I get that regular ASP finagles statefulness using viewstate, but MVC doesn't try to perpetuate the bold-faced lie of statefulness. So how is it able to maintain sessions?
- A cookie contains the session ID. – CodesInChaos, May 11, 2013 at 15:42
- Ah, so if cookies are disabled, then there is no session. Is it possible to spoof a cookie? – sircodesalot, May 11, 2013 at 15:44
- Yes, you can spoof nearly anything. – ppetrov, May 11, 2013 at 15:46
- @sircodesalot The client can manipulate the cookie as it likes. But if the server does implement sessions correctly, then guessing a valid session id is practically impossible. I don't know how ASP.net does it, but a popular mechanism is generating a random 128-bit value as session ID. – CodesInChaos, May 11, 2013 at 15:49
- Maintaining state and session are 2 different things. ASP.NET and ASP.NET MVC can handle SessionState. ASP.NET has ViewState for stateful pages. – Mathias F, May 11, 2013 at 19:48
2 Answers
By default it stores a randomly generated number in a cookie and stores that in memory. If the browser says it doesn't support cookies, asp.net will then instead add the session key in the URL; it will show up like http://myurl.com/(S(rpfa4y3c5oe2c555ljanprek))/Controller/Action
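As an added example (not from the question or answers, and not ASP.NET's own implementation), here is a small Python session store that does what the answer above and CodesInChaos's comment describe: a 128-bit CSPRNG session id kept only server-side, resolved either from the session cookie or from the cookieless `(S(...))` URL form the answer shows. The cookie name ASP.NET_SessionId is ASP.NET's conventional one; the store and function names are hypothetical.

```python
import re
import secrets

# Cookieless form quoted in the answer: /(S(<session key>))/Controller/Action
COOKIELESS_RE = re.compile(r"/\(S\(([A-Za-z0-9]+)\)\)/")
SESSION_COOKIE = "ASP.NET_SessionId"  # ASP.NET's conventional cookie name


class SessionStore:
    """Hypothetical in-memory store: the client only ever holds an opaque key."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        # 128 bits from the OS CSPRNG: the id space is 2**128, so a client that
        # edits its cookie has no realistic chance of landing on a live session.
        sid = secrets.token_hex(16)
        self._sessions[sid] = data
        return sid

    def lookup(self, sid):
        # Unknown or tampered ids simply resolve to no session.
        if not sid:
            return None
        return self._sessions.get(sid)


def session_id_from_request(cookies, path):
    """Prefer the cookie; fall back to the cookieless URL form."""
    sid = cookies.get(SESSION_COOKIE)
    if sid:
        return sid
    match = COOKIELESS_RE.search(path)
    return match.group(1) if match else None


def resolve_session(store, cookies, path):
    """What a request handler would do: turn the presented key into session data."""
    return store.lookup(session_id_from_request(cookies, path))
```

A forged or edited cookie is never trusted as data, only used as a lookup key, so spoofing a session means obtaining a victim's real id rather than guessing one.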
It is using a Session ID to identify a user, stored in cookies. Spoofing is possible if you know the victim's ID, and if other security measures won't interfere (e.g. IP-based authentication).
4 Comments
ppetrov
you also can use a fake IP in some circumstances
sircodesalot
Wow, I'm familiar with desktop programming, but I'm fairly new to web development. Sounds like web security is fairly complex. Any resources I can turn to to learn more?
marc_s
@sircodesalot: the OWASP Top 10 Project is probably your best starting point
Mark Segal
@sircodesalot actually, not really. It's all about sanitizing input, just like in every server based programming.