Is the session cookie secure enough to hold the user id?

I use a session cookie (rather than a persistent one) to save the user id to find out if the user is registered.

Basically, the user logs in, we check the credentials, and then set the session user ID to userID = 37 (for this particular user; other users will have 73 or 69, etc.):

Session.Add("UserID", 37); 

My question is: is it possible for a registered user to somehow change this session cookie from 37 to 73 and thus trick the server into thinking that he is actually user 73? If yes, then what am I doing wrong, and how do I deal with this case? It seems insane to put the user's id and password in the session and check them EVERY TIME??

We also use this userid value in later requests to restrict them.

I am sorry if this is not a question about EXACT code, but it is very relevant to my code.

+7
4 answers

The session cookie contains only the session identifier. It is used to identify the user. It does not contain anything else. The actual information for this session is stored on the server. So it is safe. The user can never change the value that was saved on the server. The user cannot change his identifier if you saved it inside the session.

However, when dealing with user IDs, you can use forms authentication to track authenticated users, instead of reinventing the wheel with a session.

+6

ASP.NET session state provides an important security advantage over client-side state management methods, because the actual state is stored on the server side and is not exposed to the client or to other network entities along the HTTP request path. However, there are several important aspects of how session state operates that must be considered to ensure application security. Security best practices fall into three main categories: preventing session identifier spoofing and injection, protecting the back-end state store, and securing the session state deployment in dedicated or shared environments.

Read: Securing Session State

+3

This is not a cookie, and it is absolutely safe because the user cannot change it. The only thing stored in the cookie is the session identifier.

+2

As other answers noted, the actual value (37 in the example) is stored on the server, not on the client, but this does not mean that you are immune to potential attacks. This mechanism is still vulnerable to cross-site scripting attacks. Basically, what is stored in the client's cookie is a big, long identifier. If someone other than the actual user obtains this identifier, he can put it in his own cookie and essentially claim the role of that user. You can explore cross-site scripting more on your own (I'm not an expert on this) to see some of the common ways an attacker will try to read other users' cookies and set them as their own, as well as ways to protect against such attacks (some of which, I am sure, will be done for you by browsers and ASP).

0
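A worked illustration of the two points made across the answers above: the first answer's point that the cookie carries only an opaque session identifier while "UserID" = 37 lives in a server-side store, and the last answer's point that whoever holds that identifier is, to the server, that user. This is an added example in Python, not code from the original post and not ASP.NET's own implementation. The in-memory SessionStore, the sample users and passwords, and the rotate-on-login step are assumptions standing in for the real session state store and forms authentication; the cookie name ASP.NET_SessionId is the one ASP.NET uses by default.

```python
import secrets
from http.cookies import SimpleCookie

# Added example: models what ASP.NET session state does. The cookie carries only
# an opaque random session id; the data ("UserID") lives server-side, keyed by it.
# The store, users and passwords below are constructed stand-ins, not real ASP.NET APIs.

COOKIE_NAME = "ASP.NET_SessionId"


class SessionStore:
    """In-memory stand-in for the server-side session state store (assumption)."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session data

    def new_session(self):
        sid = secrets.token_urlsafe(24)  # 192 random bits: not guessable or enumerable
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        """Move existing data under a fresh id. Done at login, this defeats session
        fixation: an id the attacker planted before login stops being valid."""
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(24)
        self._sessions[new_sid] = data
        return new_sid


def set_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps the id away from script (XSS), Secure keeps it
    off plaintext HTTP, SameSite limits cross-site sending."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie_header(cookie_header):
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(COOKIE_NAME)
    return morsel.value if morsel else None


# Constructed sample users: name -> (password, user id), like 37 and 73 in the question.
USERS = {"alice": ("pw-alice", 37), "bob": ("pw-bob", 73)}


def login(store, username, password, presented_sid=None):
    """Check credentials once; afterwards the session, not the client, remembers the user."""
    cred = USERS.get(username)
    if cred is None or not secrets.compare_digest(cred[0], password):
        return None
    if presented_sid and store.get(presented_sid) is not None:
        sid = store.rotate(presented_sid)   # never keep the pre-login id
    else:
        sid = store.new_session()
    store.get(sid)["UserID"] = cred[1]       # the equivalent of Session.Add("UserID", 37)
    return sid


def current_user_id(store, cookie_header):
    """What the server believes about a request: the UserID bound to the presented
    session id, or None if the id is unknown."""
    sid = session_id_from_cookie_header(cookie_header)
    sess = store.get(sid) if sid else None
    return sess.get("UserID") if sess else None


def demo():
    store = SessionStore()
    alice_sid = login(store, "alice", "pw-alice")
    bob_sid = login(store, "bob", "pw-bob")
    results = {}
    results["alice"] = current_user_id(store, f"{COOKIE_NAME}={alice_sid}")   # 37
    results["bob"] = current_user_id(store, f"{COOKIE_NAME}={bob_sid}")       # 73
    # Bob edits his cookie to "37": the cookie never held a user id, so it maps to nothing.
    results["tampered"] = current_user_id(store, f"{COOKIE_NAME}=37")         # None
    # But Alice's id, stolen via XSS or sniffing, is as good as her password.
    results["stolen"] = current_user_id(store, f"{COOKIE_NAME}={alice_sid}")  # 37
    # Session fixation: attacker plants a known id, victim logs in with it present.
    planted = store.new_session()
    victim_sid = login(store, "alice", "pw-alice", presented_sid=planted)
    results["planted_still_valid"] = current_user_id(store, f"{COOKIE_NAME}={planted}")  # None
    results["rotated"] = victim_sid != planted                                            # True
    return results


if __name__ == "__main__":
    print(demo())
    print(set_cookie_header("example-id"))
```

The tampering case is the one the question asks about: changing the cookie's value cannot select another user's data because the value is a random key into the server store, not the user id. The stolen and planted cases are the ones the last two answers warn about, and they are mitigated by the cookie flags in set_cookie_header, by TLS, and by issuing a fresh session id at login.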
