Wednesday, December 29, 2010

How to secure Classic ASP Session ID with Pure ASP

This is the second part of my first blog "How to secure Classic ASP Session ID (ASPSESSIONID) with JAVASCRIPT".

In this blog, I'll demonstrate how to achieve the same goal with Classic ASP alone, without the help of client-side JavaScript.

Step 1: Login page (login.asp).
<html>
<head>
<script type="text/javascript">
        alert(document.cookie);
</script>
</head>
<body>
<%
    Dim cookies
    cookies = Request.ServerVariables("HTTP_COOKIE")
%>
Server Cookies:<%= cookies %>;
<!-- post the credentials so they do not end up in the URL and server logs -->
<form name="login" method="post" action="session2.asp">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="hidden" name="sessionid" value="" />
<input type="submit" value="Login" />
</form>
</body>
</html>
This is the login page; you will see the ASPSESSIONID both in the JavaScript alert and in the HTML page. Submitting the form sends the user to another page for authentication.

Step 2: Authentication page (session2.asp).

<%
    'CODE for authorization/authentication
    '...
    'get ASPSESSIONID: the cookie name is "ASPSESSIONID" plus a per-application suffix
    Dim cookieHeader, aspsessionid
    cookieHeader = Request.ServerVariables("HTTP_COOKIE")
    if InStr(1, cookieHeader, "ASPSESSIONID") > 0 then
        'cookie name only: the text after "ASPSESSIONID" up to the "="
        aspsessionid = "ASPSESSIONID" & Split(Split(cookieHeader,"ASPSESSIONID")(1),"=")(0)
        'if login successful
        'overwrite the current session id with an invalid value so IIS generates a new one
        'path=/ matches the path IIS set on the original cookie, so the browser replaces it
        'note: this does not destroy the old server-side session; call Session.Abandon
        'if its data must be discarded rather than left to time out
        Response.AddHeader "Set-Cookie", aspsessionid & "=0; path=/"
    end if
    'redirect to another page to get new session id
    Response.Redirect "session3.asp"
%>

If login is successful, the current session id is read and an invalid value is assigned to it. That forces the web server to generate a new session id. The browser is then redirected to a new page to pick up the new session id.

Step 3: Reading new session key (session3.asp)
<%
    'redirect to another page to get new session id
    Response.Redirect "Session4.asp"
%>
On this page, the session id value sent by the browser is "0", so the server generates a new session id in its response. The browser is redirected once more to the next page, which receives the newly generated session id.

Step 4: Privileged page (session4.asp).
<%
    'get the ASPSESSION cookie (name and value) from the request
    Dim AspSessionCookie
    AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")
    if InStr(1, AspSessionCookie, "ASPSESSIONID") > 0 then
        AspSessionCookie = "ASPSESSIONID" & Split(AspSessionCookie,"ASPSESSIONID")(1)
        'keep only "ASPSESSIONIDxxxx=value"; drop any cookies that follow it
        if InStr(1,AspSessionCookie,";") > 0 then
            AspSessionCookie = Split(AspSessionCookie,";")(0)
        end if
        're-issue the same cookie with the secure and httponly flags
        'path=/ matches the path IIS used, so the browser replaces the cookie
        'instead of storing a second copy; "secure" means the browser only sends
        'the cookie over HTTPS, so this page must itself be served over HTTPS
        Response.AddHeader "Set-Cookie", AspSessionCookie & "; path=/; secure; httponly"
    end if
%>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
    <script type="text/javascript">        
        alert(document.cookie);
    </script>
</head>
<body onload="">
<%= AspSessionCookie %>
    ASP Session ID has been secured. :)
    <a href="session5.asp">visit</a>
</body>
</html>
On this page, both the session cookie name and its value are read, the "httponly" and "secure" flags are appended, and the result is sent back in the response header.
Now ASPSESSIONID can no longer be read by client-side JavaScript or sent over an insecure connection.
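As an added check that is not part of the original post, the Python helper below parses the ASPSESSIONIDxxxx cookie out of a Cookie header, builds the hardened Set-Cookie, and audits captured headers from a login flow for session-id rotation and the Secure/HttpOnly flags. The sample headers are constructed: the cookie suffix and values are invented and only mirror the four-page flow above.

```python
import re
from http.cookies import SimpleCookie

# IIS names the session cookie "ASPSESSIONID" plus a per-application suffix.
ASP_SESSION_NAME = re.compile(r"^ASPSESSIONID[A-Z]+$", re.IGNORECASE)

def parse_asp_session(cookie_header):
    """(name, value) of the ASPSESSIONIDxxxx cookie in a Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and ASP_SESSION_NAME.match(name):
            return name, value
    return None

def harden_set_cookie(name, value):
    """Set-Cookie that re-issues the session cookie with Secure and HttpOnly.
    Path=/ matches the path IIS used, so the browser replaces the original."""
    return "%s=%s; Path=/; Secure; HttpOnly" % (name, value)

def audit_login_flow(pre_login_cookie, post_login_set_cookies):
    """Audit captured headers: the Cookie header sent to login.asp and the
    Set-Cookie headers received during the post-login redirects. Returns a
    list of findings; an empty list means the id was rotated and flagged."""
    findings = []
    before = parse_asp_session(pre_login_cookie)
    final = None  # last real (non-"0") session cookie the server issued
    for header in post_login_set_cookies:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if ASP_SESSION_NAME.match(name) and morsel.value != "0":
                final = (name, morsel)
    if final is None:
        return ["no new session cookie issued after login"]
    name, morsel = final
    if before == (name, morsel.value):
        findings.append("session ID not rotated after login (session fixation risk)")
    if not morsel["secure"]:
        findings.append("session cookie missing Secure flag")
    if not morsel["httponly"]:
        findings.append("session cookie missing HttpOnly flag")
    return findings

# Constructed headers mirroring the four-page flow (suffix and values invented).
PRE_LOGIN_COOKIE = "ASPSESSIONIDQQABCDEF=OLDVALUE1234; theme=dark"
POST_LOGIN_SET_COOKIES = [
    "ASPSESSIONIDQQABCDEF=0; path=/",                            # session2.asp
    "ASPSESSIONIDQQABCDEF=NEWVALUE5678; path=/",                 # session3.asp
    harden_set_cookie("ASPSESSIONIDQQABCDEF", "NEWVALUE5678"),   # session4.asp
]
```

Running `audit_login_flow(PRE_LOGIN_COOKIE, POST_LOGIN_SET_COOKIES)` against the constructed flow returns no findings; feed it the headers captured from a real login with a browser's developer tools to check a deployment.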

We are done!

:)
