Is it possible to hack someone’s session variables and create a new shadow user?
What are the common ways of avoiding such surprizes?
SSL certificate installation or ….?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it possible to hack someone’s session variables and create a new shadow user?
What are the common ways of avoiding such surprizes?
SSL certificate installation or ….?
Short answer… it depends.
Session in ASP.NET can be stored in a variety of ways (InProc / SQL Server / State Server) etc… another thing to note is how the client session is maintained (query string value, cookies etc…)
As the poster in this answer suggests
Can we hack a site that just stores the username as a session variable?
One thing you could do when you authenticate the user and store their name in Session, would be to also store some other information about them. e.g. Their UserAgentString, their IP Address and if a different IP or UserAgentString attempted to interact with the session, you could invalidate it.