be reliable, even within the same connection, and moreover it seems to increase by +1 at each next session, so a little bit predictable :(

I saw with ASP a beautiful Cert.Cookie (still Request.ServerVariables) ... But it seems NULL in my case :(

So my question was: within an HTTPS connection, is there any ID that will be UNIQUE from the beginning to the end of the same session? There is probably one, so my question would be turned into "how can I catch it?"

I know my question is not new :( Thanks a lot list, am quite stuck with this :(
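The usual answer to the question above is to stop deriving the identifier from things the server does not control (client port, a sequential Session.SessionID) and instead issue a random token from the server's CSPRNG, keep the session state server-side, and hand the token out in a Secure, HttpOnly cookie. The following is an added Python example of that pattern, not code from the original post or from IIS/ASP; the names SessionStore, TOKEN_BYTES, DEFAULT_TTL and set_cookie_header are this example's own.

```python
import secrets
import time

# Added example: a server-side session store that issues its own random
# token instead of relying on the sequential Session.SessionID or on the
# client's ephemeral TCP port. All names here are this example's own.

TOKEN_BYTES = 16        # 128 bits from the OS CSPRNG: not guessable, not sequential
DEFAULT_TTL = 20 * 60   # seconds of inactivity before a session is dropped


class SessionStore:
    def __init__(self, ttl=DEFAULT_TTL, clock=time.time):
        self._sessions = {}   # token -> {"user": ..., "expires": ...}
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be tested offline

    def create(self, user):
        """Issue a fresh, unpredictable token for an authenticated user."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {"user": user, "expires": self._clock() + self._ttl}
        return token

    def lookup(self, token):
        """Return the user bound to token, or None if unknown or expired."""
        data = self._sessions.get(token)
        if data is None:
            return None
        if self._clock() > data["expires"]:
            del self._sessions[token]          # replaying an old token fails
            return None
        data["expires"] = self._clock() + self._ttl   # sliding expiry
        return data["user"]

    def rotate(self, token):
        """Swap a token for a new one after login so a pre-login token is useless."""
        user = self.lookup(token)
        if user is None:
            return None
        self.destroy(token)
        return self.create(user)

    def destroy(self, token):
        self._sessions.pop(token, None)


def set_cookie_header(token, name="sid"):
    """Cookie attributes for an HTTPS-only site: never sent over plain HTTP and
    not readable from script. Without cookies the token has to travel another way."""
    return f"Set-Cookie: {name}={token}; Secure; HttpOnly; Path=/"
```

Because the token carries no user data and 128 bits of entropy, guessing an active session is infeasible and a stolen token stops working once it expires or is destroyed at logout.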