Question

I wrote an ASP.Net MVC app that stores Session information in the database, but I can see the session id being stored in a browser cookie "ASP.NET_SessionId". Is this a security risk? Can the id be used to hack/steal a user's session?

Solution

The session id in the cookie is used to relate a stateless web request to stored state on the server.

With regard to security I don't think the ASP.NET_SessionId contains authentication details - that's the .ASPXAUTH (if you are using the built-in .NET membership providers). I think it can, in some circumstances, be used to steal a user's session.

A great read on this is Troy Hunt's blog, particularly this post Anatomy of an insufficient transport layer protection attack where he packet sniffs the cookies of wifi users in a McDonalds and logs in as them.
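As an added example (not part of the question or the answer above), here is a web.config excerpt that puts the weak cookie settings next to a hardened version that addresses the sniffing scenario the answer links to: the Secure flag keeps ASP.NET_SessionId and .ASPXAUTH off plain HTTP, HttpOnly keeps them away from script, and an HTTP-to-HTTPS redirect makes that workable. It assumes .NET Framework 4.7.2 or later for the sameSite attributes, the IIS URL Rewrite module, and uses a placeholder login path and connection string.

```xml
<!-- web.config excerpt (added example): weak settings vs hardened settings -->
<configuration>
  <system.web>
    <!-- BEFORE (weak): cookies sent over plain HTTP and readable from document.cookie -->
    <!--
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="false" />
    </authentication>
    -->

    <!-- AFTER (hardened) -->
    <!-- requireSSL sets the Secure flag, so the browser never sends the cookies
         over HTTP; httpOnlyCookies blocks access from script; sameSite limits
         cross-site sends (sameSite attribute needs .NET Framework 4.7.2+) -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Lax" />

    <!-- The forms ticket (.ASPXAUTH) is the cookie that actually carries the
         login, so it gets the same treatment; loginUrl is a placeholder -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true"
             cookieSameSite="Lax" slidingExpiration="false" timeout="30" />
    </authentication>

    <!-- Session state in SQL Server, as the question describes; the connection
         string is a placeholder. cookieless="false" keeps the session id out of
         URLs, where it would otherwise end up in logs and Referer headers -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="Data Source=PLACEHOLDER;Integrated Security=True"
                  cookieless="false" cookieSameSite="Lax" timeout="20" />
  </system.web>

  <!-- Redirect plain-HTTP requests to HTTPS so the Secure cookies can be used
       at all (requires the IIS URL Rewrite module) -->
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

A quick check after deploying: log in, inspect the Set-Cookie headers in the browser's developer tools, and confirm both ASP.NET_SessionId and .ASPXAUTH carry the Secure and HttpOnly attributes.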

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow