security issue in asp

Luke

Hi

Recently I was looking at someone else's code written in ASP.
At the start of the page there was a condition checking if some
session variable had been set; if so, the rest of the code
was executed normally. If this session object was not
set, the script redirected to an "Access denied" page.
My question is: is this really secure?
Can the client set some session object? Are they encrypted
somehow? Where are they between requests? In a cookie?
Hidden fields?

Thanks for any answers, I'm just curious
Lu
 
Hi Luke,

Session objects run on the server, and the actual data that you store in them is
stored there. The only thing that lives on the client is the session cookie
or ID, which may be either in an HTTP cookie or some sort of ID that is stored
as part of the URL or query string (cookieless sessions in ASP.NET, for
example, use URL injection to inject the cookie into the URL path).

Secure is always a relative term <g>. It's secure as long as nobody hijacks
the cookie in some way. Once the cookie is compromised and the attacker has
the tools to set this cookie for his browser session, he can impersonate the
user. But grabbing the cookie is certainly not easy, especially if you
use SSL, or without some way to filter network traffic and know what you're
looking for.

+++ Rick ---

--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/weblog/
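
A minimal model of the mechanism described in the answer above, added here as an illustration and not part of the original thread or of ASP itself: session variables sit in a server-side store, the browser holds only an opaque ID, and the page-top check trusts whoever presents that ID. The cookie name `SESSIONID`, the in-memory dictionary and all function names are assumptions made for this sketch.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"   # assumed cookie name for this model
_sessions = {}                 # server-side store: session ID -> variables


def login(username):
    """Create server-side session state and return the Set-Cookie value."""
    sid = secrets.token_urlsafe(32)            # unguessable, carries no data
    _sessions[sid] = {"user": username}        # the data never leaves the server
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    cookie[SESSION_COOKIE]["secure"] = True    # only sent over SSL/TLS
    cookie[SESSION_COOKIE]["httponly"] = True  # not readable from page script
    return cookie.output(header="").strip()


def cookie_for_request(set_cookie_value):
    """What a browser sends back: just name=value, without the attributes."""
    return set_cookie_value.split(";", 1)[0]


def handle_request(cookie_header):
    """The page-top check from the question: session variable set, or denied."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(SESSION_COOKIE)
    # Only the ID is taken from the client; the variables come from the store,
    # so a client cannot "set" a session variable by sending extra cookies.
    session = _sessions.get(morsel.value) if morsel else None
    if session is None or "user" not in session:
        return 302, "/access_denied"
    # The server cannot tell who presents the ID: a copied cookie passes too,
    # which is why it is marked Secure and HttpOnly above.
    return 200, "welcome " + session["user"]


if __name__ == "__main__":
    issued = login("Luke Example")             # constructed sample user
    print(issued)
    print(handle_request("user=admin"))        # forged "variable": denied
    print(handle_request(cookie_for_request(issued)))
```
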
 