Hide ASP.NET_SessionId Cookie
2.6k Views Asked by user1513030 At
I wrote an ASP.Net MVC app that stores Session information in the database, but I can see the session id being stored in a browser cookie "ASP.NET_SessionId". Is this a security risk? Can the id be used to hack/steal a user's session?
The session id in the cookie is used to relate a stateless web request to stored state on the server.
With regard to security, I don't think the ASP.NET_SessionId contains authentication details; that's the .ASPXAUTH cookie (if you are using the built-in .NET membership providers). I think it can, in some circumstances, be used to steal a user's session.
A great read on this is Troy Hunt's blog, particularly the post "Anatomy of an insufficient transport layer protection attack", where he packet-sniffs the cookies of wifi users in a McDonald's and logs in as them.
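As an added example (not part of the question or the answer above), this is the web.config fragment for an ASP.NET full-framework app with SQL Server session state, showing the weak cookie settings beside the hardened ones that stop the session and forms-auth cookies being sent over plain HTTP or read from script. The connection string, login URL and timeout are assumed placeholders.

```xml
<!-- Added example, not from the original post. Connection string, login URL
     and timeout are assumed placeholders for illustration. -->
<configuration>
  <system.web>
    <!-- BEFORE: cookies may be sent over plain HTTP, so ASP.NET_SessionId
         and .ASPXAUTH are readable by anyone on the same network path
         (the situation in the Troy Hunt post), and by page script. -->
    <!--
    <sessionState mode="SQLServer"
                  sqlConnectionString="Data Source=DB_SERVER_PLACEHOLDER;Integrated Security=True" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="false" />
    </authentication>
    -->

    <!-- AFTER: every cookie ASP.NET issues carries the Secure flag
         (requireSSL) and the HttpOnly flag; the session id is never
         carried in the URL (cookieless="UseCookies"); idle sessions
         expire after the placeholder timeout. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="Data Source=DB_SERVER_PLACEHOLDER;Integrated Security=True"
                  cookieless="UseCookies"
                  timeout="20" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             requireSSL="true"
             slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
```

With requireSSL="true" the browser will not send the cookies over HTTP at all, so the site must be served over HTTPS end to end or sessions and logins silently stop working. These flags protect the cookie in transit and from script; they do not protect a session id that has already leaked from the client machine.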