Re: IIS6 - Can session id be manipulated?
- From: "John Hansen" <xxxx@xxxxxxxxxxx>
- Date: Mon, 4 Feb 2008 09:41:43 +0100
"Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx> wrote in message
news:usxZGfCZIHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
> John wrote on Thu, 31 Jan 2008 13:28:45 +0100:
>> Hi,
>> Thank you for the answer.
>> I don't think it's so much a case of whether you can grab another
>> person's session cookie from a non-secure line or not.
>> It's more like this:
>> I sit on computer A connected to server X
>> You sit on computer B connected to server X
>> If I can guess your session id and put that number in my own session
>> cookie, can I then get access to your session data?
>> Regards, John
>
> Yes, that's right. I did say in my other reply that the hijacker would
> have to guess it or determine it.
>
> Getting access to a session isn't always a critical issue though - for
> instance, on my own sites ASP sessions are only used for holding a captcha
> string for a short time, no personal information is held in an ASP session
> object and without a page on the sites that spits out what values the
> session object contains even being able to hijack a session on my sites is
> a waste of time.
Hi,
Thank you for the answer.
I must say that I'm a bit surprised/worried it is that "easy" to take over
another person's session... just by guessing their session id.
I had expected that maybe the id was signed by the server or something like
that, so that it couldn't be manipulated.
Regards,
John
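The thread's question is whether a server can make a session id something a client cannot simply guess and paste into its own cookie. The following is an added example, not code from this thread and not a description of how IIS6 or classic ASP actually builds its session ids: it shows the two ingredients John expected, a session id drawn from a cryptographic random source (so guessing is infeasible) and a server-side HMAC tag appended to it (so a forged or edited id is rejected before any session store lookup). The key, the store contents and the cookie format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for the example; a real server loads this from
# protected configuration and never sends it to clients.
SERVER_KEY = secrets.token_bytes(32)


def issue_session_id(key: bytes = SERVER_KEY) -> str:
    """Create a new session cookie value: <random id>.<hmac tag>.

    The id is 128 bits from the OS CSPRNG, so an attacker cannot enumerate
    or predict it; the tag binds it to the server key, so the client cannot
    change the id part without the server noticing.
    """
    sid = secrets.token_hex(16)
    tag = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def verify_session_id(cookie: str, key: bytes = SERVER_KEY):
    """Return the session id if the cookie's tag is valid, else None."""
    try:
        sid, tag = cookie.split(".", 1)
    except ValueError:
        return None  # malformed cookie: no separator
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(tag, expected):
        return sid
    return None


def lookup_unsigned(sid: str, store: dict):
    """Lookup as in the scenario John describes: any id that happens to
    exist in the store is accepted, so a correct guess yields the session."""
    return store.get(sid)


def lookup_session(cookie: str, store: dict, key: bytes = SERVER_KEY):
    """Signed lookup: the store is only consulted for cookies whose tag
    the server itself produced, so guessing an id is not enough."""
    sid = verify_session_id(cookie, key)
    if sid is None:
        return None
    return store.get(sid)


if __name__ == "__main__":
    store = {}
    cookie = issue_session_id()
    sid = verify_session_id(cookie)
    store[sid] = {"user": "alice"}  # constructed session data

    print("valid cookie:", lookup_session(cookie, store))
    # A client that knows (or guessed) the id but not the key cannot
    # produce a valid tag, so the signed lookup rejects it.
    forged = sid + "." + "0" * 64
    print("forged cookie:", lookup_session(forged, store))
    # The unsigned lookup would have handed the session over.
    print("unsigned lookup of guessed id:", lookup_unsigned(sid, store))
```

The signature only stops forgery and tampering; it does nothing against an attacker who obtains a complete, validly signed cookie (for example over an unencrypted connection, the point Daniel raised earlier in the thread). Transport protection, short lifetimes and server-side invalidation remain necessary alongside the signed id.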