Is it possible to hack someone's session variables and create a new shadow user?
What are the common ways of avoiding such surprises?
Anything is possible, however by default it's hard.
Generally you hijack a session by stealing the session cookie and recreating it on another machine. However, in order to do this the web site must be vulnerable to Cross Site Scripting (which you can mitigate against with Server.HtmlEncode when you echo user input back). If you do end up vulnerable, the ASP.NET session cookie is marked as HTTP Only, which means, if a browser supports it, it is not accessible from client-side scripts (although Safari ignores this setting).