Re: IIS6 - Can session id be manipulated?
- From: "Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx>
- Date: Tue, 29 Jan 2008 15:00:16 -0000
Kim wrote on Tue, 29 Jan 2008 12:59:41 +0100:
> Hi,
> I have gotten a question about how IIS6 handles the session id
> (cookie).
> I've got a very persistent customer who claims that you can just
> hijack another session by changing the session id in your own session
> cookie.
> I'm no security expert, but I find that very hard to believe. Although
> I haven't been able to find documentation about how the IIS
> handles the session id in a secure way, so it can't be manipulated.
> Does anyone have some links to MS descriptions or something like that,
> so I can show the customer you can just hijack another person's
> session?
> Thanks,
> John
I'm pretty sure that your customer is right - otherwise you'd get all sorts
of issues with customers on dynamically changing IP addresses or proxies
hiding other possibly identifiable information to tie the cookie to. Of
course, the hijacker would have to actually guess or determine the session
cookie that they want to hijack, and if they manage to intercept the cookie
then hijacking a session could be the least of your, or your customers',
problems, as they'd likely also be able to just dump all the packets and view
what is being passed back and forth anyway.
I don't use the ASP sessions except for the odd occasion where it makes it
easy to handle some non-critical temporary data (like generated captcha
values for subsequent comparison in forms); all the sites I run use a custom
session handling system that combines a variety of factors to determine
possible hijacking of the cookies used.
--
Dan
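The mechanism Dan describes, as an added example that is not part of the original thread and is not IIS or classic ASP code: a Python model of a session store that is keyed on nothing but the cookie value (the behaviour being asked about), next to one that binds the session at creation to a keyed hash of request properties other than the IP address, which is the kind of "variety of factors" check a custom scheme can apply. All class and function names, header values and the server key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original post. Models two session stores:
# one keyed purely on the cookie value, one that also binds the session to a
# server-side fingerprint. Names and sample headers are constructed.


class CookieOnlySessions:
    """Session lookup keyed purely on the cookie value: whoever presents the
    cookie owns the session, however unguessable the id is."""

    def __init__(self):
        self._store = {}

    def create(self, user):
        sid = secrets.token_urlsafe(24)  # 192 bits of randomness: not guessable
        self._store[sid] = {"user": user}
        return sid

    def lookup(self, cookie):
        data = self._store.get(cookie)
        return data["user"] if data else None


class BoundSessions:
    """Same id generation, but the session is bound at creation to an HMAC of
    request properties that should stay stable for one client (User-Agent and
    Accept-Language here; deliberately not the IP address, which changes
    behind proxies and on dynamic addresses). A mismatch voids the session."""

    def __init__(self, server_key):
        self._store = {}
        self._key = server_key

    def _fingerprint(self, headers):
        material = "|".join(headers.get(h, "") for h in ("User-Agent", "Accept-Language"))
        return hmac.new(self._key, material.encode(), hashlib.sha256).hexdigest()

    def create(self, user, headers):
        sid = secrets.token_urlsafe(24)
        self._store[sid] = {"user": user, "fp": self._fingerprint(headers)}
        return sid

    def lookup(self, cookie, headers):
        data = self._store.get(cookie)
        if data is None:
            return None
        if not hmac.compare_digest(data["fp"], self._fingerprint(headers)):
            # Valid cookie presented by a client that looks different: treat
            # as a possible hijack and destroy the session server-side.
            del self._store[cookie]
            return None
        return data["user"]


def demo():
    """Victim logs in; attacker replays the victim's cookie from a different
    client. Returns (hijack_succeeds_cookie_only, hijack_succeeds_bound)."""
    victim_headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0)",
                      "Accept-Language": "da-DK"}
    attacker_headers = {"User-Agent": "curl/7.18.0", "Accept-Language": "en-US"}

    plain = CookieOnlySessions()
    stolen = plain.create("kim")
    plain_hijacked = plain.lookup(stolen) == "kim"

    bound = BoundSessions(server_key=b"constructed-demo-key")
    stolen2 = bound.create("kim", victim_headers)
    assert bound.lookup(stolen2, victim_headers) == "kim"  # legitimate client still works
    bound_hijacked = bound.lookup(stolen2, attacker_headers) == "kim"
    return plain_hijacked, bound_hijacked


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The binding is a heuristic, which matches Dan's wording of "possible hijacking": an attacker who captured the cookie off the wire most likely captured the User-Agent with it and can replay both, so the fingerprint raises the bar against a copied cookie value alone rather than proving the client is the original one. Keeping the random id is what makes the "guess or determine" step hard; the fingerprint only addresses the case where the value has already been obtained.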