is there any security issue realated to leaving ASP.NET Session ID value on html hidden field?
Its in order to work around a problem when using uploadify, which is based on flash to work and have known problems (this link, look for ‘STEP 6’) in sending the right cookies to the server through ajax request so I’m having problems when trying to authenticate against my session based authentication process.
By puuting SessionId value in a hidden field it allows me to grab the right valu and after some code on global.asax sucefully work around this problem.
Am I doing something totally wrong? Btw, im using 128bit ssl encryption.
Thank you!!!
EDIT:
The point is, if session ids are alaways present in https post/request, whats the difference if I store them as a post argument or as cookie value beign sent within an http req.? If someone that intercepts my req and get my SessionId can easily bypass security, whats the best way to implement autenthication???
Yes anyone getting hold of the session id can access that user’s session. This is a big security risk, made worse by the fact many people wrongly use it for custom authentication (which you appear to be doing).
By writing it into the page your making it easier to steal via XSS techniques and others. Session is not at all secure, that’s why .NET has it’s own authentication scheme using encryption and entirely decoupled from session.
I can send you a link, set your cookie, wait for you to login, share the same cookie and access all your details as if I were you. Session Id is a random token there is no encryption at all.
The way to implement authentication is via the .NET authentication cookie, and optionally the use of
MembershipProvider. This creates an encrypted cookie based on the server unique machine key. Only this server can decrypt the cookie in order to authenticate the user. If someone forces a session ID on you, or steals it, they still can’t authenticate as you.Of course someone could also steal your authentication cookie, but there’s an option to only serve the cookie over SSL to protect against this, and it can’t be forced on you due to encryption.