State Management in Classic ASP
I have been using classic ASP for quite some time. Even now, I use it for a corporate intraweb in order to meet the diverse information needs of each employee. Classic ASP helped me succeed with intraweb systems, but it is too old for this generation and might be susceptible to hijacking. The following is what I found in a book (ASP.NET Bible) on how classic ASP leads to security threats.
In classic ASP, when a client requests ASP scripts from a Web server, a session is established between the client and the server. During this session establishment, the Web server generates a Session ID cookie and sends it to the client in an HTTP header (classic ASP names it ASPSESSIONID followed by a per-application suffix). In subsequent requests the client presents that cookie, and the server uses it to look up the session data, so the Session ID cookie is a shared key between the client and the Web server. This state management model works well for clients that accept HTTP cookies.

However, the model has a weakness: the Session ID cookie is the only way a browser request is identified. Any other HTTP request carrying a matching cookie is assumed to have come from the same browser; the server performs no further check. Thus an attacker who obtains the cookie, for example by reading it off the wire when the site is served over plain HTTP rather than HTTPS, can use the user's active session without knowing the user's password. Because of these security threats, some clients disable cookies, which in turn disables session state on the server: each request from such a client starts a new, empty session. Thus ASP scripts do not work well for clients that do not accept HTTP cookies.
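To make the two failure modes concrete, here is a small constructed simulation of the cookie-keyed session model described above. It is an added example, not classic ASP's own implementation and not code from the book: the fixed cookie name, the random ID format, and the Client/SessionServer classes are illustrative assumptions. It shows that a second client replaying a copied Session ID cookie is handed the first client's session data, and that a client that refuses cookies gets a fresh empty session on every request.

```python
"""Constructed simulation (not classic ASP's own code) of a server whose only
notion of identity is the Session ID cookie, as described in the text above."""
import secrets
from http.cookies import SimpleCookie

# Classic ASP appends a per-application suffix to "ASPSESSIONID"; the fixed
# name used here is an illustrative assumption.
SESSION_COOKIE = "ASPSESSIONID"


class SessionServer:
    """Server-side session store keyed solely by the Session ID cookie."""

    def __init__(self):
        self._sessions = {}  # session id -> per-session dict

    def handle(self, request_headers, updates=None):
        """Process one request and return (session_id, session_data, response_headers).

        A request whose cookie matches a live session is treated as that
        session's owner with no further check. Otherwise a new session is
        created and a Set-Cookie header is issued.
        """
        cookie = SimpleCookie(request_headers.get("Cookie", ""))
        sid = cookie[SESSION_COOKIE].value if SESSION_COOKIE in cookie else None
        response_headers = {}
        if sid is None or sid not in self._sessions:
            # Unguessable id (an assumption; classic ASP's own scheme differs).
            sid = secrets.token_urlsafe(16)
            self._sessions[sid] = {}
            response_headers["Set-Cookie"] = f"{SESSION_COOKIE}={sid}; HttpOnly"
        data = self._sessions[sid]
        if updates:
            data.update(updates)
        return sid, data, response_headers


class Client:
    """Minimal browser stand-in that may or may not honour Set-Cookie."""

    def __init__(self, accepts_cookies=True):
        self.accepts_cookies = accepts_cookies
        self.cookie_header = None

    def request(self, server, updates=None):
        headers = {"Cookie": self.cookie_header} if self.cookie_header else {}
        sid, data, resp = server.handle(headers, updates)
        if self.accepts_cookies and "Set-Cookie" in resp:
            # Keep only name=value; attributes such as HttpOnly are not sent back.
            self.cookie_header = resp["Set-Cookie"].split(";", 1)[0]
        return sid, data


def hijack_demo():
    """Alice logs in; Mallory replays Alice's cookie and receives Alice's session."""
    server = SessionServer()
    alice = Client()
    alice_sid, _ = alice.request(server, {"user": "alice", "role": "admin"})
    # Mallory has obtained Alice's cookie (e.g. sniffed from an unencrypted
    # HTTP request) and presents it verbatim; the server cannot tell them apart.
    mallory = Client()
    mallory.cookie_header = alice.cookie_header
    mallory_sid, mallory_view = mallory.request(server)
    return alice_sid, mallory_sid, dict(mallory_view)


def no_cookie_demo():
    """A client that rejects cookies gets a new, empty session on every request."""
    server = SessionServer()
    strict = Client(accepts_cookies=False)
    sid1, _ = strict.request(server, {"user": "bob"})
    sid2, data2 = strict.request(server)
    return sid1 != sid2, dict(data2)


if __name__ == "__main__":
    print("hijack:", hijack_demo())
    print("no cookies:", no_cookie_demo())
```

The point of the simulation is the absence of any check beyond the cookie lookup in `handle`: nothing ties the session to the client that created it, so possession of the cookie is possession of the session. Serving the site over HTTPS keeps the cookie off the wire in cleartext, and the `HttpOnly` attribute keeps page scripts from reading it, but neither changes the fact that whoever presents the cookie is accepted as the user.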
For this reason, I might consider moving the system to .NET, but this might take me some months to develop as I would start from scratch. I have a little knowledge of .NET (specifically ASP.NET), but little by little I could make it succeed one day.
Signed off
Graz