View Full Version : don't move!!! CSI ASP!

10-02-2007, 03:02 AM
even if you will use several Sessions on your page...and even if the will be encrypted...
and even if you will pass a hidden variable by poss...


cause sessions looks at you your ip...and if you will get out from your page some one can mask his ip and enter the page you left with your ip...and the page will think that he is you and will let him do everything he wants.

post variable-

<input type="hidden" name="rwerfsrf3434" value="ewrwerwf3343">
you can see it on html...this is not a problem even to a bot , to copy those variables and to via post to enter some page..

what can we do?:rolleyes:

Whatever Jr.
10-02-2007, 11:11 AM
Oh my,

Thanks for the warning.

10-02-2007, 11:17 AM
log in to some session secure page that you made...than change your ip try again...you won't be logged in...that when you got the new IP, use a simple ip masking prog and mask to the the ip you had before...
i suggest using the MascHack v6.3...it's difficult to get but the best...
it not like "man in the middle" but much more simple...

10-02-2007, 02:19 PM
Here's a simple way around this -- Don't use session variables based on IPs!

If you do use them, you are bound to run into issues like this.

Also, whenever you are done with a page (like a logout page, or a redirect to the login page), use the Session.Contents.Remove("") command. That way, not only do you set the session variable to EMPTY (as empty and NULL are different), you also remove the Session Name from memory.