Just wondering: since the session id is stored in a cookie client side, I can easily modify that cookie and change the session id value to that of another user's session id, allowing the first user to obtain data from the second user. If session was used to store a "log in session", a user could be logged in as if it was another user, so are sessions that easily "hackable"? I tried it myself, and I could easily navigate with another user's session; maybe this only worked because both sessions were from the same IP and computer, but does the ASP MVC engine provide any security checks to avoid this?

Cristiano Coelho

1 Answer

You should not use session to store a "log in session". The .ASPXAUTH cookie is used to store the authenticated user's information and this cookie is encrypted with the machine key that you either set or is auto-generated by IIS.

If you are concerned about session hijacking (depending on your application, you should be) then you should use a combination of the authentication cookie (userId) and the information in session to ensure that the values indeed match.

The two concepts of Session and Authentication are typically confused and mixed up, but they should not be. One identifies the user to the application and confirms that the user actually has been authenticated (Forms Auth Ticket/Cookie); the other simply stores data between web requests.

Here is some more information surrounding the Forms Authentication Ticket and Cookie for .NET.

Also, please see this Q&A that is somewhat related to your question - it may provide some more insights into how things work and help you achieve what you need.

Tommy
  • I know I should be using the AuthCookie provided by ASP MVC; however, in this app I need to simulate "2 sessions": I need to keep two separate user sessions in the same page, in a way that he can log in to either of them, and logging out from one doesn't interfere with the other. So I have ended up using the framework session to achieve this. Otherwise I think I should make my own session cookies? – Cristiano Coelho May 08 '13 at 23:22
  • That is some weird requirement action you have there that I do not fully understand. However, you could issue your own cookie with encrypted information that would enable you to both be secure and achieve what you want. AFAIK, you cannot have two sessions from one client anyways, so...my knowledge on that is going to be limited. However, to your original question, no, the session id will just be stored in plain text. – Tommy May 08 '13 at 23:26
  • Added a tad more at the end that might help you out – Tommy May 08 '13 at 23:28
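As an added illustration of the check the answer recommends (this is example code written for this page, not code from the question, the answer, or the ASP.NET framework itself): an ASP.NET MVC action filter that records which forms-authenticated user first used a Session and rejects any later request where the `.ASPXAUTH` ticket names a different user than the one the `ASP.NET_SessionId` cookie was bound to. The class name `BindSessionToUserAttribute` and the session key `"__SessionOwner"` are assumed names chosen for the example; the framework types used (`ActionFilterAttribute`, `HttpSessionStateBase`, `FormsAuthentication`, `HttpUnauthorizedResult`) are the standard System.Web.Mvc / System.Web.Security ones.

```csharp
// Added example for this page, not the project's or the framework's own code.
// Binds the ASP.NET Session to the user named in the forms-auth ticket and
// refuses requests where the two disagree, as the answer above suggests.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class BindSessionToUserAttribute : ActionFilterAttribute
{
    // Assumed key name: where the owning user's name is recorded in Session.
    private const string SessionOwnerKey = "__SessionOwner";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;
        HttpSessionStateBase session = http.Session;

        // Nothing to bind if the action has no session state or the request
        // carries no authentication ticket (anonymous session data stays
        // reachable to whoever holds the cookie, which is the question's point).
        if (session == null || http.User == null || !http.Request.IsAuthenticated)
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // User name as decrypted from the .ASPXAUTH ticket by FormsAuthenticationModule.
        string ticketUser = http.User.Identity.Name;
        string sessionOwner = session[SessionOwnerKey] as string;

        if (sessionOwner == null)
        {
            // First authenticated request on this session: record its owner.
            session[SessionOwnerKey] = ticketUser;
        }
        else if (!string.Equals(sessionOwner, ticketUser, StringComparison.Ordinal))
        {
            // The session id cookie was issued to a different user than the
            // auth ticket says: treat it as hijacking, drop both, refuse the request.
            session.Clear();
            session.Abandon();
            FormsAuthentication.SignOut();
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}

// Register once in App_Start/FilterConfig.cs so every controller action is covered:
//     filters.Add(new BindSessionToUserAttribute());
```

Two practical notes on using it. In the login action, call `Session.Clear()` before `FormsAuthentication.SetAuthCookie(...)` so that data left over from a previous user on the same session id is not inherited, and on logout call `Session.Abandon()` alongside `FormsAuthentication.SignOut()`. The check only protects data once a user is authenticated: a session that has never seen an auth ticket has no owner to compare against, so anything stored in it before login is still readable by anyone who can present its cookie, exactly as the question observed.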