2

How can I be sure that a session is valid? What happens if a user changes his ASP.NET SessionId cookie and guesses the ID of another logged-in user?

AstroCB
sparrows81
  • possible duplicate of [Can some hacker steal the cookie from a user and login with that name on a web site?](http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s) – Aristos May 16 '13 at 14:55

2 Answers

1

If I've understood the question correctly, it's regarding someone opening their ASP.NET session cookie manually, changing the value and then sending it off and having their updated value recognised as someone else's session, logging them in as that person.

There's a bit of a mix up here between the session cookie and the authentication cookie. Guessing the session id of someone who's logged on will 'get' you their session, but you won't be logged on as them unless you also have their authentication cookie.

Guessing or brute-forcing either of these values is effectively impossible; the session id c12ylm55kp3uirruo4is5sm5 or the ASP.NET authentication cookie value:

3C886BA2344099338361C921C846EAF4E02F2A88E5E7EDE6838705928F7BB7C6FF469D35FE
B1532C44B81DB38F200DEE08B6ED0E6121B945C659E932D8CE8B69FFF09E7B59DBE4820873
DBD7891DD6B6BC4A486F35A2F99849017A6C72D9C6A44517D9AFDC731B3A3C55596E797328
06F7DDDF9F

...would take an impractical amount of time to guess - tens to hundreds of thousands of years.

Steve Wilkes
  • Have you seen this question?: http://stackoverflow.com/questions/2448720/different-users-get-the-same-cookie-value-in-aspxanonymous – Aristos May 16 '13 at 15:30
  • Yes, you've understood me, but I think it is easy to guess a code like this: c12ylm55kp3uirruo4is5sm5. So what can we do? I'm looking for a solution to add more security. I was thinking about checking the user IP/proxy IP and asking them to enter their password if the same token is associated with another IP, but it is tedious for those users who don't have a static IP – sparrows81 May 16 '13 at 15:33
  • e.g. I can make a brute-force attack: I can generate random session cookie IDs, then make a web request to the server and check if the response has the word "Welcome". – sparrows81 May 16 '13 at 15:40
  • @Aristos - I'd not seen that question, but this question is about authenticated users so I'm not sure it applies? user2236886 - I've updated my answer. – Steve Wilkes May 16 '13 at 18:40
  • @SteveWilkes The question says that there are cases where the cookie is the same. And there is also the case of stealing the cookie - it does not matter how it is done, but he can. (the session cookie, not the authentication cookie) Now in your answer you have mixed the auth cookie with the session cookie - they are not the same! – Aristos May 16 '13 at 18:44
  • @Aristos ah yes, fair point - I was reflecting the mix up in the question, honest :) I've updated my answer. Yes, cookies can be stolen, but that's not what this question is about. – Steve Wilkes May 17 '13 at 05:49
0

There are two cookies that we need to talk about.

  1. The cookie that is connected with the session
  2. The cookie that holds the authentication.

They are not the same, and the issue here is what to do to prevent someone from stealing the authentication - Can some hacker steal the cookie from a user and login with that name on a web site?

The most important points to me are:

  1. Require SSL to store the authentication cookie
  2. When the user logs out (based on that article), set a flag in the session to block this authentication cookie. Even better, keep the logged-out authentication cookie in a database as logged out.

Now if you also want to protect the session cookie you should use SSL on all pages. Or else keep only unimportant information in the session. Where and how to use the SSL

Aristos
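One way to implement point 2 above (a server-side record of logged-out authentication cookies), as an added C# example that is not part of the answer: a hypothetical Global.asax that stores a hash of the Forms Authentication cookie at logout and rejects that cookie on any later request. It assumes slidingExpiration="false" in web.config (so the cookie value stays constant for one login) and uses an in-memory dictionary as a stand-in for the database table the answer suggests; the SQL store and `requireSSL="true"` from point 1 are left to web.config.

```csharp
// Global.asax.cs (hypothetical file name) - added example, not from the answer.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Stand-in for the "logged out" database table: fingerprint -> ticket expiry.
    // Entries can be purged once the ticket's own expiry has passed.
    private static readonly ConcurrentDictionary<string, DateTime> RevokedTickets =
        new ConcurrentDictionary<string, DateTime>();

    // Never store the raw cookie value; a SHA-256 fingerprint is enough to match it.
    private static string Fingerprint(string encryptedTicket)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(encryptedTicket)));
    }

    // Call from the logout handler in place of a bare FormsAuthentication.SignOut().
    public static void RevokeCurrentTicket(HttpContext ctx)
    {
        var cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie != null)
        {
            FormsAuthenticationTicket ticket = null;
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (Exception) { /* tampered or foreign ticket: nothing to record */ }
            var expiry = ticket != null ? ticket.Expiration : DateTime.UtcNow.AddDays(1);
            RevokedTickets[Fingerprint(cookie.Value)] = expiry;
        }
        FormsAuthentication.SignOut();
    }

    // Runs after Forms Authentication has built ctx.User from the cookie.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var ctx = HttpContext.Current;
        var cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || !RevokedTickets.ContainsKey(Fingerprint(cookie.Value))) return;

        // A cookie replayed after logout: treat the request as anonymous and clear it.
        ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        FormsAuthentication.SignOut();
    }
}
```

A stolen session ID is still only a session; the check above does not touch the ASP.NET_SessionId cookie, which is why the answer recommends keeping nothing sensitive in session state unless all pages are served over SSL.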