| Subject: | Random Session.SessionID with IIS 6.0 |
|---|---|
| Date: | Thu, 14 Oct 2004 20:16:21 +0100 |
Hi list !
I was wondering if someone can tell me if I'm right with this:
Setting up: I've got an IIS 6.0, connection through HTTPs, and ASP pages on my
IIS.
What I'm trying to do: As many people dream about :), just track the user
through its journey on my website ... But to avoid replay attacks and brute
force password guessing, I need to get a unique identifier for this user.
The trouble: I was thinking about some encrypted mix like HASH{user_tcp_port ||
Session.SessionID || Rnd-number || ...}.
My 2 problems are: the user port and the Session.SessionID.
- Pentesting my idea, I noticed that the user port (obviously >
TCP:1024) ... changes as time goes on (I think it is normal behaviour, that's
why they are called ephemeral ports :) ) ! So I cannot rely on it :(.
- Then I thought about 'Session.SessionID'; Microsoft's docs told me it
was a unique identifier per session, so I was happy with it ... But it seems
that this number is unique only if you have cookies enabled on your browser, and as
some people disable them ... this identifier cannot be relied on, even
within the same connection, and moreover it seems to increase by +1 at each next
session, so a little bit predictable :(
I saw with ASP a beautiful Cert.Cookie (still Request.ServerVariables) ... But
it seems NULL in my case :(
So my question was: within an https connection, is there any ID that will be
UNIQUE from the beginning to the end of the same session ? There is probably
one, so my question would be turned in "how can I catch it?"
I know my question is not new :(
Thanks a lot list, I am quite stuck with this :(
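As an added example (not from the poster or from IIS/ASP), the following Python sketch shows the property the post is after: a session identifier whose unpredictability comes entirely from a CSPRNG, stored server-side, with an idle timeout and rotation after login. It assumes a constructed in-memory store; the `SESSION_ID_BYTES` and `SESSION_TTL_SECONDS` values are illustrative choices. Hashing predictable inputs such as the ephemeral port or a counter-based SessionID together with a random number is no stronger than the random number alone, so the random value is used directly.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

SESSION_ID_BYTES = 16          # 128 bits of CSPRNG output (assumed size)
SESSION_TTL_SECONDS = 30 * 60  # idle timeout (assumed value)

# Constructed in-memory store for illustration; a real deployment keeps
# this server-side in a database or cache, never in the client.
_sessions: Dict[str, dict] = {}


def new_session_id() -> str:
    """Unpredictable ID: entropy comes only from the OS CSPRNG.

    Mixing in a port number or a sequential counter and hashing the
    result adds no unpredictability, so no such mixing is done here.
    """
    return secrets.token_hex(SESSION_ID_BYTES)


def create_session(user: str, now: Optional[float] = None) -> str:
    """Bind a fresh random ID to `user` and record its last activity."""
    sid = new_session_id()
    _sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
    return sid


def lookup_session(presented: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to `presented`, or None if unknown or expired."""
    now = time.time() if now is None else now
    # Constant-time comparison so a matching prefix is not observable by timing.
    match = next((sid for sid in _sessions if hmac.compare_digest(sid, presented)), None)
    if match is None:
        return None
    rec = _sessions[match]
    if now - rec["last_seen"] > SESSION_TTL_SECONDS:
        del _sessions[match]          # expired: drop it rather than revive it
        return None
    rec["last_seen"] = now
    return rec["user"]


def rotate_session(old: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a new ID after login or privilege change; the old one dies."""
    user = lookup_session(old, now)
    if user is None:
        return None
    del _sessions[old]
    return create_session(user, now)
```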