khadem1386 Posted September 11, 2007

Hi,

I transfer some passwords and other important variables between ASP pages by Session. How secure is Session? Can anybody hack or spy on a Session? And what is your proposal for a secure method instead of Session? Thanks for your lead.

justsomeguy Posted September 11, 2007

Usually someone can only use someone else's session if they can get the person's session cookie that has the session ID in it. You can try to send the cookie over a secure channel; there might be session settings where you can specify that. If the user has cookies disabled then it might try to send the session ID in URLs, and that can be a security problem. There might be a setting to require cookies for the session also; I know that PHP has those settings.

khadem1386 (Author) Posted September 12, 2007

I don't use any cookies. I use the session like this:

Code:
session("password") = request.querystring("password")

I think the session is only saved in RAM on the server and is used between pages to manage variables. I don't write anything to the user's hard disk, not even cookies.

Thanks

justsomeguy Posted September 12, 2007

Sessions use cookies. The session variables are not passed in the cookie, only a session ID. If you want to see it for yourself then delete all the cookies in your browser, log in at your site, and check for the new cookie. It will contain a session ID that the server uses to look up that user's session on disk. The server needs to have some way of associating an arbitrary user with their session data, and it uses a cookie to do that. So if someone steals your session cookie then they can put the cookie on their computer and do whatever you were able to do, like be logged in somewhere.

But like I said, you should be able to specify a secure channel for session cookies, or you could also store some type of information with the session that saves the user's IP address, but that's not always foolproof or effective. Session cookies are also temporary, and the web browser should delete them anyway when it closes.

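A small model of the mechanism described in the posts above, added here as an example and not code from any poster. It is plain Python rather than ASP; the cookie name SESSIONID, the in-memory SESSIONS store and the sample addresses are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side store: session ID -> session data. This dict stands in for
# whatever storage the web server uses; it never leaves the server.
SESSIONS = {}

def start_session(client_ip, data):
    """Create a session and return the Set-Cookie value sent to the browser."""
    sid = secrets.token_urlsafe(32)          # unguessable random ID
    SESSIONS[sid] = {"ip": client_ip, "data": dict(data)}
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid                # hypothetical cookie name
    cookie["SESSIONID"]["secure"] = True     # only sent over HTTPS
    cookie["SESSIONID"]["httponly"] = True   # not readable by page scripts
    cookie["SESSIONID"]["path"] = "/"
    # No Expires/Max-Age: a temporary cookie the browser drops when it closes.
    return cookie["SESSIONID"].OutputString()

def load_session(cookie_header, client_ip):
    """Return the session data for a request, or None if it is rejected."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("SESSIONID")
    if morsel is None:
        return None                          # no session cookie at all
    entry = SESSIONS.get(morsel.value)
    if entry is None:
        return None                          # unknown or made-up ID
    if entry["ip"] != client_ip:
        # IP binding: rejects a cookie replayed from another address, but
        # not one replayed from behind the same proxy or NAT, and it logs
        # out users whose address changes mid-session.
        del SESSIONS[morsel.value]           # treat the ID as compromised
        return None
    return entry["data"]

def cookie_pair(set_cookie_value):
    """Extract 'name=value', the part a browser sends back in Cookie:."""
    return set_cookie_value.split(";", 1)[0]
```

The browser only ever holds the random ID; the stored values stay in SESSIONS on the server side.
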
Synook Posted September 15, 2007

Just on this topic, can a third party write a session for a site, without going through its interface?

justsomeguy Posted September 17, 2007

The session is saved on the server; the only thing a user has access to is the session ID.

This topic is now archived and is closed to further replies.