Jump to content

How much Session is secure?


khadem1386
 Share

Recommended Posts

Usually someone can only use someone else's session if they can get the person's session cookie that has the session ID in it. You can try to send the cookie over a secure channel, there might be session settings where you can specify that. If the user has cookies disabled then it might try to send the session ID in URLs, and that can be a security problem. There might be a setting to require cookies for the session also, I know that PHP has those settings.

Link to comment
Share on other sites

Sessions use cookies. The session variables are not passed in the cookie, only a session ID. If you want to see it for yourself then delete all the cookies in your browser, log in at your site, and check for the new cookie. It will contain a session ID that the server uses to look up that user's session on disk. The server needs to have some way of associating an arbitrary user with their session data, and it uses a cookie to do that. So if someone steals your session cookie then they can put the cookie on their computer and do whatever you were able to do, like be logged in somewhere. But like I said, you should be able to specify a secure channel for session cookies, or you could also store some type of information with the session that saves the user's IP address, but that's not always foolproof or effective. Session cookies are also temporary, and the web browser should delete them anyway when it closes.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...