How secure are session variables?


VB Programmer

I often use session variables to store the user's security level, and other
important info. How secure are session variables? Can someone decrypt it
and get the information? (This would be especially important to know if the
session vars contain things like credit card numbers.)

Any better, more secure alternatives? How would you store credit card
numbers etc... temporarily if not using session vars?

Thanks!
 

John M Deal

On the first point, session variables are not something people can get
to from the client side unless you send them to them. What you see on
the client side is a session identifier that allows the server to
retrieve the actual session values.

The better way of storing sensitive data is to put it in a database in
an encrypted format (how you decide to do that is up to you) and only
pull it out as you need it, retrieving it each time from scratch. The
hit of this particular retrieval is offset by the security of not
exposing the sensitive information. However, this still isn't secure
unless you ask the user to log in over a secure connection just before
retrieving the data, as an unsecured session identifier (cookie or
querystring) can be grabbed and then used to spoof the identity of the user.

Just remember the farther you go down the security path the more you
have to take into account, the more threats that you need to mitigate,
and the more expensive your solution becomes. Hope something in all of
this helps you in some way.

Have A Better One!

John M Deal, MCP
Necessity Software
 

Guest

As far as I know, if important information is stored as clear text (i.e.
unencrypted) in session variables, it is open to sniffing. If a memory
snapshot is taken by some rogue software or by some crash dump, somebody could
examine your info even if it is in session variables.

One of my favorite editions in MSDN is the November 2004 issue. A lot of
gems can be learned from this one:

http://msdn.microsoft.com/msdnmag/issues/04/11/default.aspx

HTH
 

Guest

As far as I know, if important information is stored as clear text (i.e.
unencrypted) in session variables, it is open to sniffing. If a memory
snapshot is taken by some rogue software or by some crash dump, somebody could
examine your info even if it is in session variables.

One of my favorite editions of MSDN is the November 2004 issue. A lot of
security-related lessons can be learned from this issue:

http://msdn.microsoft.com/msdnmag/issues/04/11/default.aspx

HTH
 

Kevin Spencer

Session is a region of memory. The only entity that has access to it is the
Application itself.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Neither a follower
nor a lender be.
 

Kevin Spencer

Well, let me correct myself in one regard. Session State can also be stored
in a web farm in a SQL Server database, or in memory, in a single State
Server. In that case, the sending of Session data to and from the State
server could be intercepted, depending upon how secure your network is.
However, as the traffic is generally going to be confined to the immediate
subnet, and assuming that your network admins are doing their job right, it
is still safe.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Neither a follower
nor a lender be.
 
Good info on security! My question follows the same line, but opposite:

I want to store security access levels in a session variable. Is it possible for anyone to somehow change the value of a session variable (and therefore make themselves an admin until the session variable is updated from the database)?
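The replies above make two points that are easier to see in running code: the browser only ever holds an opaque session identifier while the values live on the server (so a client cannot edit the access level directly), but whoever presents a captured identifier gets the session, which is why John M Deal suggests a fresh login over a secure connection before sensitive data is retrieved. The following is an added, constructed example in Python, not ASP.NET's own code and not code from anyone in this thread; the in-memory dictionary stands in for the in-process, State Server or SQL Server session store, and the function names, the 120-second step-up window and the "4242" sample value are all assumptions made for the illustration.

```python
import secrets
import time

# Constructed in-memory session store: opaque session id -> server-side values.
# It stands in for ASP.NET's in-process, State Server or SQL Server store;
# the browser only ever holds the id (cookie or querystring), never the values.
_SESSIONS: dict = {}

STEP_UP_MAX_AGE = 120  # assumed: seconds a login stays fresh enough to read sensitive data


def _new_id() -> str:
    # 192 bits of randomness: ids cannot be guessed or incremented by a client
    return secrets.token_urlsafe(24)


def new_session() -> str:
    """Create an empty session; return the id that becomes the client's cookie."""
    sid = _new_id()
    _SESSIONS[sid] = {}
    return sid


def load_session(cookie_value):
    """Resolve a client-presented id to its server-side dict, or None if unknown.
    The client chooses only which id it presents, never what the store holds."""
    if not cookie_value:
        return None
    return _SESSIONS.get(cookie_value)


def login(sid, username, access_level, now=None):
    """Record an authenticated user and rotate the session id.
    Rotating on privilege change means an id planted or observed before login
    (session fixation) no longer maps to the privileged session."""
    old = _SESSIONS.pop(sid, {})
    new_sid = _new_id()
    _SESSIONS[new_sid] = {**old,
                          "user": username,
                          "access_level": access_level,
                          "auth_time": time.time() if now is None else now}
    return new_sid


def get_access_level(cookie_value):
    """What the application trusts: read from the store, never from the client."""
    sess = load_session(cookie_value)
    return None if sess is None else sess.get("access_level", "anonymous")


def store_sensitive(sid, value):
    """Keep only a non-secret reference in session (here: last four digits);
    the full record belongs encrypted in the database, which is not modelled."""
    _SESSIONS[sid]["card_last4"] = value


def read_sensitive(cookie_value, now=None):
    """Release the sensitive value only to a session whose login is recent.
    A captured id on its own stops working once STEP_UP_MAX_AGE has elapsed;
    the holder has to log in again (over TLS) first."""
    sess = load_session(cookie_value)
    if sess is None or "auth_time" not in sess:
        return None
    now = time.time() if now is None else now
    if now - sess["auth_time"] > STEP_UP_MAX_AGE:
        return None
    return sess.get("card_last4")


def tamper_attempts(sid):
    """Show what a client can and cannot do with the id it holds."""
    results = {}
    # 1. Sending a literal value such as "admin": no such key exists in the store.
    results["literal_admin"] = get_access_level("admin")
    # 2. Changing one character of a genuine id: no such session exists either.
    flipped = sid[:-1] + ("A" if sid[-1] != "A" else "B")
    results["flipped_id"] = get_access_level(flipped)
    # 3. The genuine id still maps to the unchanged server-side access level.
    results["genuine"] = get_access_level(sid)
    return results


if __name__ == "__main__":
    sid = new_session()
    sid = login(sid, "alice", "user", now=1000.0)   # constructed sample user
    store_sensitive(sid, "4242")                     # constructed sample value
    print(tamper_attempts(sid))
    print(read_sensitive(sid, now=1050.0))   # fresh login: value released
    print(read_sensitive(sid, now=2000.0))   # stale login: None, re-authenticate first
```

The design choice to note is that nothing about the access level ever travels to the client, so the last question's concern (editing a session variable to become admin) reduces to obtaining a valid identifier; the two defences shown are rotating the identifier at login and limiting what an identifier alone can unlock.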
 
