Home/ Questions/Q 873341
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T10:55:08+00:00

I am developing the application that stores current user and user’s role to session

  • 0

I am developing the application that stores current user and user’s role to session state (System.Web.SessionState.HttpSessionState Page.Session).

        if (Session["username"] == null)
            Session.Add("username", User.Identity.Name);

        if (Session["isAdministrator"] == null)
            Session.Add("isAdministrator", User.IsInRole(domain + "\\Domain Admins"));

After I check these session states in code behind for granting permissions to some excecution:

    if ((bool)Session["isAdministrator"] || computer.Administrators.Contains(Session["username"].ToString()))

My question is next: how safe that mechanism is? Is it possible to change the session states using some JavaScript for example or some how else?

Thanks 🙂

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It is not possible to change the session state using javascript or other client-side mechanisms, as the state is only stored on the server. However, it is, as others have pointed out, possible for a malicious user to hijack a session by getting hold of the contents of the session cookie.

    ASP.NET is designed with this weakness in mind – the session ID is suitably long and hard to predict. Also, the session cookie is marked as HTTP ONLY, which means that most modern browsers will not allow javascript code to access it.

    • 0