views: 58
answers: 5

When I leave a site without logging out, the next time I browse that site I find I am still logged in. How does the server restore the session value for my browser? Is there any chance of being hacked in this process? Can that restored session value be stolen by others? Please share your concept about this. Thanks in advance.

+4  A: 

What you are seeing is the result of a cookie being stored with your browser to hang on to that session information. Can it be hacked? Depends on the site/application, but no more than it could be if you hadn't closed your browser.

Brad
+1  A: 

It uses cookies, a text-string your browser keeps on behalf of the site, either for a set time-limit, or till you close your browser.

Log out if it's a concern. Obviously, if someone else uses the same computer shortly after you, they'd be able to use the site logged in as you. Always explicitly log out from publicly accessible computers.

Alexander Sagen
+1  A: 

In all technologies I'm aware of, web-based session values are stored on the remote server. So, to hack your session values would require hacking the remote server. What you are encountering is the fact that your session identifier is stored in a cookie (a session cookie), so that when you re-open your browser the cookie is used to identify you and provide access to your remote session. Normally session cookies have a short TTL (time to live) before they expire and log you out, but if not, then explicitly logging out should clear it. If you are really worried, you can delete your cookies.

Dan Diplo
A: 

Depending on whether the server checks the IP address trying to use the token (probably a cookie, but doesn't have to be) against the one that logged in, it might be possible for a thief to use that cookie to gain access to your account.

A well-designed site will not only cause sessions to time-out but also restrict them to a single IP address (and browser user-agent, etc).

Ben Voigt
Even checking the IP doesn't make it safe from hijacking. If both the victim and the hijacker sit behind the same router, then the web server will see them as coming from the same machine (since their public IP would be the same). Browser IDs aren't secure either... they can easily be spoofed.
Gert G
Definitely. Protecting against real-time replay attacks is difficult. It's recommended to verify IP address, etc., but one shouldn't rely on these as they aren't secure.
Ben Voigt
A: 

As others have noted this is the cookie on your machine.

The way to "hack" it would be to gain access to your machine and then take a copy of the cookie. Or take a copy of the cookie while it is being sent to the browser.

To guard against this you could:

  • Send the cookie to the client over https.
  • Do not store the cookie on disk (a cookie without a timeout will be stored in memory).

Locking a session to a single IP address can cause problems if your users are coming from a network with 2 proxy servers.

Shiraz Bhaiji
Thanks, all you guys. I haven't faced any problem yet; I was just keeping myself updated.
Masud Rahman
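The two mitigations in the last answer (send the session cookie only over HTTPS, and keep it a memory-only session cookie rather than writing it to disk) come down to which attributes the server puts on the `Set-Cookie` header. The following is an added example, not code from the question or any of the answers: a small Python script that builds such a header with the standard library's `http.cookies`, and an audit function that reads an existing `Set-Cookie` value and reports the weak settings the thread discusses. The cookie name `sid`, the session-id length and the sample header strings are my own assumptions.

```python
import secrets
from http.cookies import SimpleCookie


def new_session_id(nbytes=32):
    """Random, unguessable session identifier (assumed size: 32 bytes of entropy)."""
    return secrets.token_urlsafe(nbytes)


def build_session_cookie(name, session_id, max_age=None):
    """Return a Set-Cookie header value for the session identifier.

    Secure   -> browser only sends it over HTTPS (answer's first bullet).
    HttpOnly -> page scripts cannot read it, so a copy cannot be taken via JS.
    No Expires/Max-Age -> a 'session cookie' kept in memory and dropped when
    the browser closes (answer's second bullet); pass max_age to make it
    persistent, which is what keeps you logged in after closing the browser.
    """
    jar = SimpleCookie()
    jar[name] = session_id
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Parse a Set-Cookie value and list the weaknesses discussed in the thread."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (can be sent over plain HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
        if morsel["expires"] or morsel["max-age"]:
            findings.append(f"{name}: persistent (Expires/Max-Age set, written to disk)")
    return findings


if __name__ == "__main__":
    sid = new_session_id()
    print("hardened :", build_session_cookie("sid", sid))
    # Constructed sample of a weak header: plain HTTP allowed, script-readable, 30-day lifetime.
    weak = "sid=" + sid + "; Path=/; Max-Age=2592000"
    for finding in audit_set_cookie(weak):
        print("weak      :", finding)
```

Running the script prints a hardened header followed by the three findings for the constructed weak one. The audit only looks at attributes the server chose; it cannot tell you whether the server also expires the session on its side, which is the separate TTL point made in Dan Diplo's answer.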
