Home/ Questions/Q 9235755
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T07:07:38+00:00

My understanding is that ASP generates a cookie to authenticate a session. However, if

  • 0

My understanding is that ASP generates a cookie to authenticate a session. However, if that cookie is sent back and forth over a non https channel, can’t I spoof it simply by spoofing the cookie? Can the cookie be locked to a particular IP or other machine fingerprint?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Sessions in ASP.NET aren’t authenticated – authentication is entirely separate. By taking a session cookie and recreating it yes you can hijack the session, and if you lift an authentication cookie then you can authenticate as a user (which is why, by default, authentication cookies expire) – see http://msdn.microsoft.com/en-us/library/ms178581.aspx

    The security note is quite clear;

    SessionID values are sent in clear text, whether as a cookie or as
    part of the URL. A malicious user could get access to the session of
    another user by obtaining the SessionID value and including it in
    requests to the server. If you are storing sensitive information in
    session state, it is recommended that you use SSL to encrypt any
    communication between the browser and server that includes the
    SessionID value.

    • 0