security issues concerning session variables?

[taval]

I have designed an asp page that takes session variables that hold passwords (for databases), I was wondering how safe this is, is it easy to hack and retrive the passwords this way? [sig][/sig]

 

[Karl Blessing]

Sesssion Variables are held on the Serverside, so they're not as unsecure as Cookies(client side) however one think I've done is that have a login page with the password hardcoded serverside, and if the user logs in correctly, I create a boolean session variable, True if they are loged in(password matched) false, or non-existing if they didnt log in. [sig]<p>Karl<br><a href=mailto:kb244@kb244.com>kb244@kb244.com</a><br><a href=

http://kb244.com>

</a><br>Experienced in : C++(both VC++ and Borland),VB1(dos) thru VB6, Delphi 3 pro, HTML, Visual InterDev 6(ASP(WebProgramming/Vbscript)<br>

http://www.brainbench.com/transcript.jsp?pid=629151

[/sig]

 

[NickBulka]

Technically, Karl's answer is not exactly right. Although session variables are only available from client code, they are stored in cookies, which means they're there on the client side. However, a user won't be able to see the password inside the session variable cookie.
[sig]<p>nick bulka<br><a href=mailto: > </a><br><a href=

http://www.bulka.com>

</a><br>Get your technical books at Bulka's Books<br>

http://www.vstorebooks.com/bulkasbooks

[/sig]