c# - XSS to change ASP.NET session state
I am developing an application that stores the current user and the user's role in session state (System.Web.SessionState.HttpSessionState Page.Session).
if (Session["User Name"] == null) Session.Add("User Name", User.Identity.Name);
if (Session["Administrator"] == null) Session.Add("Administrator", User.IsInRole(domain + "\\Domain Admins"));
Afterwards I check these session values in the code-behind to grant permission for some executions:
if ((bool)Session["Administrator"] (Session["User Name"].ToString()))
My question is this: how safe is the system? For example, is it possible to change the session state using some JavaScript or something else?
Thanks :)
It is not possible to change the session state using JavaScript or other client-side mechanisms, because the state is stored only on the server. However, as others have said, it is possible for a malicious user to hijack the session by getting hold of the content of the session cookie.
ASP.NET has been designed with this weakness in mind: the session ID is appropriately long and hard to guess. Also, the session cookie is marked as HTTP-only, which means that most modern browsers will not allow JavaScript code to access it.
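Added example, not part of the original answer or of ASP.NET itself: one way to limit the hijacking risk described above is to check on every request that the name cached in session state still matches the caller authenticated for that request, and to discard the session when it does not. It assumes Windows (integrated) authentication, so that User.Identity is established independently of the session cookie; the "User Name" key follows the question, ASP.NET_SessionId is ASP.NET's default session cookie name, and placing the check in Global.asax is this example's choice.

```csharp
// Global.asax.cs - added example, not code from the question or the answer.
// Assumption: Windows authentication, so User.Identity does not depend on the session cookie.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Raised once session state has been loaded for the current request.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null)
            return; // request served without session state (e.g. static content)

        // Name stored by the page code from the question (key as used there).
        string cachedName = ctx.Session["User Name"] as string;

        // Identity authenticated for *this* request.
        string currentName = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name
            : null;

        // A populated session presented by a different (or anonymous) caller means
        // the session ID is being used by someone it was not issued to.
        if (cachedName != null &&
            !string.Equals(cachedName, currentName, StringComparison.OrdinalIgnoreCase))
        {
            ctx.Session.Clear();
            ctx.Session.Abandon();

            // Overwrite the cookie so the browser gets a fresh session ID next time.
            ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
            {
                HttpOnly = true,
                Secure = ctx.Request.IsSecureConnection
            });

            ctx.Response.StatusCode = 403;
            CompleteRequest(); // skip the page handler and go straight to EndRequest
        }
    }
}
```

With this in place the cached "Administrator" flag is only ever read for the user it was computed for; it does not stop a stolen cookie being replayed by someone authenticated as the same account.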