- License:
- Free
- Editor's Rating:
- Not rated
- Average User Rating:
-
(out of 2 votes)
Rate it!
- Downloads:
- 18,324
- Requirements:
- Windows 2000, Internet Information server 5.0
- Limitations:
- No limitations
- Date Added:
- October 25, 2000
Publisher's description of Microsoft IIS5 "Session ID Cookie Marking" Vulnerability Patch
From Microsoft: This patch eliminates a security vulnerability in Microsoft Internet Information server that would allow a malicious user to hijack another user's secure Web session under a very restricted set of circumstances.IIS supports the use of a Session ID cookie to track the current session identifier for a Web session. However, ASP in IIS does not support the creation of secure Session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same Web site use the same session ID. If a user initiated a session with a secure Web page, a session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext session ID cookie and use it to connect to the user's session with the secure page. At that point, he could take any action on the secure page that the user could take.
The conditions under which this vulnerability could be exploited are rather daunting. The malicious user would need to have complete control over the other user's communications with the Web site. Even then, the malicious user could not make the initial connection to the secure page; only the legitimate user could do that. The patch eliminates the vulnerability by adding support for secure Session ID cookies in ASP pages. (Secure cookies already are supported for all other types of cookies, under all other technologies in IIS).
Read the FAQ for more information.
- See more CNET content tagged:
- malicious user,
- Microsoft IIS Server,
- cookie,
- session,
- Microsoft ASP
User reviews of Microsoft IIS5 "Session ID Cookie Marking" Vulnerability Patch
Be the first to review Microsoft IIS5 "Session ID Cookie Marking" Vulnerability Patch!
Submit your review for Microsoft IIS5 "Session ID Cookie Marking" Vulnerability Patch:
You must be 13 years of age or older to submit personal information to CNET Networks. In compliance with the Children's Online Privacy Protection Act of 1998, CNET Networks does not accept name and e-mail address information from users who are under 13 years of age.
All submitted ratings and written comments become the sole property of CNET Networks, Inc. (CNET) and may be used at CNET Networks' sole discretion. Ratings and written comments are generally posted within two to four business days in batch groups, not in real time. However, CNET Networks reserves the right to remove or refuse to post any submission for any reason. You acknowledge that you, not CNET Networks, are responsible for the contents of your submission.
CNET Networks is not responsible for the content of the publisher's descriptions or user reviews on this site. We encourage you to determine whether this product or your intended use is legal. We do not encourage or condone the use of any software in violation of applicable laws. CNET Download.com does not sell, resell, or license any of the products listed on the site. We cannot be held liable for issues that arise from the download or use of these products.
