security issue in asp

Hi

Recently I was looking at someone else's code written in ASP.
At the start of the page there was a condition checking if some
session variable had been set; if so, the rest of the code
was executed normally. If this session object was not
set, the script redirected to an "Access denied" page.
My question is: is this really secure?
Can the client set some session object? Are they encrypted
somehow? Where are they between requests? In a cookie?
Hidden fields?

Thanks for any answers, I'm just curious
Lu
Nov 18 '05 #1
Session objects are in memory on the server

Nov 18 '05 #2
Hi Luke,

Session objects run on the server, and the actual data that you store in them is
stored there. The only thing that lives on the client is the Session Cookie
or ID, which may be either in an HTTP Cookie or some sort of ID that is stored
as part of the URL or QueryString (cookieless Sessions in ASP.Net, for
example, use URL injection to inject the cookie into the URL path).

Secure is always a relative term <g>. It's secure as long as nobody hijacks
the Cookie in some way. Once the cookie is compromised and the attacker has
the tools to set this cookie for his browser session, he can impersonate the
user. But grabbing the cookie is certainly not easy, especially if you
use SSL, or without some way to filter network traffic and know what you're
looking for.

+++ Rick ---

--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/weblog/
----------------------------------
Making waves on the Web

Nov 18 '05 #3
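
The behaviour described in the answers above, as an added example that is not part of the original thread: a minimal Python model (not ASP code) of a server-side session store in which the client holds only an opaque ID cookie. The cookie name, function names and paths are hypothetical, and the credential check is omitted.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}         # server-side store: session ID -> variables (never sent to the client)
COOKIE = "SESSIONID"  # hypothetical cookie name


def new_session():
    """Create an empty server-side session and return the Set-Cookie value."""
    sid = secrets.token_urlsafe(32)  # long random ID, impractical to guess
    SESSIONS[sid] = {}
    c = SimpleCookie()
    c[COOKIE] = sid
    c[COOKIE]["secure"] = True    # browser sends it over SSL/TLS only
    c[COOKIE]["httponly"] = True  # page script cannot read it
    c[COOKIE]["path"] = "/"
    return c[COOKIE].OutputString()


def session_for(cookie_header):
    """Find the server-side session named by the request's Cookie header."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(COOKIE)
    # Every other cookie the client sends is ignored; only the ID is looked up.
    return SESSIONS.get(morsel.value) if morsel else None


def login(cookie_header, user):
    """Only server-side code writes session variables (credential check omitted)."""
    session = session_for(cookie_header)
    if session is None:
        return False
    session["user"] = user
    return True


def protected_page(cookie_header):
    """The check from the question: serve the page only if the variable is set."""
    session = session_for(cookie_header)
    if session is None or "user" not in session:
        return "302 /access-denied"
    return "200 hello " + session["user"]
```

A request cookie such as `user=admin` changes nothing because the server reads only the ID, while any request that presents a valid ID is given that session, which is why the ID cookie is marked `Secure` and `HttpOnly`.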