Are Session Variables Secure


aspdaddy

1:40 pm on Sep 21, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think most ecommerce sites work like this, you login and then view pages only accessible to you.

Somehow the server has to know that you are logged in, either by setting/checking a regular cookie, session cookie/variable, querystring or form; data is passed between client and server to make this decision.

Is this secure?

I am planning on using Session variables over SSL.
Is it any more secure?

Easy_Coder

2:06 pm on Sep 21, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It should be, they're encrypted even w/o SSL and should contain an encrypted GUID that walks back to a hashtable that is managed by IIS.

mrMister

4:50 pm on Sep 21, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You pose quite an interesting question. Certainly in classic ASP, it was possible in some circumstances to predict the value of session IDs generated by the server. I don't think this is as likely in ASP.Net because they use UUIDs which shouldn't be as predictable.

Certainly it's possible for someone to intercept a Session ID over an unencrypted connection and then hijack the session.

Using SSL is more secure as it will encrypt the Session ID cookie so an eavesdropper will not be able to determine the value of the cookie. However, make sure you disable cookieless sessions. If a user were to use a cookieless session, then the Session ID would be passed unencrypted, even over an SSL connection.
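As an added example (not posted by anyone in this thread), here is the ASP.NET web.config setting mrMister warns about beside its hardened form; the `sessionState` and `httpCookies` attributes are the standard ASP.NET 2.0 ones.

```xml
<!-- Weak: cookieless sessions carry the session ID in the URL instead of a
     cookie, so it shows up in browser history, server logs and Referer
     headers, where SSL on the wire does not help. -->
<configuration>
  <system.web>
    <sessionState cookieless="UseUri" />
  </system.web>
</configuration>

<!-- Hardened: the session ID only ever travels in a cookie, the cookie is
     only sent over HTTPS, and page scripts cannot read it. A stale ID from
     an expired session is replaced rather than reused. -->
<configuration>
  <system.web>
    <sessionState cookieless="UseCookies"
                  regenerateExpiredSessionId="true"
                  timeout="20" />
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

A quick check after deploying: the session ID must not appear in any request URL, and the `Set-Cookie` header for the session cookie should carry both the `secure` and `HttpOnly` flags.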