EzDevInfo.com

session interview questions

Top session frequently asked interview questions

What is the best way to prevent session hijacking?

Specifically this is regarding when using a client session cookie to identify a session on the server.

Is the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be able to sniff an existing client session cookie?

And perhaps second best to use some sort of encryption on the session value itself that is stored in your session cookie?

If a malicious user has physical access to a machine, they can still look at the filesystem to retrieve a valid session cookie and use that to hijack a session?


Source: (StackOverflow)

Difference between session affinity and sticky session?

What is the difference between session affinity and sticky session in context of load balancing servers?


Source: (StackOverflow)


How to empty/destroy a session in rails?

I can't seem to find it anywhere... How do I delete/destroy/reset/empty/clear a user's session in Rails? Not just one value but the whole thing..


Source: (StackOverflow)

Differences between cookies and sessions?

I am training in web development and am learning about JSP & Servlets. I have some knowledge of HttpSession - I have used it in some of my sample projects.

In browsers I have seen the option to "delete cookies". If I delete the cookies it deletes the HttpSession also.

Are cookies and session the same? What are the differences between them?


Source: (StackOverflow)

Session variables in ASP.NET MVC

I am writing a web application that will allow a user to browse to multiple web pages within the website making certain requests. All information that the user inputs will be stored in an object that I created. The problem is that I need this object to be accessed from any part of the website and I don't really know the best way to accomplish this. I know that one solution is to use session variables but I don't know how to use them in ASP.NET MVC. And where would I declare a session variable? Is there any other way?


Source: (StackOverflow)

PHP Pass variable to next page

It seems pretty simple but I can't find a good way to do it.

Say in the first page I create a variable

$myVariable = "Some text";

And the form's action for that page is "Page2.php". So in Page2.php, how can I have access to that variable? I know I can do it with sessions but I think it's too much for a simple string, and I do only need to pass a simple string (a file name).

How can I achieve this?


Source: (StackOverflow)

In ASP.NET, when should I use Session.Clear() rather than Session.Abandon()?

Both Session.Clear() and Session.Abandon() get rid of session variables. As I understand it, Abandon() ends the current session, and causes a new session to be created thus causing the End and Start events to fire.

It seems preferable to call Abandon() in most cases, such as logging a user out. Are there scenarios where I'd use Clear() instead? Is there much of a performance difference?


Source: (StackOverflow)

ASP.NET: Session.SessionID changes between requests

Why does the property SessionID on the Session-object in an ASP.NET-page change between requests?

I have a page like this:

...
<div>
    SessionID: <%= SessionID %>
</div>
...

And the output keeps changing every time I hit F5, independent of browser.

I've seen this work correctly in other projects.


Source: (StackOverflow)

socket.io and session?

I'm using express framework. I want to reach session data from socket.io. I tried express dynamicHelpers with client.listener.server.dynamicViewHelpers data, but I can't get session data. Is there a simple way to do this? Please see the code:

app.listen(3000);

var io = require('socket.io');
var io = io.listen(app);

io.on('connection', function(client){
    // I want to use session data here
    client.on('message', function(message){
        // or here
    });
    client.on('disconnect', function(){
        // or here
    }); 
});

Source: (StackOverflow)

What is default session timeout in ASP.NET?

What is the default session timeout value in ASP.NET?


Source: (StackOverflow)

Firefox session cookies

Generally speaking, when given a cookie that has no expiration period, modern browsers will consider this cookie to be a 'session cookie' and will remove the cookie at the end of the browsing session (generally when the browser instance closes).

IE, Opera, Safari and Chrome all support this behavior.

However, Firefox (3.0.9, latest proper release) appears not to follow this rule; from what I can tell it doesn't expire the cookies when the browser is closed, or when the user logs off or restarts the OS.

So, why does Firefox refer to these as session cookies, when they last apparently indefinitely?

Does anyone know how Firefox handles session cookie expiration?


Source: (StackOverflow)

Session timeout in ASP.NET

I am running an ASP.NET 2.0 application in IIS 6.0. I want session timeout to be 60 minutes rather than the default 20 minutes. I have done the following

  1. set in web.config
  2. Set session timeout to 60 minutes in IIS manager/Web site properties/ASP.NET configuration settings
  3. Set idle timeout to 60 minutes in application pool properties/performance.

I am still getting a session timeout at 20 minutes. Is there anything else I need to do?


Source: (StackOverflow)

PHP Session Fixation / Hijacking

I'm trying to understand more about PHP Session Fixation & hijacking and how to prevent these problems. I've been reading the following two articles on Chris Shiflett's website:

However, I'm not sure I'm understanding things correctly.

To help prevent session fixation is it enough to call session_regenerate_id(true); after successfully logging someone in? I think I understand that correctly.

He also talks about using tokens passed along in URLs via $_GET to prevent session hijacking. How would this be done exactly? I'm guessing when someone logs in you generate their token & store it in a session variable, then on each page you'd compare that session variable with the value of the $_GET variable?

Would this token need to be changed only once per session or on each page load?

Also, is there a good way of preventing hijacking without having to pass a value along in the URLs? This would be a lot easier.


Source: (StackOverflow)

Do AJAX requests retain PHP Session info?

If I had a user logged onto my site, having his id stored in $_SESSION, and from his browser he clicked a 'Save' button which would make an AJAX request to the server. Will his $_SESSION and cookies be retained in this request, and can I safely rely on the id being present in the $_SESSION?


Source: (StackOverflow)

What is the proper way to re-attach detached objects in Hibernate?

I have a situation in which I need to re-attach detached objects to a hibernate session, although an object of the same identity MAY already exist in the session, which will cause errors.

Right now, I can do one of two things.

  1. getHibernateTemplate().update( obj ) This works if and only if an object doesn't already exist in the hibernate session. Exceptions are thrown stating an object with the given identifier already exists in the session when I need it later.

  2. getHibernateTemplate().merge( obj ) This works if and only if an object exists in the hibernate session. Exceptions are thrown when I need the object to be in a session later if I use this.

Given these two scenarios, how can I generically attach sessions to objects? I don't want to use exceptions to control the flow of this problem's solution, as there must be a more elegant solution...


Source: (StackOverflow)