Classic ASP: ASPSessionID Reused

I know how to handle this in ASP.NET, but is there a way to get the classic ASP session id to clear? This is a randomly generated identifier, such as ASPSESSIONIDG32423E, which does not seem to be available in the RESPONSE.COOKIES collection, so I cannot clear it. We have a classic ASP site that is still hanging around, and recently an audit found that, after the user logs out, the same session ID is used again.

LEARN MORE:

First visit to the page, I see this in the proxy editor in Response:

Set-Cookie: ASPSESSIONID=PUYQGHUMEAAJPUYL; path=/webapp

After logging out, I call Session.RemoveAll and Session.Abandon, and then redirect the user to the login page. At this point, I should see a new Set-Cookie with a different value for SessionID. Instead, I do not receive a new cookie, and the new login session reuses the original session cookie. This is an audit that we must solve in some way, but there seems to be no way to control this.

+3
3 answers

, . : Start.asp Start2.asp. post, ​​ Start2.asp, , login.asp post, Start.asp. Start.asp ASPSessionID, 0. Response.AddHeader "Set-Cookie", , Response.Cookies( "ASPSESSIONID..." ) , :

Start.ASP

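<%
' Overwrite every ASPSESSIONID* cookie the browser sent with the value 0.
If InStr(Request.ServerVariables("HTTP_COOKIE"), "ASPSESSIONID") > 0 Then

    Dim AllCookies

    AllCookies = Split(Request.ServerVariables("HTTP_COOKIE"), ";")
    ' Start at index 0 so a session cookie that comes first in the header is not skipped.
    For i = 0 To UBound(AllCookies)

        If InStr(AllCookies(i), "ASPSESSIONID") > 0 Then
            ' The cookie name is everything before "="; Trim drops the space left by the "; " separator.
            Response.AddHeader "Set-Cookie", Trim(Left(AllCookies(i), InStr(AllCookies(i), "=") - 1)) & "=0; path=/;secure;httponly"
        End If

    Next
End If

Response.Redirect("start2.asp")
%>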

Start2.asp, cookie ASPSEssionID Secure; httponly ( , ASP ​​ , SSL -. SSL- -).

Start2.asp

<%
    'CODE for authorization/authentication
    '...

Session.Contents.RemoveAll
Session.Abandon
If InStr(Request.ServerVariables("HTTP_COOKIE"), "ASPSESSIONID") > 0 Then
    Dim AllCookies

    AllCookies = Split(Request.ServerVariables("HTTP_COOKIE"), ";")

    ' Start at index 0 so a session cookie that comes first in the header is not skipped.
    For i = 0 To UBound(AllCookies)

        ' Re-send each ASPSESSIONID* cookie with the secure and httponly attributes,
        ' but only when the host name starts with "65".
        If Left(Request.ServerVariables("HTTP_HOST"), 2) = "65" And InStr(AllCookies(i), "ASPSESSIONID") > 0 Then
            Response.AddHeader "Set-Cookie", Trim(AllCookies(i)) & "; path=/;secure;httponly"
        End If

    Next

End If

%>

<html>
<body>
<form action="login.asp" method="post">
<input type="hidden" name="start2" id="start2" value="Yes" />

</form>

<script type="text/javascript">
     document.forms[0].submit();
</script>
</body>
</html>

, , ASPSessionID , Start2.asp Set-Cookie httponly login.asp. , login.asp :

If request.form("Start2") = "" Then
    Response.Redirect("start.asp")
End if
+3
+1
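A way to check a captured header sequence for the behaviour described in the question (the same ASPSESSIONID value still in use after logout and the next login) and for session cookies set without the secure/httponly attributes that the first answer adds. This is an added example, not code from any of the posts; the capture format, the `audit` function and both sample captures (including the second session id) are assumptions constructed for illustration.

```python
import re
# Matches ASP's session cookie, e.g. ASPSESSIONIDG32423E=<id>
SESSION_RE = re.compile(r"(ASPSESSIONID\w*)\s*=\s*([^;\s]+)", re.I)

def audit(capture):
    """capture: (kind, header_line) tuples in wire order, kind "req" or "resp".
    ("mark", "logout") / ("mark", "login") mark the logout and the next login."""
    findings, old_ids, phase = [], set(), "before"
    for kind, line in capture:
        if kind == "mark":
            phase = line
            continue
        header, _, value = line.partition(":")
        header = header.strip().lower()
        if kind == "req" and header == "cookie":
            for name, sid in SESSION_RE.findall(value):
                if phase == "before":
                    old_ids.add(sid)          # ids in use before logout
                elif phase == "login" and sid in old_ids:
                    findings.append(f"{name}={sid} reused after logout")
        elif kind == "resp" and header == "set-cookie":
            pair, *attrs = value.split(";")   # name=value, then attributes
            m = SESSION_RE.search(pair)
            missing = {"secure", "httponly"} - {a.strip().lower() for a in attrs}
            if m and phase == "before":
                old_ids.add(m.group(2))
            if m and missing:
                findings.append(f"{m.group(1)} set without {'/'.join(sorted(missing))}")
    return findings

# Constructed captures (not real traffic). REUSED mirrors the question:
# the id issued on the first visit is still sent after logout and re-login.
REUSED = [
    ("resp", "Set-Cookie: ASPSESSIONIDG32423E=PUYQGHUMEAAJPUYL; path=/webapp"),
    ("req", "Cookie: ASPSESSIONIDG32423E=PUYQGHUMEAAJPUYL"),
    ("mark", "logout"),
    ("mark", "login"),
    ("req", "Cookie: ASPSESSIONIDG32423E=PUYQGHUMEAAJPUYL"),
]
# ROTATED: the old cookie is overwritten with 0 and a new (made-up) id is issued.
ROTATED = [
    ("req", "Cookie: ASPSESSIONIDG32423E=PUYQGHUMEAAJPUYL"),
    ("mark", "logout"),
    ("resp", "Set-Cookie: ASPSESSIONIDG32423E=0; path=/;secure;httponly"),
    ("resp", "Set-Cookie: ASPSESSIONIDG32423E=KDLSMNOPQRSTUVWX; path=/;secure;httponly"),
    ("mark", "login"),
    ("req", "Cookie: other=1; ASPSESSIONIDG32423E=KDLSMNOPQRSTUVWX"),
]
```

`audit(REUSED)` reports both the missing attributes and the reused id; `audit(ROTATED)` returns an empty list.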

ASP.NET, , ASP

, cookie . , , , .

http://support.microsoft.com/?kbid=899918

, , cookie ( ​​ ).

You can try calling Session.Abandon and then redirecting the user to a page that uses JavaScript to clear all cookies, then redirecting to a login page or any other page.

Removing All Cookies Using JavaScript

0