 

Avoid session hijacking for web applications

I have read some articles about session hijacking and would like some more information related to it. Currently my web application, which is developed in ASP.NET, is using Cookieless=true mode for sessionState. We are using HTTPS, which is a secure connection that will reduce session hijacking. I know that when we use Cookieless the session id is embedded in the URL, which can be dangerous sometimes: if a user passes this URL to somebody, the other user will be able to log in if the session is still alive. So I just want to know whether HTTPS is more than enough or whether I should do something else to secure my web app.

Punit asked Dec 16 '22 22:12
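The sessionState setting the question describes, next to the cookie-based alternative that keeps the session id out of the URL, as an added web.config fragment for an ASP.NET 4.x (System.Web) application. This is not configuration from the questioner's application or from the answers; the mode and timeout values are assumed placeholders.

```xml
<!-- web.config, system.web section. Added example, not from the original thread. -->
<system.web>
  <!-- What the question describes: the session id travels in the URL, so
       anyone who receives a copied link gets the session with it. -->
  <!-- <sessionState mode="InProc" cookieless="true" timeout="20" /> -->

  <!-- Issue the session id as a cookie instead of embedding it in the URL. -->
  <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

  <!-- Mark cookies issued by ASP.NET as Secure (sent only over HTTPS) and
       HttpOnly (not readable by page script). -->
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
</system.web>
```

With `requireSSL="true"` the application must be served over HTTPS only, otherwise the browser never sends the session cookie back and every request starts a fresh session.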


2 Answers

HTTPS protects only against grabbing and changing data between client and server (or server and client). It can't help you if the user shares the link with friends (or hackers :) )

As an option, you can save the client IP in a session variable on session start and check on every request whether the current IP and the IP from the session are the same. This will provide a bit more security.

Pavel Morshenyuk answered Dec 22 '22 00:12


You could end the session if the client IP changes and force them to log in again.

alxx answered Dec 21 '22 22:12
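The IP check Pavel Morshenyuk describes and the end-the-session step alxx adds, combined into one added example for an ASP.NET 4.x (System.Web) application. This is illustration code, not code posted by either answerer or taken from the questioner's application. Assumed: a Global.asax code-behind, a login page at ~/Login.aspx, the session key name `__BoundClientIp`, and that IIS sees the real client address (no reverse proxy or load balancer in front of it).

```csharp
// Global.asax.cs for an ASP.NET 4.x (System.Web) application.
// Added example, not from the original thread: records the client IP when the
// session starts and abandons the session (forcing a re-login) when a later
// request carrying the same session id arrives from a different IP.
// Assumptions: login page at ~/Login.aspx; no reverse proxy in front of IIS.
using System;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Session key under which the bound IP is stored; the name is arbitrary.
    private const string BoundIpKey = "__BoundClientIp";

    // Runs once when ASP.NET creates a new session (cookie- or URL-based alike).
    protected void Session_Start(object sender, EventArgs e)
    {
        Session[BoundIpKey] = GetClientIp(Request);
    }

    // PostAcquireRequestState fires on every request after session state has
    // been loaded, so the value set in Session_Start is already visible here.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpSessionState session = ctx.Session;
        if (session == null)
        {
            return; // handler without session state (static files, etc.)
        }

        string boundIp = session[BoundIpKey] as string;
        string currentIp = GetClientIp(ctx.Request);

        if (boundIp == null)
        {
            // Session created before this code was deployed, or the value was
            // lost: bind it now rather than leaving the session unbound forever.
            session[BoundIpKey] = currentIp;
            return;
        }

        if (!string.Equals(boundIp, currentIp, StringComparison.Ordinal))
        {
            // Same session id, different client: treat the session as stolen
            // (or shared through a copied URL). Drop it and require a fresh login.
            session.Abandon();
            ctx.Response.Redirect("~/Login.aspx?reason=ipchange", true);
        }
    }

    private static string GetClientIp(HttpRequest request)
    {
        // UserHostAddress is the TCP peer address as seen by IIS. Behind a load
        // balancer or reverse proxy this is the proxy's address, so every user
        // would share one IP and the check would never fire; in that deployment
        // read the forwarded header only if the proxy is known to overwrite it,
        // because X-Forwarded-For is otherwise attacker-controlled.
        return request.UserHostAddress ?? string.Empty;
    }
}
```

Two limits of this check are worth keeping in mind. Users whose address changes legitimately (mobile networks, carrier-grade NAT, a laptop moving between networks) will be logged out, and an attacker behind the same NAT as the victim shares the victim's public IP and passes the check. In cookieless mode the session id is also still in the URL, so the check narrows who can use a leaked link rather than removing the leak.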