IIS6 - Can session id be manipulated?

Hi,

I have gotten a question about how IIS6 handles the session id (cookie).
I've got a very persistent customer who claims, that you can just hijack
another session by changing the session id in your own session cookie.
I'm no security expert, but I find that very hard to believe. All though I
haven't been able to find documentation about how the IIS handles the
session id in a secure way, so it can't be manipulated.

Does anyone have some links to MS descriptions or something like that, so I
can show the customer you can just hijack another persons session?

Thanks,
John

Re: IIS6 - Can session id be manipulated?

Kim wrote on Tue, 29 Jan 2008 12:59:41 +0100:

> Hi,

> I have gotten a question about how IIS6 handles the session id
> (cookie).
> I've got a very persistent customer who claims, that you can just
> hijack another session by changing the session id in your own session
> cookie.
> I'm no security expert, but I find that very hard to believe. All
> though I haven't been able to find documentation about how the IIS
> handles the session id in a secure way, so it can't be manipulated.

> Does anyone have some links to MS descriptions or something like that,
> so I can show the customer you can just hijack another persons
> session?

> Thanks,
> John

I'm pretty sure that your customer is right - otherwise you'd get all sorts
of issues with customers on dynamically changing IP addresses or proxies
hiding other possibly identifiable information to tie the cookie to. Of
course, the hijacker would have to actually guess or determine the session
cookie that they want to hijack, and if they manage to intercept the cookie
then hijacking a session could be the least of your, or your customers,
problems as they'd likely also be able to just dump all the packets and view
what is being passed back and forth anyway.

I don't use the ASP sessions except for the odd occassion where it makes it
easy to handle some non-critical temporary data (like generated captcha
values for subsequent comparison in forms), all the sites I run use a custom
session handling system that combines a variety of factors to determine
possible hijacking of the cookies used.

--
Dan

Re: IIS6 - Can session id be manipulated?

Kim wrote on Tue, 29 Jan 2008 12:59:41 +0100:

> Hi,

> I have gotten a question about how IIS6 handles the session id
> (cookie).
> I've got a very persistent customer who claims, that you can just
> hijack another session by changing the session id in your own session
> cookie.
> I'm no security expert, but I find that very hard to believe. All
> though I haven't been able to find documentation about how the IIS
> handles the session id in a secure way, so it can't be manipulated.

> Does anyone have some links to MS descriptions or something like that,
> so I can show the customer you can just hijack another persons
> session?

> Thanks,
> John


For a bit more info, try this: http://www.microsoft.com/technet/security/Bulletin/MS00-080. mspx

it describes a patch for IIS4 and IIS5 to ensure that the session id cookie
used on secure (SSL) pages wasn't also used when viewing non-secure pages.
This helps to reduce the possibilty of a hijack if you allow customers to
view both secure and non-secure pages on your site. It still doesn't solve
the problem, as it requires that two different session IDs are used for
secure and non-secure pages, so the non-secure one could still be hijacked.

If you're really worried about session hijacking, run everything over SSL -
while it won't completely prevent it, it reduces the risk because in order
to get the session cookie the hijacker would have to intercept the data when
it's unencrypted (either at the customer's browser, or the server) and if
that happens then you've got a lot more to worry about that session cookies.

--
Dan

Re: IIS6 - Can session id be manipulated?

Hi,

Thank you for the answer.
I don't think it's so much a case of whether you can grab another persons
session cookie from a non-secure line or not.
It's more like this:
I sit on computer A connected to server X
You sit on computer B connected to server X

If I can guess your session id and put that number in my own session cookie,
can I then get access to your session data?

Regards,
John


"Daniel Crichton" wrote in message
news:OUuKyhoYIHA.6068@TK2MSFTNGP05.phx.gbl...
>
>> Hi,
>
>> I have gotten a question about how IIS6 handles the session id
>> (cookie).
>> I've got a very persistent customer who claims, that you can just
>> hijack another session by changing the session id in your own session
>> cookie.
>> I'm no security expert, but I find that very hard to believe. All
>> though I haven't been able to find documentation about how the IIS
>> handles the session id in a secure way, so it can't be manipulated.
>
>> Does anyone have some links to MS descriptions or something like that,
>> so I can show the customer you can just hijack another persons
>> session?
>
>> Thanks,
>> John
>
>
> For a bit more info, try this:
> http://www.microsoft.com/technet/security/Bulletin/MS00-080. mspx
>
> it describes a patch for IIS4 and IIS5 to ensure that the session id
> cookie used on secure (SSL) pages wasn't also used when viewing non-secure
> pages. This helps to reduce the possibilty of a hijack if you allow
> customers to view both secure and non-secure pages on your site. It still
> doesn't solve the problem, as it requires that two different session IDs
> are used for secure and non-secure pages, so the non-secure one could
> still be hijacked.
>
> If you're really worried about session hijacking, run everything over
> SSL - while it won't completely prevent it, it reduces the risk because in
> order to get the session cookie the hijacker would have to intercept the
> data when it's unencrypted (either at the customer's browser, or the
> server) and if that happens then you've got a lot more to worry about that
> session cookies.
>
> --
> Dan
>

Re: IIS6 - Can session id be manipulated?

John wrote on Thu, 31 Jan 2008 13:28:45 +0100:

> Hi,

> Thank you for the answer.
> I don't think it's so much a case of whether you can grab another
> persons session cookie from a non-secure line or not.
> It's more like this:
> I sit on computer A connected to server X
> You sit on computer B connected to server X

> If I can guess your session id and put that number in my own session
> cookie, can I then get access to your session data?

> Regards, John

Yes, that's right. I did say in my other reply that the hijacker would have
to guess it or determine it.

Getting access to a session isn't always a critical issue though - for
instance, on my own sites ASP sessions are only used for holding a captcha
string for a short time, no personal information is held in an ASP session
object and without a page on the sites that spits out what values the
session object contains even being able to hijack a session on my sites is a
waste of time.

--
Dan