session variable security vulnerability?

Status
Not open for further replies.

gus121

Technical User
May 9, 2002
298
GB
The website I am supporting has the DSN database connection string (e.g. password, username, database connection) stored in a session variable. Is this risky for hackers? Would an Application variable be a far better way of globally storing this variable for performance? security?

Thanks

Angus
 
I suppose the advantage to using an Application var is that there would be only one copy of the DSN info, which is shared by all sessions, as opposed to a separate copy for each session, as would be the case for a Session var. As far as this being a security issue ... I don't know. I would think an App variable would be easier to hack than a Session variable, actually. I don't think either is particularly "hackable", but if a hacker knew how to get all the memory structures for a running web site, I'd have to believe it would be easier for him to find the App variables in there than the Session vars.
 
To add to what rmusgrove has said, if a hacker knew how to get all the memory structures for a running website, then I think tracking down your DSN information would be pretty far down the list considering a) how complicated that would be and b) how many more important things they would then have access to :)

Just my opinion :p
 
As to using Application variables for connection strings - read onpnt's final reply in thread333-505276.
 
No, mwolf00.

The way I read it, what onpnt is saying there is "don't store objects in App or Session vars." I don't recommend that, either. Connection strings, however, are just strings, and a case can be made that there are conditions where having a particular string available for the duration of the server "Application" is advantageous.

If there was never any good reason to use Application or Session variables for anything, I don't think they'd be around for us to use.
 