Re: IIS6 - Can session id be manipulated?



Hi,

Thank you for the answer.
I don't think it's so much a case of whether you can grab another person's
session cookie from a non-secure line or not.
It's more like this:
I sit on computer A connected to server X
You sit on computer B connected to server X

If I can guess your session id and put that number in my own session cookie,
can I then get access to your session data?

Regards,
John


"Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx> wrote in message
news:OUuKyhoYIHA.6068@xxxxxxxxxxxxxxxxxxxxxxx

Hi,

I have gotten a question about how IIS6 handles the session id
(cookie).
I've got a very persistent customer who claims, that you can just
hijack another session by changing the session id in your own session
cookie.
I'm no security expert, but I find that very hard to believe. Although
I haven't been able to find documentation about how the IIS
handles the session id in a secure way, so it can't be manipulated.

Does anyone have some links to MS descriptions or something like that,
so I can show the customer you can just hijack another person's
session?

Thanks,
John


For a bit more info, try this:
http://www.microsoft.com/technet/security/Bulletin/MS00-080.mspx

it describes a patch for IIS4 and IIS5 to ensure that the session id
cookie used on secure (SSL) pages wasn't also used when viewing non-secure
pages. This helps to reduce the possibility of a hijack if you allow
customers to view both secure and non-secure pages on your site. It still
doesn't solve the problem, as it requires that two different session IDs
are used for secure and non-secure pages, so the non-secure one could
still be hijacked.

If you're really worried about session hijacking, run everything over
SSL - while it won't completely prevent it, it reduces the risk because in
order to get the session cookie the hijacker would have to intercept the
data when it's unencrypted (either at the customer's browser, or the
server) and if that happens then you've got a lot more to worry about than
session cookies.

--
Dan
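The two points the thread turns on, John's question (a session store keyed by nothing but the ID hands the data to whoever presents that ID, so everything rests on the ID being unguessable) and Dan's advice (keep the session cookie off non-SSL pages), as an added example that is not part of the thread and not IIS or ASP code. The session store below is a constructed stand-in for how a classic server-side session table behaves, the cookie name `SESSIONID` is a made-up value, and the ID generators are illustrative: a counter standing in for a predictable scheme, and `secrets.token_hex` for a properly random one.

```python
"""Why session-ID unpredictability and the Secure flag matter.

Constructed example for a newsgroup thread on IIS6 session cookies;
the SessionStore models a server that identifies the caller by session
ID alone, which is the premise of the question in the thread.
"""
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side session table keyed solely by the session ID.

    Nothing else (client address, TLS channel, signature) is checked,
    so presenting a valid ID is the same as being that user.
    """

    def __init__(self, new_id):
        self._sessions = {}
        self._new_id = new_id

    def create(self, data):
        sid = self._new_id()
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid):
        # Returns the session data for any ID that exists, whoever sends it.
        return self._sessions.get(sid)


def sequential_ids():
    """Predictable scheme (illustrative): IDs are consecutive 8-digit numbers."""
    counter = 0

    def gen():
        nonlocal counter
        counter += 1
        return f"{counter:08d}"

    return gen


def random_ids(nbytes=16):
    """Unpredictable scheme: nbytes from a CSPRNG, rendered as hex."""
    return lambda: secrets.token_hex(nbytes)


def hex_id_bits(sid):
    """Upper bound on the entropy of a hex ID drawn uniformly at random."""
    return len(sid) * 4


def guess_success_probability(active_sessions, id_bits):
    """Chance that a single uniformly random guess matches some live session."""
    return active_sessions / 2.0 ** id_bits


def cookie_problems(set_cookie_value, name):
    """Return the attributes a session cookie should carry but does not.

    `set_cookie_value` is the value of a Set-Cookie header (without the
    "Set-Cookie:" header name). A missing Secure flag means the browser
    will also send the cookie over plain HTTP, which is the weakness the
    MS00-080 bulletin in the thread addresses; HttpOnly keeps script
    from reading it.
    """
    jar = SimpleCookie(set_cookie_value)
    morsel = jar[name]
    missing = []
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    weak = SessionStore(sequential_ids())
    alice = weak.create({"user": "alice"})
    bob = weak.create({"user": "bob"})
    # With consecutive IDs the store cannot tell Bob from anyone who
    # presents Bob's ID, and Bob's ID is one more than Alice's.
    print("sequential IDs:", alice, bob, "->", weak.lookup(bob))

    strong = SessionStore(random_ids())
    carol = strong.create({"user": "carol"})
    bits = hex_id_bits(carol)
    print(f"random ID has {bits} bits; one guess among 1000 live sessions "
          f"succeeds with p = {guess_success_probability(1000, bits):.1e}")

    for header in ("SESSIONID=abc123; Path=/",
                   "SESSIONID=abc123; Path=/; Secure; HttpOnly"):
        print(header, "-> missing:", cookie_problems(header, "SESSIONID"))
```

The store answers John's question as asked: yes, if the server trusts the cookie value alone, a correctly guessed ID is that user's session. Whether a guess is feasible is entirely a property of the ID generator, which is why the check worth doing is on the ID's randomness and on the cookie attributes, not on the lookup code.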