
Monday, September 24, 2012

classic asp session timeout

The classic ASP Session object has a Timeout property.


Session.Timeout: Returns the timeout period for a user session. The session timeout period is specified in minutes. If a user does not refresh or request a page within the timeout period, the session ends. The default value of the Timeout property in IIS is 30 minutes.

Syntax for session timeout:

<%
session.Timeout = 30
%>

Sunday, September 2, 2012

change session id after login asp

How to change the session ID after login in ASP


Risk of not changing the session ID after login in ASP

On accessing the application, the user receives a session ID that remains constant until the browser instance is closed. An adversary can hijack the session and gain unauthorized access to sensitive information.

Steps to change the session ID after login in ASP

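<%
' Find the name of the classic ASP session cookie (ASPSESSIONID + suffix)
' in the request's Cookie header, wherever it appears in the list.
dim ckie, ckie1, ckie2, i, finalckie
ckie = Request.ServerVariables("HTTP_COOKIE")
finalckie = ""
if Len(ckie) > 0 then
    ckie1 = Split(ckie, ";")
    for i = 0 to UBound(ckie1)
        ' Trim removes the space that follows each ";" in the header
        ckie2 = Split(Trim(ckie1(i)), "=")
        if UBound(ckie2) >= 0 then
            if UCase(Left(ckie2(0), 12)) = "ASPSESSIONID" then
                finalckie = ckie2(0)
                exit for
            end if
        end if
    next
end if
%>
<% if finalckie <> "" then %>
<META HTTP-EQUIV="Set-Cookie" Content="<%=finalckie%>=NULL; path=/">
<% end if %>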


Place the above code at the top of the page shown after the user logs in to the application (e.g. the Welcome page).
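
A check for the step above, as an added example that is not part of the original post: since the change depends on the browser honouring the cookie reset, compare the Cookie header sent before login with the one sent after login and confirm the ASP session ID really changed. The function names and the sample cookie values are constructed for illustration.

```python
# Added example (not from the original post): verify that the classic ASP
# session id changes across login. Cookie values below are constructed.

PREFIX = "ASPSESSIONID"  # classic ASP names its session cookie ASPSESSIONID<suffix>
PLACEHOLDERS = {"", "NULL"}  # the reset value used on this page is not a real id


def asp_session_ids(cookie_header):
    """Return {name: value} for each ASP session cookie in a Cookie header."""
    ids = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.upper().startswith(PREFIX) and value not in PLACEHOLDERS:
            ids[name] = value
    return ids


def session_rotated(before_login, after_login):
    """True only if no pre-login session id is still sent after login."""
    old = asp_session_ids(before_login)
    new = asp_session_ids(after_login)
    if not old or not new:
        raise ValueError("no ASP session cookie found in one of the headers")
    return set(old.values()).isdisjoint(new.values())


# Constructed Cookie headers as captured by a proxy or the browser dev tools.
BEFORE = "lang=en; ASPSESSIONIDQACBDRST=AAAAKLMNOPQRSTUVWXYZABCD"
AFTER_ROTATED = "lang=en; ASPSESSIONIDQACBDRST=BBBBKLMNOPQRSTUVWXYZABCD"
AFTER_SAME = "ASPSESSIONIDQACBDRST=AAAAKLMNOPQRSTUVWXYZABCD; lang=en"

if __name__ == "__main__":
    for label, after in (("rotated", AFTER_ROTATED), ("unchanged", AFTER_SAME)):
        ok = session_rotated(BEFORE, after)
        print(label, "->", "OK: new id after login" if ok else "FAIL: id reused")
```
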