Security of asp3?


khadem1386

There aren't a lot of ASP-specific security holes; most of the security issues with ASP are the same security issues that you would see with PHP or anything else. It also depends on the other tools you're using; for example, MS SQL Server is less secure than MySQL only because it allows more than one database query in a single statement, where MySQL does not. That's not necessarily a bad thing though. I have some ASP applications that send batches of queries to the server instead of individual queries, but if you're not sanitizing database inputs to avoid SQL injections you can get burned more with SQL Server than you can with MySQL. But if you're using good programming practices and you know what you're doing then you can make it secure no matter which language and database you use. Conversely, if you don't know what you're doing then you can make an insecure, buggy application in any language you want.


Thanks. I read an essay about session hacking in ASP.NET preprocessing. I thought that session variables were safe. If I transfer my important information variables through sessions, how much chance is there of them being hacked or scanned by other people? And how can I secure my sessions? Thanks a lot.


"If I transfer my important information variables through sessions, how much chance is there of them being hacked or scanned by other people?"
Sessions are handled server-side and only the processed data is sent to the client. It is very possible, however, for any information to be intercepted if sent through an unencrypted connection. This is not an ASP fault though, just a general network vulnerability.
"And how can I secure my sessions?"
Use an encrypted connection, i.e. SSL.

I don't see any resources talking about hacking ASP.NET sessions through a vulnerability in preprocessing.

In order to have a secure session you should only use cookies, not append the session ID to any URLs. The session cookies should only be used over a secure connection. If you want to recycle the session ID periodically, depending on your application, that might help avoid session attacks also. Again though, these aren't ASP-specific, just general guidelines. If you want to read about good security practices in web applications there are quite a few books available on the subject.
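
The cookie-only and secure-connection guidelines from the replies above, written out as an ASP.NET web.config fragment. This is an added example, not part of the original thread; the timeout values and the choice of in-process session storage are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>

    <!--
      Weak settings, shown for contrast only:

        <sessionState mode="InProc" cookieless="UseUri" timeout="120" />
        <httpCookies requireSSL="false" httpOnlyCookies="false" />

      cookieless="UseUri" embeds the session ID in every URL, so it ends
      up in browser history, Referer headers, proxy logs and any link a
      user copies. requireSSL="false" lets the cookie travel over plain
      HTTP, where anyone on the network path can read it.
    -->

    <!--
      Session ID is carried in a cookie only, never in the URL.
      timeout is in minutes; 20 is an assumed value, pick the shortest
      idle period the application can tolerate.
    -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  timeout="20" />

    <!--
      requireSSL marks cookies issued by the application as Secure, so
      the browser only returns them over HTTPS.
      httpOnlyCookies keeps client-side script from reading them.
    -->
    <httpCookies requireSSL="true"
                 httpOnlyCookies="true" />

  </system.web>
</configuration>
```

With `requireSSL="true"` the site has to be served entirely over HTTPS, otherwise the browser will not send the session cookie back and every plain-HTTP request starts a new session. Recycling the session ID is done in application code and is not covered by this fragment.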
