Velocity Reviews > Newsgroups > Programming > ASP .Net > How secure are session variables?

How secure are session variables?

VB Programmer
11-15-2004
I often use session variables to store the user's security level, and other
important info. How secure are session variables? Can someone decrypt it
and get the information? (This would be especially important to know if the
session vars contain things like credit card numbers.)

Any better, more secure alternatives? How would you store credit card
numbers etc... temporarily if not using session vars?

Thanks!


John M Deal
11-15-2004
On the first point, session variables are not something people can get
to from the client side unless you send them to them. What you see on
the client side is a session identifier that allows the server to
retrieve the actual session values.

The better way of storing sensitive data is to put it in a database in
an encrypted format (how you decide to do that is up to you) and only
pull it out as you need it, retrieving it each time from scratch. The
hit of this particular retrieval is offset by the security of not
exposing the sensitive information. However, this still isn't secure
unless you ask the user to login over a secure connection just before
retrieving the data, as an unsecured session identifier (cookie or
querystring) can be grabbed and then used to spoof the identity of the user.

Just remember the farther you go down the security path the more you
have to take into account, the more threats that you need to mitigate,
and the more expensive your solution becomes. Hope something in all of
this helps you in some way.

Have A Better One!

John M Deal, MCP
Necessity Software

VB Programmer wrote:
> I often use session variables to store the user's security level, and other
> important info. How secure are session variables? Can someone decrypt it
> and get the information? (This would be especially important to know if the
> session vars contain things like credit card numbers.)
>
> Any better, more secure alternatives? How would you store credit card
> numbers etc... temporarily if not using session vars?
>
> Thanks!
>
>

Dotnet Wanderer
11-15-2004
As far as I know, if important information is stored as clear text (i.e.
unencrypted) in session variables, it is open to sniffing. If a memory
snapshot is taken by some rogue software or by some crash dump, somebody could
examine your info even if it is in session variables.

One of my favorite editions in MSDN is the November 2004 issue. A lot of
gems can be learned from this one:

http://msdn.microsoft.com/msdnmag/is...1/default.aspx

HTH


"VB Programmer" wrote:

> I often use session variables to store the user's security level, and other
> important info. How secure are session variables? Can someone decrypt it
> and get the information? (This would be especially important to know if the
> session vars contain things like credit card numbers.)
>
> Any better, more secure alternatives? How would you store credit card
> numbers etc... temporarily if not using session vars?
>
> Thanks!
>
>
>

Kevin Spencer
11-15-2004
Session is a region of memory. The only entity that has access to it is the
Application itself.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Neither a follower
nor a lender be.

"VB Programmer" <Dont*NoSpam-Please*@jEmail.com> wrote in message
news:(E-Mail Removed)...
> I often use session variables to store the user's security level, and other
> important info. How secure are session variables? Can someone decrypt it
> and get the information? (This would be especially important to know if the
> session vars contain things like credit card numbers.)
>
> Any better, more secure alternatives? How would you store credit card
> numbers etc... temporarily if not using session vars?
>
> Thanks!
>
>

Kevin Spencer
11-15-2004
Well, let me correct myself in one regard. Session State can also be stored
in a web farm in a SQL Server database, or in memory, in a single State
Server. In that case, the sending of Session data to and from the State
server could be intercepted, depending upon how secure your network is.
However, as the traffic is generally going to be confined to the immediate
subnet, and assuming that your network admins are doing their job right, it
is still safe.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Neither a follower
nor a lender be.

"VB Programmer" <Dont*NoSpam-Please*@jEmail.com> wrote in message
news:(E-Mail Removed)...
> I often use session variables to store the user's security level, and other
> important info. How secure are session variables? Can someone decrypt it
> and get the information? (This would be especially important to know if the
> session vars contain things like credit card numbers.)
>
> Any better, more secure alternatives? How would you store credit card
> numbers etc... temporarily if not using session vars?
>
> Thanks!
>
>

stevish
12-19-2008
Good info on security! My question follows the same line, but opposite:

I want to store security access levels in a session variable. Is it possible for anyone to somehow change the value of a session variable (and therefore make themselves an admin until the session variable is updated from the database)?
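The thread leaves stevish's question open, so here is an added example (my own stand-alone model, not code from the thread or from ASP.NET) of the mechanism John M Deal and Kevin Spencer describe: the browser holds only an opaque session ID, the stored security level can never be set from the client, and card data stays out of the session and is fetched fresh from the database only after a recent login over a secure connection. The dictionary store, the 5-minute re-login window and the `fetch_from_db` callback are assumptions of the model.

```python
import secrets

# Constructed stand-alone model of server-side session state (not ASP.NET's
# implementation). The browser holds only the opaque session ID; every value,
# including the security level, lives in this server-side dictionary.
_SESSIONS = {}
REAUTH_WINDOW_SECONDS = 300  # assumed policy: the login must be under 5 minutes old


def create_session(user, security_level, over_https, now):
    """Issue an unguessable session ID for a user who has just logged in."""
    sid = secrets.token_urlsafe(32)  # 256 random bits, not derived from user data
    _SESSIONS[sid] = {
        "user": user,
        "level": security_level,
        "last_auth": now,             # seconds; time.time() in a real server
        "last_auth_https": over_https,
    }
    return sid


def security_level_for(cookie_value):
    """Server-side view of whoever presents this cookie value.
    The client only chooses WHICH ID to send, never the level, so an edited
    or invented cookie maps to no session at all rather than to 'admin'."""
    sess = _SESSIONS.get(cookie_value)
    return sess["level"] if sess else None


def record_reauthentication(sid, over_https, now):
    """Called after the user re-enters credentials: remember when and how."""
    sess = _SESSIONS[sid]
    sess["last_auth"] = now
    sess["last_auth_https"] = over_https


def release_sensitive_record(sid, fetch_from_db, now):
    """Gate for data such as card numbers, which are NOT kept in the session.
    Only a fresh login over a secure connection unlocks a fresh fetch, so a
    grabbed session ID alone does not hand the record over. Decrypting the
    stored record is fetch_from_db's job (the database layer)."""
    sess = _SESSIONS.get(sid)
    if sess is None:
        return None
    fresh = (now - sess["last_auth"]) <= REAUTH_WINDOW_SECONDS
    if not (fresh and sess["last_auth_https"]):
        return None
    return fetch_from_db(sess["user"])
```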