Wrox Programmer Forums
#1 (permalink)
February 9th, 2008, 10:28 PM
Friend of Wrox
Join Date: Mar 2006
Location: Portugal
Posts: 310
Thanks: 0
Thanked 0 Times in 0 Posts

Security: Could someone falsify session vars?

Suppose that I put this on my page_load:

If Not Session("abcd") = True Then
    Response.Redirect(*to other page*)
End If

If someone knows that this page is only accessible with this session var, could this person find a way to create this session from outside and see the page?

Forgive this newbie question, but I need to be sure!

I want to make an admin page without the custom login and security verifications...

Thanks!
Max


#2 (permalink)
February 10th, 2008, 04:48 AM
Imar
Wrox Author
Points: 70,322, Level: 100
Activity: 0%
Join Date: Jun 2003
Location: Utrecht, Netherlands
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Hi Max,

No, they can't unless you write code that enables them to.

Session variables are stored and accessed with server side code only. So, if you don't have any code that accepts user input and directly stores it in Session("abcd") you're OK.

However, it is possible to steal or hijack a session. Not an easy thing to do, though, and it involves a lot of knowledge of the system and hacking in general.

But why this work-around? Why not create an Admin role and let ASP.NET handle security as it is designed to do?

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of Beginning ASP.NET 3.5 : in C# and VB, ASP.NET 2.0 Instant Results and Dreamweaver MX 2004
Want to be my colleague? Then check out this post.
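The role-based setup Imar recommends, as an added web.config example that is not from the original thread: the admin page path (Admin/LogEvents.aspx), the role name Admin and the login page name are assumptions. Authorization rules in web.config are enforced by the framework before the page's own code runs, so the page does not depend on a check in Page_Load.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: the ticket cookie is encrypted and signed
         (protection="All") and is only sent over HTTPS (requireSSL). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true"
             slidingExpiration="true" timeout="20" />
    </authentication>

    <!-- Role Manager supplies User.IsInRole("Admin") from the role store,
         so an "Admin" role can be assigned to the administrator account. -->
    <roleManager enabled="true" />

    <!-- Cookies issued by ASP.NET are marked HttpOnly (not readable by script)
         and Secure (HTTPS only), which narrows the hijacking risk noted above. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Assumed path of the log-event admin page. Rules are evaluated in order:
       members of Admin are allowed, everyone else (including anonymous users)
       is denied and sent to the login page. -->
  <location path="Admin/LogEvents.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```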
#3 (permalink)
February 11th, 2008, 09:18 AM
aliirfan84
Authorized User
Join Date: Jan 2007
Location: Islamabad, Punjab, Pakistan
Posts: 93
Thanks: 0
Thanked 0 Times in 0 Posts

I agree with Imar Spaanjaars.

Regards,
Ali Irfan
#4 (permalink)
February 11th, 2008, 01:12 PM
planoie
Friend of Wrox
Points: 16,481, Level: 55
Activity: 0%
Join Date: Aug 2003
Location: Clifton Park, New York, USA
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts

A more important factor here is that you are simply redirecting a user to a page based on some session data.

If you do not put some security mechanism on the secure page, I could simply navigate to it directly (of course I need to know what that page is). I don't need to know anything about the session variables or how to hack them. I could simply put in the URL of the supposedly "secure" page and navigate directly to it. This is Imar's point. Use the security mechanism built into ASP.NET and you'll eliminate a lot of the security vulnerabilities.

-Peter
#5 (permalink)
February 12th, 2008, 07:43 PM
Friend of Wrox
Join Date: Mar 2006
Location: Portugal
Posts: 310
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks Imar!

It's a page where I see/delete the custom Logevents generated by my application!
If I use my login administrator I need to spend some time reading other stuff! It's complicated and I can't explain this very well.

Quote (originally posted by planoie):
If you do not put some security mechanism on the secure page, I could simply navigate to it directly (of course I need to know what that page is). I don't need to know anything about the session variables or how to hack them. I could simply put in the URL of the supposedly "secure" page and navigate directly to it. This is Imar's point.
Now I don't understand!
Suppose that my page www.mydomain.com/page1.aspx has one line of code with this on page_load or page_init:

If Not Session("xxx") = "yyy" Then Response.Redirect("http://www.otherplace.com")

How can you enter my page? You can try, but you'll be redirected out of there at once!

But could you make a page on your server, generate/create my session var (if you know which one it is), put a link to mine on your page, and preserve the session var?
(I hope you understand my doubt)

Thanks,
Max
#6 (permalink)
February 13th, 2008, 12:06 PM
planoie
Friend of Wrox
Points: 16,481, Level: 55
Activity: 0%
Join Date: Aug 2003
Location: Clifton Park, New York, USA
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts

Looking back I think I understand what you were explaining in your first post. You are putting in a session variable check to send the users AWAY from the secure page(s). So as Imar suggested, because the session data is on the server, there is no way that a user can fabricate it without your code doing so.

-Peter