How secure are session variables?

Example:
session("IsLoggedIn")=false

Can this be changed on the user's machine by editing the cookie directly?
(Please tell me it can't!).
If so, will ASP know it has been tampered with, and refuse to "accept" it if
changed to "true" ?
Thanks
Giles
Jul 22 '05 #1
Session cookies are stored in the server's memory, not on the client machine.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"Giles" <Gi***@NoSpam.com> wrote in message news:Oe**************@TK2MSFTNGP15.phx.gbl...
Example:
session("IsLoggedIn")=false

Can this be changed on the user's machine by editing the cookie directly?
(Please tell me it can't!).
If so, will ASP know it has been tampered with, and refuse to "accept" it if
changed to "true" ?
Thanks
Giles



Jul 22 '05 #2
Giles wrote:
Example:
session("IsLoggedIn")=false

Can this be changed on the user's machine by editing the cookie
directly? (Please tell me it can't!).
If so, will ASP know it has been tampered with, and refuse to
"accept" it if changed to "true" ?
Thanks
Giles

Session variables are not stored on the client PC: they are stored in the
server's memory, which is one reason indiscriminate use of session variables
can impair performance.

The only thing stored on the client is a session cookie containing the
session id.

Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 22 '05 #3
Steven Burn wrote:
Session cookies are stored in the server's memory,
not on the client machine.


Not quite. The *variables* are stored on the server. The *cookie* is kept on
the client (and passed in the request/response headers). Session cookies are
transient, so they typically are kept in memory until the browser closes,
BUT...

How the client handles transient cookies is completely beyond the server's
(and thus the application's) control.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 22 '05 #4
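
The model described in the replies above (variables held on the server, only a session id in the cookie), as an added Python example that is not part of the original thread and is not ASP's own code. The `SessionStore` class, its `handle` method and the `SESSIONID` cookie name are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """Minimal model of server-side session state (hypothetical sketch)."""

    COOKIE = "SESSIONID"  # assumed cookie name, not ASP's real one

    def __init__(self):
        self._sessions = {}  # session id -> variables; lives only on the server

    def _new_session(self):
        sid = secrets.token_urlsafe(32)  # long, unpredictable id
        self._sessions[sid] = {"IsLoggedIn": False}
        return sid

    def handle(self, cookies, login=False):
        """Return (cookies sent back to the client, IsLoggedIn for this request)."""
        sid = cookies.get(self.COOKIE)
        if sid not in self._sessions:
            # Missing or unknown id: start a fresh, logged-out session.
            sid = self._new_session()
        if login:
            self._sessions[sid]["IsLoggedIn"] = True
        # Only the id goes back to the client; the variables never leave the server.
        return {self.COOKIE: sid}, self._sessions[sid]["IsLoggedIn"]


def demo():
    store = SessionStore()
    giles, _ = store.handle({})              # first visit, not logged in
    other, _ = store.handle({}, login=True)  # a different user who has logged in

    # 1. Client adds its own "IsLoggedIn" cookie: the server never reads it.
    _, forged_flag = store.handle({**giles, "IsLoggedIn": "true"})
    # 2. Client edits the session id (constructed value): no match on the
    #    server, so it gets a new logged-out session with a new id.
    reply, edited_id = store.handle({store.COOKIE: "A" * 43})
    # 3. The id itself is the secret: a request carrying another user's
    #    valid id is treated as that user.
    _, copied_id = store.handle(other)
    return forged_flag, edited_id, reply[store.COOKIE] != "A" * 43, copied_id


if __name__ == "__main__":
    print(demo())
```

The third case is why the session id has to be unpredictable and why the cookie carrying it should only travel over HTTPS and be marked `Secure` and `HttpOnly`.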