RE: IIS session cookies

1. no, you can't specify the sessionID length.
2. The session-ID is agnostic as to SSL. If SSL is enabled, all traffic, including the sessionID will be encrypted. Otherwise, it will be in cleartext.

-----Original Message-----
From: securityarchitect@hush.com [mailto:securityarchitect@hush.com] Sent: Saturday, December 07, 2002 8:52 PM To: cairnsc@securityfocus.com; kspett@spidynamics.com Cc: webappsec@securityfocus.com; secprog@securityfocus.com; mikehow@microsoft.com
Subject: Re: IIS session cookies

Not knowing much about Windows, ASP or .NET, does IIS allow you to

Set sessionID length ? If so how ?

How does it move users from a non-SSL session to a SSL session (ie does a new value get set) ?

On Fri, 06 Dec 2002 07:18:35 -0800 Kevin Spett <kspett@spidynamics.com> wrote:
>From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:
/
>aspwsm.asp:

Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 Received on Sun Dec 8 16:53:46 2002

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek