Re: IIS6 - Can session id be manipulated?




"Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx> skrev i en meddelelse
news:usxZGfCZIHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
John wrote on Thu, 31 Jan 2008 13:28:45 +0100:

Hi,

Thank you for the answer.
I don't think it's so much a case of whether you can grab another
persons session cookie from a non-secure line or not.
It's more like this:
I sit on computer A connected to server X
You sit on computer B connected to server X

If I can guess your session id and put that number in my own session
cookie, can I then get access to your session data?

Regards, John

Yes, that's right. I did say in my other reply that the hijacker would
have to guess it or determine it.

Getting access to a session isn't always a critical issue though - for
instance, on my own sites ASP sessions are only used for holding a captcha
string for a short time, no personal information is held in an ASP session
object and without a page on the sites that spits out what values the
session object contains even being able to hijack a session on my sites is
a waste of time.


Hi,

Thank you for the answer.
I must say, that I'm a bit surprised/worried it is that "easy" to take over
another persons session... just by guessing their session id.
I had expected that maybe the id was signed by the server or something like
that, so that it couldn't be manipulated.

Regards,
John


.