Invalidating a session in
a 24-character string consisting of characters a-z and 0-5.
If the client does not provide a session ID or provides an invalid session ID, ASP. If the client supplies a valid session ID and there’s no session associated with that ID on the server, ASP.
This is well-documented behaviour: How and why session IDs are reused in ASP. While reading it, keep in mind though that it’s a rather old article (applies to Microsoft . As a side note, please don’t follow the advice in that article on issuing a Forms Authentication cookie.
With that approach, you’d give users access to a valid authentication cookie for the user "test" every time they log in.
The Session State Module on the other hand manages the ASP.
Since these are session modifiable, it is not as simple as setting them in the initialization parameters.
OWASP recently released their Top Ten 2013 list of web application vulnerabilities.
If you compare the list to the 2010 version you’ll see that Broken Authentication and Session Management has moved up to second place, pushing Cross Site Scripting (XSS) down to third place.
We can set them in the initialization parameters but they then only affect the server and not the client side.
The following PL/SQL was used for a search screen: This is a great example of using case insensitive data inside Oracle and creating a case insensitive index to allow queries to be made in initcap, upper or lower, all without invalidating the index.
Apparently authentication and session related issues are moving up in the world!