Does anyone know if session objects can be intercepted? I don't want to know so I can do it, I just need to know whether it's secure or not for an app that I'm creating.
Anything can be hacked given enough time and motivation.
In the case of hijacking a session, a hacker would need to intercept the HTTP Response from the web server, parse out the session cookie, and then generate an HTTP Request based on the cookie.
So it is still possible, but just getting the cookie doesn't give you access to the contents of the session variables. Those are stored on the web server, not in the cookie. All it allows you to do is represent yourself to the web server as if you are the client for whom the session was created. So the hacker has no more access to information than the user whose session has been hijacked.
And of course, using a security certificate will help keep the session information that is intercepted in encrypted form - making it even more difficult to hack.
-kaht
Lisa, if you don't like your job you don't strike. You just go in every day and do it really half-assed. That's the American way. - Homer Simpson
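An added example in Python (not from the thread) of what the answer above describes: the cookie carries only an opaque identifier, the session variables stay in a server-side store, and the Secure/HttpOnly/SameSite attributes limit how that identifier can be captured in transit or by page scripts. The store name SESSIONS, the cookie name SESSIONID and the user data are illustrative assumptions.

```python
# Added example, not code from the original post.  Shows why capturing the
# cookie reveals no session contents, and which cookie attributes reduce the
# chance of the identifier being intercepted.  Names are illustrative.
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side store: session id -> session variables

def create_session(user):
    """Create a session; only the random id is ever sent to the browser."""
    sid = secrets.token_urlsafe(32)  # 256-bit unguessable identifier
    SESSIONS[sid] = {"user": user, "role": "member"}
    return sid

def set_cookie_header(sid):
    """Build the Set-Cookie header with protective attributes.
    Secure   -> only sent over HTTPS, so a plaintext sniffer never sees it
    HttpOnly -> not readable by scripts running in the page
    SameSite -> not attached to cross-site requests"""
    c = SimpleCookie()
    c["SESSIONID"] = sid
    c["SESSIONID"]["secure"] = True
    c["SESSIONID"]["httponly"] = True
    c["SESSIONID"]["samesite"] = "Lax"
    c["SESSIONID"]["path"] = "/"
    return c.output(header="Set-Cookie:")

def lookup_session(cookie_header):
    """What the server recovers from an incoming Cookie header value."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("SESSIONID")
    return SESSIONS.get(morsel.value) if morsel else None

def cookie_is_hardened(set_cookie_line):
    """Check that a Set-Cookie line carries both Secure and HttpOnly."""
    attrs = {p.strip().lower() for p in set_cookie_line.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs

if __name__ == "__main__":
    sid = create_session("alice")
    header = set_cookie_header(sid)
    print(header)                      # no user data appears in the cookie
    print(cookie_is_hardened(header))  # True
    print(lookup_session("SESSIONID=" + sid))
```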