 

Hacking session variables in Asp.NET

Is it possible to hack someone's session variables and create a new shadow user?

What are the common ways of avoiding such surprises?

SSL certificate installation or ....?

OrElse asked Jun 05 '09 10:06


People also ask

Can session variables be hacked?

No. Session data is stored on the server. The session ID is the only thing transferred back and forward between the client and the server.

Are asp net session variables secure?

Session state is kept entirely server-side, no matter which storage method you use (in-memory, session state server or database). So unless your server is hacked, Session variables are safe.

How to secure session in ASP net?

Secure methods of Session management replace this default cookie. Rename the default Session cookie – The ASP.NET_SessionId name reveals the name of the language as part of its SessionID characters and this gives away the security of the application to attackers.

What is session fixation in ASP net?

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.


2 Answers

Short answer... it depends.

Session in ASP.NET can be stored in a variety of ways (InProc / SQL Server / State Server, etc.). Another thing to note is how the client session is maintained (query string value, cookies, etc.).

As the poster in this answer suggests:

Can we hack a site that just stores the username as a session variable?

One thing you could do when you authenticate the user and store their name in Session would be to also store some other information about them, e.g. their UserAgentString and their IP address, and if a different IP or UserAgentString attempted to interact with the session, you could invalidate it.

Eoin Campbell answered Sep 29 '22 07:09
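An added example of the check Eoin describes, written for this page and not taken from the answer or from the linked question: an `IHttpModule` that records a fingerprint of the client (User-Agent, optionally IP address) the first time a session is seen and abandons the session when a later request with the same session ID presents a different fingerprint. The class name `SessionFingerprintModule`, the key `FingerprintKey` and the switch `BindToIpAddress` are names chosen for this example, not ASP.NET identifiers; the session cookie name `ASP.NET_SessionId` is the framework default and must be changed here if `<sessionState cookieName="...">` renames it.

```csharp
// Added example (not code from the answer above): bind an ASP.NET session to
// the client's User-Agent (and optionally IP address) and abandon it when a
// request arrives with a different fingerprint.
// Register in web.config: <system.webServer><modules> (IIS 7+ integrated mode)
//   <add name="SessionFingerprint" type="SessionFingerprintModule" />
// or <system.web><httpModules> with the same <add> on IIS 6 / classic mode.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public class SessionFingerprintModule : IHttpModule
{
    // Assumed name for the session slot that holds the fingerprint.
    private const string FingerprintKey = "__SessionFingerprint";

    // Binding to the IP address logs out legitimate users whose address changes
    // (mobile networks, NAT pools, some proxies), so it is off by default.
    private static readonly bool BindToIpAddress = false;

    public void Init(HttpApplication app)
    {
        // Session state is only available from PostAcquireRequestState onward.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext context = app.Context;
        HttpSessionState session = context.Session;
        if (session == null)
        {
            return; // handler without session state (static files, etc.)
        }

        string current = ComputeFingerprint(context.Request);
        string stored = session[FingerprintKey] as string;

        if (stored == null)
        {
            // First request of this session: remember which client it was issued to.
            session[FingerprintKey] = current;
            return;
        }

        if (!string.Equals(stored, current, StringComparison.Ordinal))
        {
            // A different client is presenting a known session ID: drop the
            // server-side state and expire the cookie so the ID is not reused.
            session.Clear();
            session.Abandon();
            HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
            {
                Expires = DateTime.UtcNow.AddYears(-1),
                HttpOnly = true
            };
            context.Response.Cookies.Add(expired);
            context.Response.StatusCode = 403;
            app.CompleteRequest();
        }
    }

    // SHA-256 over the bound values: keeps the raw User-Agent string out of
    // session storage and gives a fixed-size value to compare.
    public static string ComputeFingerprint(HttpRequest request)
    {
        StringBuilder material = new StringBuilder();
        material.Append(request.UserAgent ?? string.Empty);
        if (BindToIpAddress)
        {
            material.Append('|').Append(request.UserHostAddress ?? string.Empty);
        }
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(material.ToString()));
            return Convert.ToBase64String(digest);
        }
    }
}
```

The User-Agent is chosen by the client, so someone who has obtained a session cookie can also copy the header it was issued with; this check raises the cost of a replayed cookie and catches careless reuse, it does not replace keeping the cookie out of reach (HttpOnly, HTTPS-only) in the first place. The fingerprint is stored server-side, so it costs one small session value per user and no extra round trips.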


Anything is possible, however by default it's hard.

Generally you hijack a session by stealing the session cookie and recreating it on another machine. However, in order to do this the web site must be vulnerable to Cross Site Scripting (which you can mitigate against with Server.HtmlEncode when you echo user input back). If you do end up vulnerable, the ASP.NET session cookie is marked as HTTP Only, which means, if a browser supports it, it is not accessible from client side scripts (although Safari ignores this setting).

blowdart answered Sep 29 '22 07:09
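An added example illustrating the two mitigations in blowdart's answer, written for this page rather than taken from it: a `Global.asax` code-behind that forces the HttpOnly flag (and, over HTTPS, the Secure flag) onto every cookie the application sets, the session cookie included, next to the unencoded and encoded ways of echoing user input that the answer contrasts. The method names `EchoUnsafely` and `EchoSafely` are names chosen for this example; `HttpCookie.HttpOnly`, `HttpCookie.Secure` and `Server.HtmlEncode` are the real ASP.NET members.

```csharp
// Added example (not code from the answer above). Global.asax code-behind that
// hardens outgoing cookies and shows the encoding the answer recommends.
// Declarative equivalent for the cookie flags in web.config:
//   <system.web><httpCookies httpOnlyCookies="true" requireSSL="true" /></system.web>
using System;
using System.Web;

public class Global : HttpApplication
{
    // EndRequest runs after session state has been saved, so the session cookie
    // (added by SessionStateModule when a new ID is issued) is already in the
    // outgoing collection and gets the same treatment as application cookies.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;
        for (int i = 0; i < response.Cookies.Count; i++)
        {
            HttpCookie cookie = response.Cookies[i];
            cookie.HttpOnly = true;            // hidden from document.cookie in browsers that honour it
            if (Context.Request.IsSecureConnection)
            {
                cookie.Secure = true;          // only sent back over HTTPS, never in clear text
            }
        }
    }

    // Vulnerable form: user-controlled text is written into the page as markup,
    // so a <script> element inside 'name' executes in other visitors' browsers
    // and can read any cookie that is not HttpOnly.
    public string EchoUnsafely(string name)
    {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened form: encode before writing, as the answer suggests, so '<', '>',
    // '&' and quotes arrive as text rather than markup.
    public string EchoSafely(string name)
    {
        return "<p>Hello, " + Server.HtmlEncode(name) + "</p>";
    }
}
```

Setting the flags in `Application_EndRequest` is the programmatic fallback; on a framework that supports `<httpCookies httpOnlyCookies="true" requireSSL="true" />` the configuration setting is simpler and covers cookies that are added after this handler would have run. `requireSSL="true"` only makes sense once the whole site is served over HTTPS, which is the point the question's "SSL certificate installation" alludes to: it protects the cookie in transit, not against script on the page.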