Tags: asp.net, security, web-applications, session-state, cookieless

Avoid session hijacking for Web Applications


I have read some articles about session hijacking and would like some more information related to it. Currently my web application, which is developed in ASP.NET, is using Cookieless=true mode for session state. We are using HTTPS, which is a secure connection that will reduce session hijacking. I know that when we use Cookieless mode the session ID is embedded in the URL, which can be dangerous sometimes: if a user passes this URL to somebody, the other user will be able to log in if the session is still alive. So I just want to know whether HTTPS is more than enough or whether I should do something else to secure my web app.


Solution

  • HTTPS only protects against grabbing and changing data between client and server (or server and client). It can't help you if a user shares the link with friends (or hackers :) ).

    As an option you can save the client IP in a session variable on session start and check on every request whether the current IP and the IP stored in the session are the same. This will provide a bit more security.
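The IP-binding check suggested in the answer, written out as an added example for a classic ASP.NET (System.Web) Global.asax; this is not code from the original post. The session key name and the `~/Login.aspx` redirect target are assumptions.

```csharp
// Global.asax.cs (added example). Binds the session to the client address seen
// at Session_Start and ends the session when a later request arrives from a
// different address, so a leaked cookieless URL cannot simply be replayed.
using System;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Hypothetical session key; any name that cannot collide with app data works.
    private const string BoundAddressKey = "__BoundClientAddress";

    protected void Session_Start(object sender, EventArgs e)
    {
        // Record the address the session was created from. Request.UserHostAddress
        // is the TCP peer; behind a reverse proxy that is the proxy, not the user.
        Session[BoundAddressKey] = Request.UserHostAddress;
    }

    // Fires after SessionStateModule has loaded the session for this request,
    // so Context.Session is populated for handlers that use session state.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpSessionState session = Context.Session;
        if (session == null)
        {
            return; // static file or a handler without session state: nothing to check
        }

        if (!AddressMatchesSession(session, Request.UserHostAddress))
        {
            // Address changed since Session_Start: treat the session ID as leaked,
            // drop the server-side state and send the client back to the login page.
            session.Abandon();
            Response.Redirect("~/Login.aspx?reason=session", false);
            CompleteRequest();
        }
    }

    // True when the session carries no binding yet (defensive: e.g. state created
    // before this code was deployed) or the bound address equals the current one.
    private static bool AddressMatchesSession(HttpSessionState session, string currentAddress)
    {
        var bound = session[BoundAddressKey] as string;
        if (bound == null) return true;
        return string.Equals(bound, currentAddress, StringComparison.Ordinal);
    }
}
```

Users on mobile networks or behind carrier-grade NAT legitimately change addresses mid-session, so expect occasional forced logouts and log each mismatch rather than treating it as a confirmed attack. Behind a load balancer every user shares the proxy's address and the check becomes vacuous unless the real client address is recovered from the proxy's forwarding header.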