
I'm exploring cookies and sessions [I'm using them with respect to the ASP.NET C# Microsoft framework]

Learnt how sessions and cookies work here and here.

My take on it is like,

  1. Once a user logs in and establishes a session, he or she is given a session id to track them further.

  2. Also, this sessionId can be stored on a server, like SQL Server, or an InProc, meaning it is stored on the issuing server or in a cache, Redis Cache.

My question is like,

I can understand that the sessionId is stored in memory and is sent with every request (since HttpSessions are stateless) as HttpHeaders.

  1. When we talk about storing sessions in memory, which memory are we talking about ?
  2. If we are storing them in a cookie, what if I go and modify the cookie ?
  3. If I can modify them, what if I change the sessionId and supply a new sessionId ?
Alexei Levenkov
  • 1 is duplicate of https://stackoverflow.com/questions/3801675/where-cookies-are-stored-in-system, 2/3 - not really sure what you are asking about - if you modify cookie it will be different... so can you clarify what exactly unclear in that case? – Alexei Levenkov Jan 29 '18 at 06:18
  • What If I modify the cookie which contains the `sessionId` and supply a new `sessionId` ? – now he who must not be named. Jan 29 '18 at 06:19
  • What happened when you tried? Changing cookie values is trivial https://stackoverflow.com/questions/7215547/how-to-update-and-delete-a-cookie – Alexei Levenkov Jan 29 '18 at 06:32
  • `Once a user logs in and establishes a session` - Logging in has absolutely nothing to do with session state or the session id, as authentication and session state are 2 independent things. It is usually better (when possible) to use authentication *without* using session state as pointed out in [Think twice about using session state](https://brockallen.com/2012/04/07/think-twice-about-using-session-state/). – NightOwl888 Jan 29 '18 at 08:49

2 Answers


1. When we talk about storing sessions in memory, which memory are we talking about ?

Ans: InProc mode, which stores session state in memory on the Web server (RAM). This is the default.

2. If we are storing them in a cookie, what if I go and modify the cookie ?

Ans: Only the session id is stored in the cookie. If you don't want to use cookies for session tracking, the asp.net framework also supports appending it to the URL. If you change the cookie value, the server will not be able to identify the request with the stored session data. You need to understand that HTTP is a stateless protocol; the sessionid is the identifier of a browser for the request during roundtrips. If you change the cookie value, the server will not be able to identify the request.

By luck, if you supply a valid sessionid, the server will serve the content stored in session against that id. This is called session hijacking.

https://en.wikipedia.org/wiki/Session_hijacking

3. If I can modify them, what if I change the sessionId and supply a new sessionId ?

Ans: If you are talking about the SessionId of System.Web.SessionState, it can't be changed as it is readonly. But you are free to change anything at the client side (cookie or URL).

Namespace: System.Web.SessionState

Assembly: System.Web (in System.Web.dll)

public string SessionID { get; }
PSK
  • "If you disable the cookies for session tracking, asp.net framework will append it in the URL by default." - really? There is no way for server to know if cookies disabled... And there is no automatic fallback to insecure storing session id in the url... – Alexei Levenkov Jan 29 '18 at 06:27
  • "If you change the cookie value, server will not be able to identify the request." - server indeed will be able to identify request... to whatever value you set the cookie to. If you change it to a valid id a new session will be created (or you sneak into someone else's sessions) – Alexei Levenkov Jan 29 '18 at 06:28
  • Same thing i have mentioned "Session Hijacking" – PSK Jan 29 '18 at 06:30
  • "You can’t change the sessionid, it’s readonly."??? SessionId is simply value of a cookie, you even yourself said it can be changed... Indeed you can change it and indeed you can change it to some other valid session (unless you are talking about something else, but OP seem to be asking about values in cookies) – Alexei Levenkov Jan 29 '18 at 06:30
  • @PSK: Is Session state stored in the browser's memory ? – now he who must not be named. Jan 29 '18 at 06:31
  • @nowhewhomustnotbenamed. does not your question already contain the answer "InProc, meaning it is stored on the issuing server "? (And this answer repeats the same in 1)... Can you clarify what exactly is causing confusion? – Alexei Levenkov Jan 29 '18 at 06:34
  • @AlexeiLevenkov, I have updated and made it more clear. – PSK Jan 29 '18 at 06:35
  • @AlexeiLevenkov: Got it now. Thanks. – now he who must not be named. Jan 29 '18 at 06:35
  • @nowhewhomustnotbenamed. no, Session state is stored in server memory not on the browser. – PSK Jan 29 '18 at 06:36
  1. The session data is stored on the server, either in memory or in a database. This data is looked up with a sessionId that is stored in a cookie.

2/3. Modifying the sessionId is known as session hijacking, and allows you to "be" that user. This is commonly exploited with attacks like cross-site scripting (XSS).

To protect against hijacking make sure that:

  • The cookie is encrypted. There are ways for ASP.NET to do this for you, but this way it cannot be tampered with
  • The cookie is set to HttpOnly. This ensures that the cookie can only be sent over http requests and things like JavaScript - and thus XSS attacks - don't have access to the cookie.
  • If you are using something like ASP.NET Session State, change the default name of the cookie so it is not easily recognizable
Kyle Dodge
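As an added example, not code from either answer: a web.config fragment for a System.Web application showing the risky session-cookie settings beside hardened ones that cover the protections listed above. The cookie name is assumed; the element and attribute names are the real System.Web settings, and the two sameSite attributes require .NET Framework 4.7.2 or later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed web.config fragment for an ASP.NET (System.Web) application. -->
<configuration>
  <system.web>

    <!-- WEAK: the session cookie keeps its well-known default name
         ASP.NET_SessionId, "AutoDetect" (like "UseUri") can carry the id
         in the URL where it lands in logs and Referer headers, scripts
         can read the cookie, and it is sent over plain HTTP. -->
    <!--
    <sessionState mode="InProc" cookieless="AutoDetect" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    -->

    <!-- HARDENED -->
    <sessionState
        mode="InProc"
        cookieless="UseCookies"
        cookieName="app-sid"
        timeout="20"
        cookieSameSite="Lax" />
        <!-- UseCookies: never fall back to a session id in the URL.
             cookieName: assumed value; replaces the recognizable default.
             timeout: idle minutes before the server discards the session.
             cookieSameSite: browser withholds the cookie on cross-site
             requests (.NET Framework 4.7.2+). -->

    <httpCookies
        httpOnlyCookies="true"
        requireSSL="true"
        sameSite="Lax" />
        <!-- httpOnlyCookies: document.cookie cannot read it, so a script
             injected via XSS cannot exfiltrate the session id.
             requireSSL: the Secure flag is set, so browsers only send the
             cookie over HTTPS.
             sameSite: default for all cookies the application issues
             (.NET Framework 4.7.2+). -->

  </system.web>
</configuration>
```

These settings protect the id in transit and from script; the application should still call Session.Abandon() on logout so a captured id stops mapping to stored session data.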