  1. #1
    Regular Coder
    Join Date
    Sep 2007
    Posts
    179
    Thanks
    4
    Thanked 0 Times in 0 Posts

    don't move!!! CSI ASP!

    even if you use several Sessions on your page... and even if they are encrypted...
    and even if you pass a hidden variable by POST...
    YOU WON'T BE SAFE

    sessions-
    Code:
    Session("sd233asd2334asdf342sdf")="sdsdsd343fsd34234"
    because sessions look at your IP... and if you leave your page, someone can mask his IP and enter the page you left with your IP... and the page will think that he is you and will let him do everything he wants.

    post variable-
    Code:
    <input type="hidden" name="rwerfsrf3434" value="ewrwerwf3343">
    you can see it in the HTML... it is not a problem, even for a bot, to copy those variables and send them via POST to enter some page...

    what can we do?
    By the time u recognize this moment, This moment will be gone.

  • #2
    Regular Coder
    Join Date
    Sep 2007
    Posts
    120
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Oh my,

    Thanks for the warning.

  • #3
    Regular Coder
    Join Date
    Sep 2007
    Posts
    179
    Thanks
    4
    Thanked 0 Times in 0 Posts

    and that means??

    log in to some session-secured page that you made... then change your IP and try again... you won't be logged in... then, when you've got the new IP, use a simple IP masking program and mask to the IP you had before...
    I suggest using the MascHack v6.3... it's difficult to get but the best...
    it's not like "man in the middle" but much simpler...
    Last edited by sasha85; 10-02-2007 at 10:30 AM.
    By the time u recognize this moment, This moment will be gone.

  • #4
    Regular Coder
    Join Date
    Mar 2007
    Posts
    505
    Thanks
    1
    Thanked 19 Times in 19 Posts
    Here's a simple way around this -- Don't use session variables based on IPs!

    If you do use them, you are bound to run into issues like this.

    Also, whenever you are done with a page (like a logout page, or a redirect to the login page), use the Session.Contents.Remove("") command. That way, not only do you set the session variable to EMPTY (as empty and NULL are different), you also remove the Session Name from memory.
    To say my fate is not tied to your fate is like saying, 'Your end of the boat is sinking.' -- Hugh Downs
    Please, if you found my post helpful, pay it forward. Go and help someone else today.
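
A logout routine and a page guard along the lines of post #4, as an added example that is not part of the original thread. The session key name `UserID` and the page `login.asp` are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example: "UserID" and "login.asp" are assumed names, not from the thread.

' Call at the top of every protected page (for instance from an include file).
Sub RequireLogin()
    ' Ask browsers and proxies not to keep a copy of the protected page,
    ' so it is not re-displayed from cache after the user has logged out.
    Response.Expires = -1
    Response.CacheControl = "no-cache"
    Response.AddHeader "Pragma", "no-cache"

    ' A key that was removed (or never set) reads back as Empty.
    If IsEmpty(Session("UserID")) Then
        Response.Redirect "login.asp"
    End If
End Sub

' Call from the logout page.
Sub Logout()
    ' Remove the named login key from the session, as post #4 suggests,
    ' rather than only assigning it an empty value.
    Session.Contents.Remove "UserID"

    ' Remove every other key stored for this session as well.
    Session.Contents.RemoveAll

    ' Destroy the session's stored objects once this request finishes.
    Session.Abandon

    Response.Redirect "login.asp"
End Sub

' This file acts as logout.asp: end the session and return to the login page.
Logout
%>
```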

