Retrieving Process IDs from ASP

  1. #1
    Scott S Guest

    Retrieving Process IDs from ASP

    Hello

    I'm looking for a method of obtaining the process ID from the client. For example, say a user comes to my website, I create a SESSIONID and place it inside a cookie; that way I can identify that user as he browses through my website. But if someone figures out his SESSIONID, it is possible that his session could be hijacked (there would be a small window of opportunity, but the possibility remains). If I had a method of uniquely identifying the instance of the browser, I could compare both the SessionID and the process or instance ID, thus making it effectively impossible to hijack. Perhaps there is another type of ID or information that would accomplish the same goal? Any ideas?

    BTW, I'm not talking about the Session object; I'm referring to a custom-written session object that uses GUIDs to identify sessions and then stores the information in database tables.

    Scott S

  2. #2
    Join Date
    Dec 1969

    RE: Retrieving Process IDs from ASP

    But ASP is a multithreaded engine. Getting the process ID of the engine does no good in your scenario: The user who spoofs you with a duplicate cookie could well end up running with the same process ID!

    And if you mean the client process ID: Only way to get that would be to install an ActiveX control on the client. Try to get *me* to let you do that! Ha!

    Why don't you be happy with the user's IP address? Yes, it's not perfect either. But it means he'd have to share the cookie with somebody using the same IP address (e.g., behind the same corporate firewall...though of course with AOL...).

    Anyway, you are only going to "believe" the IP until the session times out, no? The next time the user comes in he/she could be on another IP and so you have to adjust the cookie value anyway...or use a new cookie or...

    I guess I don't see the need for all this. A user sharing his/her cookie is just as likely as a user sharing his/her username and password. If they do it, they are responsible for any monetary consequences, not you.

    What am I missing?

  3. #3
    Scott S Guest

    RE: Retrieving Process IDs from ASP

    Yes, for most situations the IP address will be just fine. The only time that it becomes a serious issue in terms of functionality (there are security drawbacks also) is when the user is behind a "Mega Proxy" like AOL users; apparently those users may not have the same IP address within the session. I realize and fully understand that putting an ActiveX object on the client is wholly inappropriate (and impossible).

    I figured if I could somehow identify each instance of the browser, then no matter what proxy server craziness was going on, I could safely identify each client. I'm basically looking for a fairly bulletproof method of identifying each client without having to use cookies or IP addresses. Mostly to get around the "mega proxies" that AOL and similar services use.

    Once I can identify browser instances and check these with the session information, it gets very difficult and almost impossible to hijack any session information.

    Any ideas?

    Scott S

  4. #4
    Bart Mortelmans Guest

    RE: Retrieving Process IDs from ASP

    I'm not sure, but wouldn't just putting your site on https do the thing? If the session ID is sent out securely and it's "hard to guess", isn't that safe enough?

    Let's say you use a secure connection, have your own session-thingy going on and use a session ID and session password. The session ID is easy to guess but the password is just a random number from 0 to just how secure you want it. You make sure this session password is always posted to the next (secure) page...

    Let me know if you think this is secure!
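
The scheme raised in the last post (a session identifier plus a random secret, sent only over HTTPS), sketched in Python as an added example that is not part of the thread. The in-memory dictionary stands in for the database tables mentioned in the first post; the class name, cookie name and 20-minute timeout are assumptions, and the client IP is deliberately not checked because, as the thread notes, it can change behind large proxies.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 20 * 60  # assumed idle timeout, in seconds


class SessionStore:
    """In-memory stand-in for the session table (hypothetical helper)."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._rows = {}  # session_id -> [sha256(secret), expires_at, data]
        self._ttl = ttl
        self._clock = clock

    def create(self, data=None):
        session_id = secrets.token_hex(16)   # lookup key, plays the GUID's role
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        # Store only a hash, so a leaked table does not yield usable secrets.
        digest = hashlib.sha256(secret.encode()).digest()
        self._rows[session_id] = [digest, self._clock() + self._ttl, data or {}]
        return session_id, secret

    def validate(self, session_id, secret):
        row = self._rows.get(session_id)
        if row is None:
            return None
        digest, expires_at, data = row
        if self._clock() >= expires_at:
            del self._rows[session_id]       # expired: drop the row
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(presented, digest):
            return None
        row[1] = self._clock() + self._ttl   # sliding expiry on each valid hit
        return data


def cookie_header(session_id, secret):
    # Secure keeps the cookie off plain HTTP; HttpOnly hides it from script.
    return (f"Set-Cookie: sid={session_id}.{secret}; "
            "Secure; HttpOnly; SameSite=Lax; Path=/")
```
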
