I need to check all of my ASP code to prevent SQL injection.
Should I check the Session object, too?
How might a session be hijacked?
Thank you!!
No. Session data is stored on the server. The session ID is the only thing transferred back and forth between the client and the server. Therefore, unless the server is hacked or has a server-side bug, the client cannot change the session data directly.
The most common method of session hijacking is called IP spoofing, when an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network and disguise itself as one of the authenticated users.
Sessions are NOT server-side, they are stored on the client's local machine (you can go into your cookies and look for a cookie called phpssid under your domain name). Yes, they can be hacked, and this is in fact a very common method of hacking.
The $_SESSION is stored entirely on the server, so the user cannot modify it.
Sessions can be hijacked. If I remember correctly, Classic ASP only supports cookie-based session identifiers. If someone were able to steal that cookie (wire-tap), then they can gain the same session as the legitimate user.
Should you check the Session object too? That depends. If you can make sure that all the objects stored in sessions are "safe" (input has been sanitized), then you can skip the Session object. If somewhere in your application you get data from an unsafe source and put it in the Session object, then you must check it as well.
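To illustrate the last point, here is an added Classic ASP example (not code from any of the answers above): a value that earlier came from user input and was saved in the Session is used in a query, first by string concatenation and then through a bound parameter. The connection object conn, the table Orders and the column Customer are assumed names.

```vbscript
<%
' Added example, not from the original answers.
' Assumed: conn is an open ADODB.Connection; Session("customer") was filled earlier
' from Request.Form, so it is user-controlled data even though it now lives server-side.

' Vulnerable: the Session value is concatenated into the SQL text. Storing it in the
' Session did not sanitize it, so a crafted value still changes the query structure.
Dim sqlUnsafe
sqlUnsafe = "SELECT Id, Total FROM Orders WHERE Customer = '" & Session("customer") & "'"
' Set rs = conn.Execute(sqlUnsafe)   ' do not run this form

' Hardened: bind the value as a parameter so the driver passes it as data, never as SQL.
Const adVarChar = 200    ' ADO DataTypeEnum value for variable-length character data
Const adParamInput = 1   ' ADO ParameterDirectionEnum value for an input parameter
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT Id, Total FROM Orders WHERE Customer = ?"
cmd.Parameters.Append cmd.CreateParameter("@customer", adVarChar, adParamInput, 50, CStr(Session("customer")))
Set rs = cmd.Execute

' Output is HTML-encoded so a stored value cannot inject markup into the page either.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Id") & " " & rs("Total")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The same parameter binding applies wherever the value came from: the Session is only as trustworthy as the code path that filled it.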