How secure are session variables?

Discussion in 'ASP .Net' started by VB Programmer, Nov 15, 2004.

  1. I often use session variables to store the user's security level, and other
    important info. How secure are session variables? Can someone decrypt it
    and get the information? (This would be especially important to know if the
    session vars contain things like credit card numbers.)

    Any better, more secure alternatives? How would you store credit card
    numbers etc... temporarily if not using session vars?

    Thanks!
    VB Programmer, Nov 15, 2004
    #1

  2. John M Deal (Guest)

    On the first point, session variables are not something people can get
    to from the client side unless you send them to them. What you see on
    the client side is a session identifier that allows the server to
    retrieve the actual session values.

    The better way of storing sensitive data is to put it in a database in
    an encrypted format (how you decide to do that is up to you) and only
    pull it out as you need it, retrieving it each time from scratch. The
    hit of this particular retrieval is offset by the security of not
    exposing the sensitive information. However this still isn't secure
    unless you ask the user to login over a secure connection just before
    retrieving the data as an unsecured session identifier (cookie or
    querystring) can be grabbed and then used to spoof the identity of the user.

    Just remember the farther you go down the security path the more you
    have to take into account, the more threats that you need to mitigate,
    and the more expensive your solution becomes. Hope something in all of
    this helps you in some way.

    Have A Better One!

    John M Deal, MCP
    Necessity Software

    VB Programmer wrote:
    > I often use session variables to store the user's security level, and other
    > important info. How secure are session variables? Can someone decrypt it
    > and get the information? (This would be especially important to know if the
    > session vars contain things like credit card numbers.)
    >
    > Any better, more secure alternatives? How would you store credit card
    > numbers etc... temporarily if not using session vars?
    >
    > Thanks!
    >
    >
    John M Deal, Nov 15, 2004
    #2
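    A minimal model of the two points made above, written for this thread (it is added example code, not anything a participant posted): the browser holds only an opaque session id and the server looks the values up from it, and the sensitive value is fetched from a separate store only after a fresh login. The in-memory tables, `REAUTH_WINDOW` and the card value are constructed stand-ins for ASP.NET's session store and an encrypted database row.

```python
import secrets
import time

# Server-side session table, modelling what ASP.NET keeps for InProc session
# state: the browser only ever holds the identifier, never the values.
_SESSIONS = {}

# Stand-in for the encrypted database row recommended above; a real deployment
# would keep the number encrypted at rest and decrypt only on retrieval.
_CARD_VAULT = {"alice": "4111 1111 1111 1111"}  # constructed sample data

REAUTH_WINDOW = 120  # seconds a fresh login stays valid for sensitive reads (assumption)


def create_session(user, security_level):
    """Create the session server-side; return only the opaque id for the cookie."""
    session_id = secrets.token_urlsafe(16)  # 128 bits of entropy, unguessable
    _SESSIONS[session_id] = {"user": user, "level": security_level, "reauth_at": None}
    return session_id


def security_level_for(cookie_value):
    """The server trusts the value looked up from the id, not anything the client sent."""
    session = _SESSIONS.get(cookie_value)
    return session["level"] if session else "anonymous"


def edit_cookie(session_id):
    """A client altering its own cookie can only present a different id."""
    return session_id[:-1] + ("A" if session_id[-1] != "A" else "B")


def record_reauth(session_id, now):
    """Called after the user logs in again over the secure connection."""
    session = _SESSIONS.get(session_id)
    if session:
        session["reauth_at"] = now


def card_number_for(session_id, now):
    """Pull the card number from the vault only for a freshly re-authenticated session."""
    session = _SESSIONS.get(session_id)
    if not session or session["reauth_at"] is None:
        return None
    if now - session["reauth_at"] > REAUTH_WINDOW:
        return None
    return _CARD_VAULT.get(session["user"])


if __name__ == "__main__":
    sid = create_session("alice", "user")
    print(security_level_for(sid), security_level_for(edit_cookie(sid)))  # user anonymous
    print(card_number_for(sid, time.time()))  # None: no recent login yet
    record_reauth(sid, time.time())
    print(card_number_for(sid, time.time()) is not None)  # True
```

    Note that `security_level_for` returns the same answer to whoever presents the id, which is exactly why a captured session identifier lets someone act as the user.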

  3. As far as I know, if important information is stored as clear text (i.e.
    unencrypted) in session variables, it is open to sniffing. If a memory
    snapshot is taken by some rogue software or by some crash dump, somebody could
    examine your info even if it is in session variables.

    One of my favorite editions in MSDN is the November 2004 issue. A lot of
    gems can be learned from this one:

    http://msdn.microsoft.com/msdnmag/issues/04/11/default.aspx

    HTH


    "VB Programmer" wrote:

    > I often use session variables to store the user's security level, and other
    > important info. How secure are session variables? Can someone decrypt it
    > and get the information? (This would be especially important to know if the
    > session vars contain things like credit card numbers.)
    >
    > Any better, more secure alternatives? How would you store credit card
    > numbers etc... temporarily if not using session vars?
    >
    > Thanks!
    >
    >
    >
    Dotnet Wanderer, Nov 15, 2004
    #3
  4. As far as I know, if important information is stored as clear text (i.e.
    unencrypted) in session variables, it is open to sniffing. If a memory
    snapshot is taken by some rogue software or by some crash dump, somebody could
    examine your info even if it is in session variables.

    One of my favorite editions of MSDN is the November 2004 issue. A lot of
    security-related lessons can be learned from this issue:

    http://msdn.microsoft.com/msdnmag/issues/04/11/default.aspx

    HTH


    "VB Programmer" wrote:

    > I often use session variables to store the user's security level, and other
    > important info. How secure are session variables? Can someone decrypt it
    > and get the information? (This would be especially important to know if the
    > session vars contain things like credit card numbers.)
    >
    > Any better, more secure alternatives? How would you store credit card
    > numbers etc... temporarily if not using session vars?
    >
    > Thanks!
    >
    >
    >
    Dotnet Wanderer, Nov 15, 2004
    #4
  5. Session is a region of memory. The only entity that has access to it is the
    Application itself.

    --
    HTH,
    Kevin Spencer
    .Net Developer
    Microsoft MVP
    Neither a follower
    nor a lender be.

    "VB Programmer" <Dont*NoSpam-Please*@jEmail.com> wrote in message
    news:...
    > I often use session variables to store the user's security level, and other
    > important info. How secure are session variables? Can someone decrypt it
    > and get the information? (This would be especially important to know if the
    > session vars contain things like credit card numbers.)
    >
    > Any better, more secure alternatives? How would you store credit card
    > numbers etc... temporarily if not using session vars?
    >
    > Thanks!
    >
    >
    Kevin Spencer, Nov 15, 2004
    #5
  6. Well, let me correct myself in one regard. Session State can also be stored
    in a web farm in a SQL Server database, or in memory, in a single State
    Server. In that case, the sending of Session data to and from the State
    server could be intercepted, depending upon how secure your network is.
    However, as the traffic is generally going to be confined to the immediate
    subnet, and assuming that your network admins are doing their job right, it
    is still safe.

    --
    HTH,
    Kevin Spencer
    .Net Developer
    Microsoft MVP
    Neither a follower
    nor a lender be.

    "VB Programmer" <Dont*NoSpam-Please*@jEmail.com> wrote in message
    news:...
    > I often use session variables to store the user's security level, and other
    > important info. How secure are session variables? Can someone decrypt it
    > and get the information? (This would be especially important to know if the
    > session vars contain things like credit card numbers.)
    >
    > Any better, more secure alternatives? How would you store credit card
    > numbers etc... temporarily if not using session vars?
    >
    > Thanks!
    >
    >
    Kevin Spencer, Nov 15, 2004
    #6
  7. stevish
    Good info on security! MY question follows the same line, but opposite:

    I want to store security access levels in a session variable. Is it possible for anyone to somehow change the value of a session variable (and therefore make themselves an admin until the session variable is updated from the database)?
    stevish, Dec 19, 2008
    #7