We have used cookieless sessions and what you say is true, but we used SSL
to encrypt traffic, which as you know requires a connection to the same
client/server (ie. if connection broken, then the SSL session is invalid) so
this IP verification approach could still work but it assumes SSL, which of
course is really outside of ASP.NET's domain.
Further to this you could use client certs to verify integrity which
strictly doesn't stop people from hijacking a session (simply minimises it),
but there are just so many ways to approach this, each with positives and
negatives, that if the ASP.NET team adopted one approach, it would
implicitly be advocating this one approach which may very well be flawed
under a number of different situations.
My 2 cents.
--
- Paul Glavich
"Keith" <keith@keithadler.com> wrote in message
news:77b601c3e87d$1c5144f0$a101280a@phx.gbl...
> I have found what I believe to be a serious security
> issue in ASP.Net. If you have:
>
> 1. Your website configured for anonymous access
> 2. Elect under web.config to set the sessionstate
> attribute of cookieless to true
>
> Anyone from any IP address or across another browser can
> copy the URL and work within the session. My question
> is "Why doesn't ASP.Net provide an option around ensuring
> all requests for a user session originate from the same
> IP address and/or same useragent?" I know that some
> people sit behind firewalls, proxies and layer 4 devices
> that could load balance and affect HTTP traffic, but it
> honestly escapes me why I can access my web application
> on any machine inside or outside of my network with just
> the sessionid in the URL from even different browsers.
> There must be a way to control this in the
> configuration. Am I alone in finding this troubling?
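The "same IP and/or same user agent" check Keith asks for can be done in application code rather than waiting for a framework option. The following Global.asax code-behind is an added illustration, not code from either poster: it hashes the User-Agent (and, optionally, the client IP) into the session when it starts and abandons the session if a later request does not match. The session key name and the redirect page are assumptions; the IP comparison is off by default because, as both posts note, proxies and load balancers can legitimately change it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Hypothetical session key holding the binding hash.
    private const string BindingKey = "__SessionBinding";

    // Set to true only if every client reaches the server with a stable
    // address (no proxies or layer 4 load balancers in front of it).
    private const bool BindToClientIp = false;

    // Hash of the request attributes the session is bound to; the raw
    // User-Agent string is not stored in session state.
    private static string ComputeBinding(HttpRequest request)
    {
        string raw = (request.UserAgent ?? string.Empty) + "|" +
                     (BindToClientIp ? request.UserHostAddress : string.Empty);
        using (SHA256 sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(raw)));
        }
    }

    // Runs once per new session: record who the session was issued to.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session[BindingKey] = ComputeBinding(Request);
    }

    // Runs after session state has been loaded for every request.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpSessionState session = HttpContext.Current.Session;
        if (session == null || session.IsNewSession)
            return;

        string expected = session[BindingKey] as string;
        if (expected == null || expected != ComputeBinding(Request))
        {
            // The session id in the URL is being replayed from a different
            // client than the one it was issued to: drop the session.
            session.Abandon();
            Response.Redirect("~/SessionInvalid.aspx"); // hypothetical page
        }
    }
}
```

This raises the bar for replaying a copied URL but is not a complete fix: two clients with an identical User-Agent behind the same proxy still look the same, so it complements SSL rather than replacing it.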