Is it possible to hack someone's session variables and create a new shadow user?

What are the common ways of avoiding such surprises?

SSL certificate installation or ....?

A: 

See this post.

RichardOD
That post specifically has to do with Session Storage in PHP not in ASP.NET
Eoin Campbell
Thanks Eoin- I posted the wrong link by mistake. Too much of a late one last night. :-)
RichardOD
+4  A: 

Short answer... it depends.

Session in ASP.NET can be stored in a variety of ways (InProc / SQL Server / State Server etc.). Another thing to note is how the client session is maintained (query string value, cookies etc.).

As the poster in this answer suggests

http://stackoverflow.com/questions/477649/can-we-hack-a-site-that-just-stores-the-username-as-a-session-variable/477660#477660

One thing you could do when you authenticate the user and store their name in Session would be to also store some other information about them, e.g. their UserAgentString and their IP address, and if a different IP or UserAgentString attempted to interact with the session, you could invalidate it.

Eoin Campbell
One thing: storing IP against session is good, but not foolproof, the problem being that a common form of session hacking is against someone within the same IP group (i.e. within a company or AOL). Similar concerns for UserAgent (only with much higher commonality!)
annakata
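The binding check described in the answer above, written out as an added example for classic ASP.NET (System.Web); it is not code from any of the answers on this page. The session key name, the SHA-256 fingerprint scheme and the `~/Login.aspx` redirect target are this example's own assumptions, and, as the comment notes, binding to IP will also log out legitimate users whose address changes (proxies, mobile networks) while not stopping an attacker behind the same NAT.

```csharp
// Added example: binds the ASP.NET session to the client's User-Agent and IP at login
// and abandons it when a later request arrives with a different pair.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public class SessionBindingModule : IHttpModule
{
    private const string BindKey = "__SessionBinding"; // assumed session key name

    public void Init(HttpApplication app)
    {
        // Session state is available from PostAcquireRequestState onward.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    // Server-side fingerprint: SHA-256 over "UA\nIP". It is stored in Session only
    // and never sent to the client, so the client cannot tamper with it.
    public static string Fingerprint(HttpRequest request)
    {
        string ua = request.UserAgent ?? string.Empty;
        string ip = request.UserHostAddress ?? string.Empty;
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(ua + "\n" + ip)));
    }

    // Call once after authentication succeeds, before storing the user name in Session.
    public static void Bind(HttpContext ctx)
    {
        ctx.Session[BindKey] = Fingerprint(ctx.Request);
    }

    private void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpSessionState session = app.Context.Session;
        if (session == null || session[BindKey] == null)
            return; // session not bound yet (anonymous or pre-login): nothing to check

        if (!string.Equals((string)session[BindKey], Fingerprint(app.Request), StringComparison.Ordinal))
        {
            // Mismatch: drop the server-side state, expire the cookie and force a re-login.
            session.Abandon();
            app.Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.UtcNow.AddDays(-1);
            app.Response.Redirect("~/Login.aspx?reason=session", true); // assumed login page
        }
    }
}
```

Register the module in web.config (`<httpModules>` for classic mode, `<system.webServer><modules>` for IIS integrated mode) and call `SessionBindingModule.Bind(HttpContext.Current)` from the login handler right after the credentials are verified.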
+1  A: 

Anything is possible, however by default it's hard.

Generally you hijack a session by stealing the session cookie and recreating it on another machine. However, in order to do this the web site must be vulnerable to Cross Site Scripting (which you can mitigate against with Server.HtmlEncode when you echo user input back). If you do end up vulnerable, the ASP.NET session cookie is marked as HttpOnly, which means, if a browser supports it, it cannot be accessed from client-side scripts (although Safari ignores this setting).

blowdart
A: 

Hello, in my website I am maintaining a log of users in which I am storing some user information such as the user's machine IP number, SessionId, UserName etc., and I am able to show the list of current and past users in a webpage.

I want to share a browser session of my current users. Suppose there are many users who are accessing my site; if I click any particular user then we can find the user's session and be able to know the working of users. Is it possible? If yes, then how? Please tell me......

Thanks to all.