Session Management with Windows Authentication

In an ASP.NET web app, using Integrated Windows Authentication, is the session tied to the windows identity?
In other words, if I login (using IWA) to the app, and the app stores some "stuff" in my session, is this stuff accessible by session id alone? For instance, if a malicious someone managed to steal my session id, but NOT my credentials, can he then access my session stuff? Or is this session accessible only to the same identity, requiring both the session id AND the windows identity to access it?

Asked by AviD
1 answer
Excellent question. I just ran a test to confirm before I wrote this answer.
If I am 'Person A', and you are 'Person B', then this is what has to happen:
Note that Person B is still recognised as 'Person B' by the website, even though they are using Person A's session details. So if you have code that checks user permissions etc, then those checks are still done in the context of Person B.
This might sound like a huge issue, but it isn't really as long as the programmers are not careless. For instance, the only effect that Person B got in my test above was that they inherited the screen and grid layouts that Person A had set up, because we do our permission checks live (i.e. they are not cached). If you store sensitive data in the session then it could be a problem, but it is only a problem if the fields showing it are not permission checked every single time they are shown. It's also only an issue if the session for Person A hasn't expired.
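To make the answer's point concrete, here is an added example that is not part of the question or the answer: a Global.asax handler for a classic System.Web application under Integrated Windows Authentication that binds a session to the Windows identity that first used it and abandons the session when the same session id arrives under a different identity, so that Person A's session state is never served to Person B. The file name, the session key name and the redirect behaviour are assumptions.

```csharp
// Global.asax.cs (assumed file name) for a classic ASP.NET (System.Web) app
// using Integrated Windows Authentication. The key name is an assumption.
using System;
using System.Web;

public class Global : HttpApplication
{
    private const string BoundIdentityKey = "__BoundWindowsIdentity";

    // PostAcquireRequestState is the first pipeline event at which Session is
    // guaranteed to be populated; it fires once per request.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // handler without session state, or anonymous request

        // Under IWA this is the account IIS authenticated, e.g. DOMAIN\alice.
        string current = ctx.User.Identity.Name;
        string bound = ctx.Session[BoundIdentityKey] as string;

        if (bound == null)
        {
            // First authenticated use of this session: tie it to the caller.
            ctx.Session[BoundIdentityKey] = current;
            return;
        }

        if (string.Equals(bound, current, StringComparison.OrdinalIgnoreCase))
            return; // same identity that created the session

        // The session id is being presented by a different Windows identity
        // than the one that created it (copied or stolen id): discard the
        // stored state instead of serving Person A's data to Person B.
        ctx.Session.Clear();
        ctx.Session.Abandon();

        // Expire the session cookie so the client receives a fresh id.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        ctx.Response.Cookies.Add(expired);

        // Re-issue the request under a new, empty session.
        ctx.Response.Redirect(ctx.Request.RawUrl, true);
    }
}
```

This complements, rather than replaces, the live permission checks the answer describes: those still decide what Person B may see, while the binding prevents Person B from inheriting Person A's session contents at all.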