开发者

Prevent transfer of Session

开发者 https://www.devze.com 2023-01-30 01:50 出处：网络

HI, Does somebody now a good way to make se开发者_JS百科ssion not transferable, so an user can\'t move/copy the session token ID from one machine to another?

相关专题：asp.net security

HI,

Does somebody now a good way to make se开发者_JS百科ssion not transferable, so an user can't move/copy the session token ID from one machine to another?

Thank you!

Why not encrypt a string of the incoming IP address and place in the session. Then when working with the session object you can verify it by decrypting the ip from the session and checking that it is valid against the request IP.

Just an idea. Let me know if you need code.

Set the cookieless attribute of your sessionState node in your web.config file to false, so that you use cookies to store the session keys instead of the URL. Here are a couple of (older) articles on the subject:

Top 10 Application Security Vulnerabilities in Web.config Files
MSDN: Understand How the ASP.NET Cookieless Feature Works

Cookies are also not totally "safe". If you are looking to google the topic, it is called session hijacking.