Hacking session variables in Asp.NET

Question

Is it possible to hack someone\'s session variables and create a new shadow user?

What are the common ways of avoiding such surprizes?

SSL certificate insta

Answer 1

Anything is possible, however by default it's hard.

Generally you hijack a session by stealing the session cookie and recreating it on another machine. However in order to do this the web site must be vulnerable to Cross Site Scripting (which you can mitigate against with Server.HtmlEncode when you echo user input back). If if you do end up vulnerable the ASP.NET session cookie is marked as HTTP Only, which means, if a browser supports it, it is not accessible to access from client side scripts (although Safari ignores this setting).

Answer 2

Short answer... it depends.

Session in ASP.NET can be stored in a variety of ways (InProc / SQL Server / State Server) etc... another thing to note is how the client session is maintained (query string value, cookies etc...)

As the poster in this answer suggests

Can we hack a site that just stores the username as a session variable?

One thing you could do when you authenticate the user and store their name in Session, would be to also store some other information about them. e.g. Their UserAgentString, their IP Address and if a different IP or UserAgentString attempted to interact with the session, you could invalidate it.