Last post Sep 22, 2013 01:45 PM by speshulk926
Sep 03, 2013 03:59 PM | GIDLIBRARY
I have a website where I store an ID from a database table in a session variable. That ID in turn gives access to private data for each user. Now my question is, how easy is it to steal or tamper with a session cookie (I use SSL on the site)? I would think if a PC had spyware on it, then all cookies, including the session cookie, could be stolen, but apart from that situation, how hard is it to break into someone else's data?
Sep 03, 2013 04:22 PM | bbcompent1
Personally, since you are using SSL, I doubt your session cookies could be compromised unless, like you said, the computer was infected with spyware/malware. But you may want to consider using session variables instead of cookies, since I think they are a bit more secure (caveat: I could be wrong). I have always preferred session variables to cookies. Session variables disappear when the session ends. Some cookies you have to destroy to make them go away, if I recall correctly.
If you do, somebody (your ISP for instance) can intercept the HTTP requests and steal the user credentials.
is just an identifier string that is used as a key to store and retrieve session variables on the server side. So, if somebody steals the user's session cookie, he may pretend to be the original user but may not obtain the session variable values directly. Ideally you should redirect the user's browser, once the user is authenticated, to the SSL-encrypted version of your site pages, but even SSL can be worked around with sophisticated tricks. Nevertheless, using sessions (if possible over SSL) is more secure than just using cookies to store user-sensitive data.
Sep 03, 2013 04:48 PM | BrockAllen
Session cookies are not marked as secure (meaning they require SSL) by default, so any non-SSL requests (for things like static CSS, JS, etc.) could leak the cookie. Also, it's possible (without great care) that a user's session state could get accidentally leaked to the next user logging in if users use the same browser (think of a shared computer in a public library). It's not impossible to prevent this, it's just that you have to take the extra step to prevent it.
Are your users authenticated? Why not just link the item in the DB to the logged in username?
Sep 04, 2013 07:02 AM | GIDLIBRARY
When I say "session cookies", I mean a session variable. But as was pointed out, sessions themselves are stored as a session cookie on the user's computer.
I do use user authentication. However, if, let's say, 20 users are given "administrator privileges", that means that all 20 of them have access to the same "top secret" web pages. So if they can tamper with the cookie on their computer that points to the session, they might be able to get to someone else's session, and therefore to his session variables.
I could do a test as follows: on every page, I could check my SQL Server database to see if the session variables being used are the ones that belong to the current user (with the user-authentication user ID). I could do this in the master page so that I don't have to duplicate the code a lot. However, it seems to me that this slows down the website.
It also seems to me that Microsoft should add an option so that cookies pointing to sessions cannot leak to non-SSL requests.
Sep 04, 2013 09:00 AM | BrockAllen
As for an option to SSL-protect cookies, they do have an option (you just need to look for it):
Sep 17, 2013 10:29 AM | ghirst
If you are using sessions you might want to consider clearing them out on login/logout. The below is code I use on the logout screen. (I also run it on the login page before the submit authentication.)
'' if user is signing out....
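A worked version of the two ideas in this thread, the session reset ghirst runs on login/logout and the per-page ownership check GIDLIBRARY proposed, added here as an example; it is not code from either poster. It assumes ASP.NET Web Forms with Forms Authentication and the default cookie-based session state, and the module, procedure names and the `__SessionOwner` key are invented for illustration.

```vb
' Added example, not from the thread. Assumes ASP.NET Web Forms, Forms
' Authentication and the default cookie-based session state.
Imports System
Imports System.Web
Imports System.Web.Security

Public Module SessionGuard
    Private Const OwnerKey As String = "__SessionOwner"   ' assumed key name

    ' Throw away all session variables and force a brand-new session ID.
    ' Session.Abandon() by itself leaves the ASP.NET_SessionId cookie in the
    ' browser, so the next request would come back with the same ID; expiring
    ' the cookie makes the server issue a fresh one. Call this on the logout
    ' page and on the login page's first (non-postback) load.
    Public Sub ResetSession(ctx As HttpContext)
        ctx.Session.Clear()
        ctx.Session.Abandon()
        Dim expired As New HttpCookie("ASP.NET_SessionId", String.Empty)
        expired.Expires = DateTime.UtcNow.AddDays(-1)
        expired.HttpOnly = True
        expired.Secure = ctx.Request.IsSecureConnection
        ctx.Response.Cookies.Add(expired)
    End Sub

    ' Call once, right after the login postback has authenticated the user:
    ' records which account this (fresh) session was created for.
    Public Sub BindSessionToUser(ctx As HttpContext, userName As String)
        ctx.Session(OwnerKey) = userName
    End Sub

    ' The per-page test GIDLIBRARY described, but with no database round trip:
    ' the session must carry the name of the currently authenticated user,
    ' otherwise it was not created for them (a stale session on a shared
    ' browser, or a session ID that was tampered with or borrowed).
    Public Function SessionBelongsToCurrentUser(ctx As HttpContext) As Boolean
        If Not ctx.Request.IsAuthenticated Then Return False
        Dim owner As String = TryCast(ctx.Session(OwnerKey), String)
        If owner Is Nothing Then Return False
        Return String.Equals(owner, ctx.User.Identity.Name, StringComparison.Ordinal)
    End Function

    ' Run from the master page's Page_Load so every protected page is covered.
    Public Sub EnforceSessionOwner(ctx As HttpContext)
        If Not SessionBelongsToCurrentUser(ctx) Then
            ResetSession(ctx)
            FormsAuthentication.SignOut()
            FormsAuthentication.RedirectToLoginPage()
        End If
    End Sub
End Module
```

Because the owner name is compared in memory against `User.Identity.Name`, the check costs nothing per page, which addresses the slowdown concern raised above.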
Sep 22, 2013 01:45 PM | speshulk926
Sessions are stored on the server, not the client machine. As I understand it, unless you write them out, they are not available to the browser. Anyone have any document somewhere that says otherwise? I realize that the login cookie is stored locally, but not the Session("test") variables.