I wrote an ASP.Net MVC app that stores Session information in the database, but I can see the session id being stored in a browser cookie “ASP.NET_SessionId”. Is this a security risk? Can the id be used to hack/steal a user’s session?
The session id in the cookie is used to relate a stateless web request to stored state on the server.
With regard to security, I don’t think the ASP.NET_SessionId contains authentication details – that’s the .ASPXAUTH cookie (if you are using the built-in .NET membership providers). I think it can, in some circumstances, be used to steal a user’s session.
A great read on this is Troy Hunt’s blog, particularly the post “Anatomy of an insufficient transport layer protection attack”, where he packet-sniffs the cookies of Wi-Fi users in a McDonald’s and logs in as them.
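The attack the answer refers to works because a cookie sent over plain HTTP can be read by anyone on the same network. The usual defence is to serve the whole site over TLS and mark the session and forms-authentication cookies `Secure` (never sent over HTTP) and `HttpOnly` (not readable from page script). The following `web.config` fragment is an added example and is not from the question or answer above; it assumes an ASP.NET 4.x MVC app using SQL Server session state and Forms authentication, and the connection string is a placeholder.

```xml
<!-- Added example: hardened cookie settings for an ASP.NET 4.x app.
     Not part of the original thread; connection string is a placeholder. -->
<configuration>
  <system.web>
    <!-- requireSSL adds the Secure flag to every cookie ASP.NET issues,
         so ASP.NET_SessionId is never sent over plain HTTP.
         httpOnlyCookies keeps them out of reach of document.cookie. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Session state kept in SQL Server (as in the question); the cookie
         only carries the random id. UseCookies avoids cookieless (URL) ids,
         which would leak into logs and Referer headers. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="PLACEHOLDER_CONNECTION_STRING"
                  cookieless="UseCookies"
                  timeout="20" />

    <!-- .ASPXAUTH is the cookie that actually proves who the user is;
         requireSSL here makes Forms auth refuse to issue it over HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
```

With `requireSSL="true"` on `<httpCookies>`, the app must actually be reachable over HTTPS, otherwise cookies are set but never returned by the browser and users appear logged out. A quick check after deploying is to look at the `Set-Cookie` response header in the browser’s developer tools and confirm both `Secure` and `HttpOnly` are present on `ASP.NET_SessionId` and `.ASPXAUTH`.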