I wrote an ASP.Net MVC app that stores Session information in the database, but I can see the session id being stored in a browser cookie "ASP.NET_SessionId". Is this a security risk? Can the id be used to hack/steal a user's session?
possible duplicate of [Can some hacker steal the cookie from a user and login with that name on a web site?](http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s) – Dennis Traub Sep 24 '12 at 17:51
1 Answer
The session id in the cookie is used to relate a stateless web request to stored state on the server.
With regard to security, I don't think the ASP.NET_SessionId contains authentication details - that's the .ASPXAUTH (if you are using the built-in .NET membership providers). I think it can, in some circumstances, be used to steal a user's session.
A great read on this is Troy Hunt's blog, particularly this post, *Anatomy of an insufficient transport layer protection attack*, where he packet-sniffs the cookies of wifi users in a McDonald's and logs in as them.

Neil Thompson
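Added example, not code from the question or the answer: two constructed `web.config` fragments for an ASP.NET MVC app keeping session state in SQL Server. The first leaves the default cookie settings, so `ASP.NET_SessionId` and `.ASPXAUTH` travel over plain HTTP and are readable by page script; the second marks both cookies Secure and HttpOnly, which is the transport-layer fix for the sniffing the answer describes. The connection string and login URL are placeholders, and the `cookieSameSite` attributes assume .NET Framework 4.7.2 or later.

```xml
<!-- Constructed example, not the questioner's actual configuration. -->

<!-- WEAK: nothing stops the browser sending both cookies over http://, and
     script on the page can read them. A passive listener on shared wifi
     sees the session id and the forms ticket in the clear. -->
<system.web>
  <sessionState mode="SQLServer"
                sqlConnectionString="data source=SESSION_DB_PLACEHOLDER;Integrated Security=True"
                cookieless="false" />
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="~/Account/Login" />
  </authentication>
</system.web>

<!-- HARDENED: requireSSL adds the Secure flag, so the cookies are only ever
     sent over HTTPS; httpOnlyCookies keeps them out of document.cookie.
     The site itself must be served over HTTPS only for this to hold. -->
<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <sessionState mode="SQLServer"
                sqlConnectionString="data source=SESSION_DB_PLACEHOLDER;Integrated Security=True"
                cookieless="false"
                timeout="20"
                cookieSameSite="Lax" />
  <authentication mode="Forms">
    <!-- requireSSL here refuses to issue or accept the ticket over HTTP;
         a bounded timeout limits how long a captured ticket stays useful. -->
    <forms name=".ASPXAUTH" loginUrl="~/Account/Login"
           requireSSL="true" slidingExpiration="false" timeout="30"
           cookieSameSite="Lax" />
  </authentication>
</system.web>
```

The Secure flag is what removes the cookie from the wire on plain HTTP; HttpOnly does nothing against a network sniffer, it only blocks script access.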