Results 1 to 2 of 2

Thread: ASP session objects

  1. #1

    ASP session objects

    Can Session object protected sites be hacked?
    For example:

    <!--This is the login page. If the correct uid and pwd
    are entered then a session object is created-->
    If Request("User") = "Tom" And Request("Pwd") = "secret" Then
    Session(Access") = "Granted"
    End If

    Then at the top private.asp

    If Session(Access") <> "Granted" Then
    End If



  2. #2
    Senior Member
    Join Date
    Jan 2002
    Quite often, yes, but not via the session object.

    The session object is secure *unless* you do a cross-site scripting attack and steal cookies
    (which is tricky and you need to be able to inject HTML into the pages of the site)

    Most often there are some pages which fail to properly check the contents of the session object, or the login pages are themselves flawed,

    one which I see most often is doing an SQL query with failure to properly escape quotes, so watch for that.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts