Re: IIS6 - Can session id be manipulated?

"Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx> wrote in a message
John wrote on Thu, 31 Jan 2008 13:28:45 +0100:


Thank you for the answer.
I don't think it's so much a case of whether you can grab another
person's session cookie from a non-secure line or not.
It's more like this:
I sit on computer A connected to server X
You sit on computer B connected to server X

If I can guess your session id and put that number in my own session
cookie, can I then get access to your session data?

Regards, John

Yes, that's right. I did say in my other reply that the hijacker would
have to guess it or determine it.

Getting access to a session isn't always a critical issue though - for
instance, on my own sites ASP sessions are only used for holding a captcha
string for a short time, no personal information is held in an ASP session
object and without a page on the sites that spits out what values the
session object contains even being able to hijack a session on my sites is
a waste of time.


Thank you for the answer.
I must say that I'm a bit surprised/worried it is that "easy" to take over
another person's session... just by guessing their session id.
I had expected that maybe the id was signed by the server or something like
that, so that it couldn't be manipulated.
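To make the point of the thread concrete, here is an added illustration (my own example, not code from the posters and not how IIS6/classic ASP actually implements ASPSESSIONID). It models two toy session servers: one that hands out sequential, unsigned ids, where a client who edits the id in their own cookie is simply handed the other user's session data, and one that uses unpredictable ids and signs them with a server-side HMAC key, so a guessed or tampered id is rejected. The server key, user names and cart contents are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed for this example only. A real deployment keeps this out of source.
SERVER_KEY = b"example-server-key-not-for-production"


def sign(session_id: str) -> str:
    """Cookie value = id + '.' + HMAC-SHA256(SERVER_KEY, id)."""
    mac = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify(cookie_value: str):
    """Return the session id if the MAC checks out, else None."""
    try:
        session_id, mac = cookie_value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    return session_id


class SessionServer:
    """In-memory session store; `signed` selects the strong or the weak scheme."""

    def __init__(self, signed: bool):
        self.signed = signed
        self.store = {}
        self.counter = 1000  # sequential ids for the weak scheme

    def new_session(self, data) -> str:
        if self.signed:
            sid = secrets.token_hex(16)  # 128 random bits: not guessable in practice
            cookie = sign(sid)
        else:
            sid = str(self.counter)  # predictable: neighbour ids are trivially guessed
            self.counter += 1
            cookie = sid
        self.store[sid] = data
        return cookie

    def lookup(self, cookie_value: str):
        sid = verify(cookie_value) if self.signed else cookie_value
        if sid is None:
            return None
        return self.store.get(sid)


def demo_sequential_guess():
    """Weak scheme: B logs in and gets '1000', A gets '1001', A rewrites own cookie to '1000'."""
    server = SessionServer(signed=False)
    server.new_session({"user": "B", "cart": ["item-42"]})
    server.new_session({"user": "A"})
    return server.lookup("1000")  # A now reads B's session data


def demo_signed_guess():
    """Signed scheme: knowing or guessing B's id is not enough without SERVER_KEY."""
    server = SessionServer(signed=True)
    cookie_b = server.new_session({"user": "B"})
    cookie_a = server.new_session({"user": "A"})
    sid_b = cookie_b.split(".")[0]
    mac_a = cookie_a.split(".")[1]
    forged = f"{sid_b}.{'0' * 64}"   # right id, made-up MAC
    tampered = f"{sid_b}.{mac_a}"    # right id, MAC copied from A's own cookie
    return server.lookup(forged), server.lookup(tampered)


if __name__ == "__main__":
    print("sequential, unsigned ->", demo_sequential_guess())
    print("random, signed       ->", demo_signed_guess())
```

Two caveats worth keeping in mind when reading this against the thread. First, the signature only protects against an attacker who has to guess or alter the id; it does nothing against an attacker who captures a complete, valid cookie off an unencrypted connection, which is the case the earlier reply was about. Second, what actually makes a session id safe is the entropy of the id itself: a 128-bit random id is already infeasible to guess, and the MAC mainly adds tamper evidence and lets the server reject junk before touching its session store.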


