Focus on Microsoft
RE: how do I force secure ASP.NET session cookies? Nov 26 2003 07:32PM
Mark Burnett (mb xato net)
You are correct that it should be Response, not Request; I mistyped
that. I can't fully test it right now, but I did see the behavior you
describe where a new session ID is issued with each request.
Nevertheless, forms authentication worked for me and it did seem to
maintain session variables, although I can't see how it could have
done that. I would need to do further testing.

I cover ASP.NET session management in more detail and how to improve
on it in my upcoming book Hacking The Code:
http://www.amazon.com/exec/obidos/tg/detail/-/1932266658

Mark Burnett

On Wed, 26 Nov 2003 11:32:20 -0000, Ed Devlin wrote:
> Thanks Mark, a perfect, simple solution
>
>
> I tried it (but I use Response not Request):
> Response.Cookies("ASP.NET_SessionId").Secure=True
>
>
> This works (the session cookie is marked as secure) but somehow it
> breaks the ASP.NET session management. Although the browser
> submits the session cookie on its next request, ASP.NET seems to be
> constantly blanking and re-issuing the session cookie with a new
> id, which stops the forms authentication working properly.
>
>
> For the moment I'll have to let this one go, but I'd be interested
> to know if you have used the above technique successfully.
>
>
> Cheers
>
>
> Ed
>
>
> -----Original Message-----
> From: Mark Burnett [mailto:mb (at) xato (dot) net [email concealed]]
> Sent: 25 November 2003 17:04
> To: ed.devlin (at) detica (dot) com [email concealed]; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: how do I force secure ASP.NET session cookies?
>
>
> Just access the ASP.NET session cookie directly and mark it as
> secure: Request.Cookies("ASP.NET_SessionId").Secure=True
>
>
> Mark
>
>
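The following Global.asax handler is an added illustration of the technique discussed in this thread; it is not code posted by either correspondent. It assumes an ASP.NET site using cookie-based session state (the default ASP.NET_SessionId cookie) and that the handler lives in a Global class; the method names and the constant are made up for the example. It shows the one-liner from the thread written out next to a variant that only touches a session cookie the response is actually about to send. The relevant behaviour is that Response.Cookies[name], unlike Request.Cookies[name], creates and queues a new empty cookie when none of that name is already queued on the response, so calling it unconditionally on every request sends an empty ASP.NET_SessionId cookie back to the browser on any response that did not issue a session ID.

```csharp
// Global.asax.cs  (added illustration, not code from the thread)
using System;
using System.Web;

public class Global : HttpApplication
{
    const string SessionCookieName = "ASP.NET_SessionId"; // default cookie name

    // The one-liner from the thread, written out. Response.Cookies[name] does not
    // just look a cookie up: when no cookie of that name has been queued on this
    // response it creates an empty one and appends it. ASP.NET queues the session
    // cookie only on responses where it issued a session ID, so on every other
    // request this sends "ASP.NET_SessionId=" (empty, Secure) to the browser,
    // overwriting the real cookie it already holds.
    static void MarkSessionCookieSecureNaive(HttpResponse response)
    {
        response.Cookies[SessionCookieName].Secure = true;
    }

    // Only touch a cookie the response is genuinely about to send: inspect the
    // queued names first instead of indexing by name. Returns true if it changed
    // anything, so the caller can tell which responses carried the cookie.
    static bool MarkSecureIfQueued(HttpResponse response, string cookieName)
    {
        foreach (string key in response.Cookies.AllKeys)
        {
            if (key == cookieName)
            {
                response.Cookies[key].Secure = true;   // safe: the cookie is queued
                return true;
            }
        }
        return false;
    }

    // EndRequest runs after the session state module has queued its cookie and
    // before the headers are normally written, which is why the flag is set here.
    // If a page calls Response.Flush() earlier, the headers (and the cookie) have
    // already gone out and this change has no effect on that response.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null) return;

        // A Secure cookie is only returned by the browser over HTTPS. Set the flag
        // only when the cookie is being issued over HTTPS; otherwise the browser
        // holds a cookie it will never send to this site's plain-HTTP pages, and
        // ASP.NET starts a fresh session on each of those.
        if (!ctx.Request.IsSecureConnection) return;

        MarkSecureIfQueued(ctx.Response, SessionCookieName);
    }
}
```

Two caveats a practitioner should check before adopting this. First, a Secure session cookie only works if every page that needs the session is served over HTTPS; any plain-HTTP page will not receive the cookie and will be handed a new session ID. Second, the same EndRequest pattern can be used to add other cookie attributes, but the Secure flag is the only one the thread is about. In ASP.NET 2.0 and later (not yet available when this thread was written) the flag can also be set declaratively for all cookies with `<httpCookies requireSSL="true" />` in web.config, which avoids the indexer pitfall entirely.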

Copyright 2009, SecurityFocus