(Hopefully) Quick Question about Session Variables

D

DLN

Hello all,

I apologize for the naivety of this question, but I'm wondering whether
session variables can ever be modified (somehow) by a client without having
to go through code that I write. If I read in user input from a web form,
sanitize the input to make sure there isn't any injected data, and then
store the sanitized input in a session variable, is there any way for that
session variable to be modified by the client afterwards? I would prefer to
not have to re-validate a session variable every time I use it and instead
just do the validation once, when session variable is set. However, is it
guaranteed that the client accessing web application has no way of
"injecting" (for lack of a better word) their own session variables? I'm
not interested in how it can be done, just how to protect my applications
against it or is this even possible to begin with?

Thanks,

dln
 
B

bruce barker

your application is the api to session variables (or databases). anyone
can write an app to post whatever data they want to your postback pages.
its up to your page code to not change session variables without full
validation.


-- bruce (sqlwork.com)
 
D

Damien

Hello all,

I apologize for the naivety of this question, but I'm wondering whether
session variables can ever be modified (somehow) by a client without having
to go through code that I write. If I read in user input from a web form,
sanitize the input to make sure there isn't any injected data, and then
store the sanitized input in a session variable, is there any way for that
session variable to be modified by the client afterwards? I would prefer to
not have to re-validate a session variable every time I use it and instead
just do the validation once, when session variable is set. However, is it
guaranteed that the client accessing web application has no way of
"injecting" (for lack of a better word) their own session variables? I'm
not interested in how it can be done, just how to protect my applications
against it or is this even possible to begin with?

Thanks,

dln
Click to expand...

Session variables are stored either in the memory of your server
(InProc or StateServer) or in a database (SQL). At no point are the
variables sent out to the client, nor is there a mechanism for a
client to send new values/variables in. The only way for Session
variables to be modified is for a piece of your code to perform the
action.

So, if you've already sanitised some data and you place it in a
session variable, then yes, you can trust that data at a later point,
provided none of the rest of *your* code can change that variable.
However, if you've got a function somewhere like:

Session(Request("Key")) = Request("Value")

then all bets are off :)

Damien
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Question about data persistence in Public variables 7
How to protect session variables in this case? 1
static variables vs. session variables in ASP.NET 4
Session variables and frames 2
Session variables disappear in relation to a file upload 4
Question about Session variables and Redirects 14
Asp.net Important Topics. 0
Unable to Validate Data 1

Top