[thelist] Session Spoofing
Anthony Baratta
Anthony at Baratta.com
Thu Apr 6 17:03:11 2000
Eric Engelmann wrote:
>
> I assume it's possible for someone to 'spoof' the session variable by
> creating their own, somehow, setting valid=true.
>
> Question - How tough is it to do? Is it something I need to be worried
> about? The site in question just fell into our realm, so I'm curious as to
> how much of a security risk it is.
Eric....
I'm not an ASP guru - but do think I understand the session stuff. The Session Object
works in two parts: One a "Memory" variable that holds all the data you stuff into
it. The other a cookie that is set on the browser with a unique id. The unique ids
between the cookie and the session variable must match in order for the server to
allow your asp code to access the session object.
If generation of the unique id is random enough to make guessing it impracticable
(and non-repeating), then it's fairly secure. But I wouldn't put it past Microsoft to
have skimped here.
Hope this helps.
--
Anthony Baratta
President
KeyBoard Jockeys
South Park Speaks Version 3 is here!!!
http://www.baratta.com/southpark
Powered by Tsunami
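The two-part mechanism Anthony describes (a server-side table of session data, keyed by an id that the browser presents in a cookie), as an added example that is not part of the original thread and is not ASP: a small Python model with a constructed session store, a constructed cookie header, and two id generators. The names `SessionStore`, `SESSIONID`, `random_id` and `sequential_id` are assumptions made for the example. It shows that a client-supplied `valid=true` in the cookie is never consulted, that an id the server did not issue resolves to nothing, and why the randomness of the id generator is the property that decides whether guessing is practical.

```python
import itertools
import secrets


class SessionStore:
    """Server-side half of the session: a table from session id to the
    data the application stores in it (constructed for this example)."""

    def __init__(self, id_generator):
        self._sessions = {}
        self._new_id = id_generator

    def create(self):
        sid = self._new_id()
        self._sessions[sid] = {}
        return sid

    def lookup(self, sid):
        # Only ids the server actually issued resolve to a session object.
        return self._sessions.get(sid)


def random_id():
    # 32 bytes from the OS CSPRNG: enumerating or guessing is impractical.
    return secrets.token_urlsafe(32)


_counter = itertools.count(1000)


def sequential_id():
    # Weak generator (hypothetical): ids are predictable, so a neighbouring
    # session's id can be derived from your own.
    return str(next(_counter))


def parse_cookies(header):
    """Parse a Cookie header such as 'a=1; b=2' into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def is_valid(store, cookie_header):
    """Server-side check: the 'valid' flag is read from the session object,
    never from anything the client sent in the cookie."""
    sid = parse_cookies(cookie_header).get("SESSIONID")
    session = store.lookup(sid) if sid else None
    return bool(session and session.get("valid"))


def login(store, sid):
    # Application code sets valid=true in the server-side half only.
    store.lookup(sid)["valid"] = True


def demo():
    results = {}

    strong = SessionStore(random_id)
    sid = strong.create()
    login(strong, sid)
    results["real_cookie"] = is_valid(strong, f"SESSIONID={sid}")
    # Client puts valid=true in the cookie with a made-up id: rejected,
    # because the flag lives in the server-side table, not the cookie.
    results["forged_flag"] = is_valid(strong, "SESSIONID=made-up; valid=true")
    # Guessing a CSPRNG id: 1000 fresh random values, none match.
    results["guess_random"] = any(
        is_valid(strong, f"SESSIONID={random_id()}") for _ in range(1000)
    )

    weak = SessionStore(sequential_id)
    first = weak.create()
    login(weak, first)
    # A second session issued right after it has the adjacent id, so the
    # first session's id is recoverable by arithmetic alone.
    second = weak.create()
    guessed = str(int(second) - 1)
    results["guess_sequential"] = is_valid(weak, f"SESSIONID={guessed}")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The mitigation side of the post is the `random_id` generator: with a CSPRNG-backed id of adequate length, the only way a cookie resolves to a session is to have been issued that id, and a client-side `valid=true` is irrelevant because the server never reads it. The `sequential_id` branch is there to show that the same store logic offers no protection at all when the id is predictable, which is exactly the property Anthony says to worry about.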