[thelist] Session Spoofing

Scott Dexter sgd at ti3.com
Thu Apr 6 17:19:31 2000


you can't.

The session object resides in the web server memory, and the only thing back
and forth to the browser is a 32 character Session ID cookie.

Basically, the browser has no idea or access into what you're storing in the
Session object....

sgd
--
think safely

> -----Original Message-----
> From: Eric Engelmann [mailto:eric@geonetric.com]
> 
> 
> Let's say I have a site that's protected by the presence (or
> lack of) of a
> session variable, in this case, via ASP:
> 
> If Not Session("valid") = True Then
>     Response.Redirect "/loginerror.htm"
> End If
> 
> I assume it's possible for someone to 'spoof' the session variable by
> creating their own, somehow, setting valid=true.