Hacking session variables in Asp.NET

南旧 2021-01-13 07:00

Is it possible to hack someone's session variables and create a new shadow user?

What are the common ways of avoiding such surprises?

SSL certificate insta

2 Answers
  •  谎友^ (original poster)
    2021-01-13 07:46

    Short answer... it depends.

    Session in ASP.NET can be stored in a variety of ways (InProc / SQL Server / State Server) etc... another thing to note is how the client session is maintained (query string value, cookies etc...)

    As the poster in this answer suggests

    Can we hack a site that just stores the username as a session variable?

    One thing you could do when you authenticate the user and store their name in Session, would be to also store some other information about them. e.g. Their UserAgentString, their IP Address and if a different IP or UserAgentString attempted to interact with the session, you could invalidate it.
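
The check suggested in the answer above, sketched for a classic ASP.NET (System.Web) application. This is an added example, not code from the original thread; the session key names and the `BindSession` helper are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example for Global.asax.cs (classic ASP.NET, System.Web).
public class Global : HttpApplication
{
    // Hypothetical session key names chosen for this example.
    private const string UserKey = "UserName";
    private const string FingerprintKey = "ClientFingerprint";

    // Hash the User-Agent and client IP so the raw values are not kept in session state.
    private static string Fingerprint(HttpRequest request)
    {
        string raw = (request.UserAgent ?? "") + "|" + (request.UserHostAddress ?? "");
        using (SHA256 sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(raw)));
        }
    }

    // Call from the login handler once the credentials have been verified.
    public static void BindSession(HttpContext context, string userName)
    {
        context.Session[UserKey] = userName;
        context.Session[FingerprintKey] = Fingerprint(context.Request);
    }

    // Runs on every request after session state has been loaded.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        if (context == null || context.Session == null) return; // handler without session state

        string expected = context.Session[FingerprintKey] as string;
        if (expected == null) return; // nobody is logged in on this session

        if (!string.Equals(expected, Fingerprint(context.Request), StringComparison.Ordinal))
        {
            // Different User-Agent or IP: drop the server-side state and refuse the request.
            context.Session.Clear();
            context.Session.Abandon();
            context.Response.StatusCode = 401;
            CompleteRequest();
        }
    }
}
```

Clients whose address changes mid-session (mobile networks, rotating proxies) will be logged out by this check, and behind a reverse proxy `UserHostAddress` is the proxy's address rather than the client's.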
