How secure are session variables?

I often use session variables to store the user's security level, and other
important info. How secure are session variables? Can someone decrypt it
and get the information? (This would be especially important to know if the
session vars contain things like credit card numbers.)

Any better, more secure alternatives? How would you store credit card
numbers etc... temporarily if not using session vars?

Thanks!
Nov 18 '05 #1
On the first point, session variables are not something people can get
to from the client side unless you send them to them. What you see on
the client side is a session identifier that allows the server to
retrieve the actual session values.

The better way of storing sensitive data is to put it in a database in
an encrypted format (how you decide to do that is up to you) and only
pull it out as you need it, retrieving it each time from scratch. The
hit of this particular retrieval is offset by the security of not
exposing the sensitive information. However this still isn't secure
unless you ask the user to login over a secure connection just before
retrieving the data as an unsecured session identifier (cookie or
querystring) can be grabbed and then used to spoof the identity of the user.

Just remember, the farther you go down the security path, the more you
have to take into account, the more threats you need to mitigate,
and the more expensive your solution becomes. Hope something in all of
this helps you in some way.

Have A Better One!

John M Deal, MCP
Necessity Software


Nov 18 '05 #2
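One way to implement what reply #2 recommends, as an added example that is not from this thread or any of its posters (C# for ASP.NET; the `SensitiveStore` class, its in-memory `Table` standing in for the encrypted database, and the choice of Windows DPAPI via `ProtectedData` for the encryption are my assumptions):

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical helper, not from the thread: Session keeps only an opaque handle
// (plus the security level the poster mentions); the card number is encrypted
// at rest and read back only on demand, over a secure connection.
public static class SensitiveStore
{
    // Stand-in for the encrypted database table reply #2 describes.
    private static readonly Dictionary<Guid, byte[]> Table = new Dictionary<Guid, byte[]>();
    // Extra entropy ties ciphertext to this application. DPAPI keys are bound to
    // the machine, so this suits a single server, not the web farm in reply #6.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("order-app-v1");

    public static Guid Store(string cardNumber)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(cardNumber);
        byte[] ciphertext = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(plaintext, 0, plaintext.Length); // do not keep clear text in memory longer than needed
        Guid handle = Guid.NewGuid();
        lock (Table) { Table[handle] = ciphertext; }
        return handle;
    }

    public static string Retrieve(Guid handle)
    {
        // Reply #2: only hand the value back over a secure connection.
        if (!HttpContext.Current.Request.IsSecureConnection)
            throw new InvalidOperationException("sensitive data is only released over HTTPS");
        byte[] ciphertext;
        lock (Table)
        {
            if (!Table.TryGetValue(handle, out ciphertext))
                throw new KeyNotFoundException("no record for this handle");
        }
        byte[] plaintext = ProtectedData.Unprotect(ciphertext, Entropy, DataProtectionScope.LocalMachine);
        try { return Encoding.UTF8.GetString(plaintext); }
        finally { Array.Clear(plaintext, 0, plaintext.Length); }
    }

    public static void Forget(Guid handle)
    {
        lock (Table) { Table.Remove(handle); }
    }
}
```

In a page you would put `Session["CardHandle"] = SensitiveStore.Store(cardNumber)` where the number is entered, call `SensitiveStore.Retrieve((Guid)Session["CardHandle"])` only at the step that actually needs it, and `Forget` the handle once the transaction is done.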
As far as I know, if important information is stored as clear text (i.e.
unencrypted) in session variables, it is open to sniffing. If a memory
snapshot is taken by some rogue software or by some crash dump, somebody could
examine your info even if it is in session variables.

One of my favorite editions in MSDN is the November 2004 issue. A lot of
gems can be learned from this one:

http://msdn.microsoft.com/msdnmag/is...1/default.aspx

HTH

Nov 18 '05 #3
Session is a region of memory. The only entity that has access to it is the
Application itself.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Neither a follower
nor a lender be.


Nov 18 '05 #5
Well, let me correct myself in one regard. Session State can also be stored
in a web farm in a SQL Server database, or in memory, in a single State
Server. In that case, the sending of Session data to and from the State
server could be intercepted, depending upon how secure your network is.
However, as the traffic is generally going to be confined to the immediate
subnet, and assuming that your network admins are doing their job right, it
is still safe.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Neither a follower
nor a lender be.


Nov 18 '05 #6