Can somebody listen to the sessionID that the server sends to the client as a cookie when a new session is created and use that session ID to impersonate a user while they are browsing the ASP application?
They have to have intercepted the transmission between you and the server. They need to have tapped the wire and used a scanner of some sort. It's a lot of work, but as luciddream says, it can be done.
James James Culshaw
jculshaw@active-data-solutions.co.uk
I find it hard to believe that this is possible, because all client-side session IDs are obviously stored on the client's computer, but if you look at the cookie itself, part of it is encrypted with server information. If it has been modified it will not work; I heard that even if the file itself is updated it will not work at all. I am not sure if this is a rumor, though.