#1
even if you will use several Sessions on your page...and even if they will be encrypted...
and even if you will pass a hidden variable by post... YOU WON'T BE SAFE

sessions-
Code:
Session("sd233asd2334asdf342sdf")="sdsdsd343fsd34234"
because sessions look at your ip...and if you will get out from your page someone can mask his ip and enter the page you left with your ip...and the page will think that he is you and will let him do everything he wants.

post hidden variable-
Code:
<input type="hidden" name="rwerfsrf3434" value="ewrwerwf3343">
you can see it on html...this is not a problem even to a bot, to copy those variables and via post to enter some page..

what can we do?
#2
Fantasy threads belong in the lounge, not the asp forum, and since the post is full of erroneous information, it's moved. And besides the topic title annoyed me.
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
#3
sorry hantz, but what you said is far from being true.
no idea where you learned this, you probably misread something. if you can come up with proof of what you say, be my guest.
#4
people are you for real??
what is not true??
man...i can't believe u deleted the topic because you do not believe or because you are afraid of the law?? because that's exactly how you hack... that's like "man in the middle" but much more simple... you just need to mask your ip to some users ...that's easier than stealing cookies... people i see you are great in ASP but are not attached to the hacking world...and that's kind of strange...
#5
The topic has not been deleted, it has been moved.
Quote:
I believe they are referring to this statement:-
Quote:
A session does not store your IP address in the HTML code of a page or use hidden form elements to store data, which I believe is what you are suggesting.
Not quite sure what relevance the code you posted has. I don't think we understand the point you're trying to make. That you can see hidden form elements in the HTML source? That sessions create hidden form elements for you? That sessions store your IP address in the HTML code?
__________________
Policy Check I'd rather have a full bottle in front of me, than a full frontal lobotomy...
Last edited by richyrich : October 2nd, 2007 at 05:50 AM.
#6
the topic is not deleted, it was moved to the Lounge forum.
if you're so smart, please prove your claims, otherwise don't assume what we know and what we don't know. if I now have your IP, nothing will happen unless the code itself is using the IP as the key - not a good idea. I won't have your cookies by having your IP.
#7
it's like asking
"where is my car?" and to get the answer- "you don't have a car! go away"
i won't write more about this because i see no one knows or no one wants to share... then it's my last post and it goes like this- you can test it in many ways- when you are getting sessions as security validation the sessions look at your ip...and when you close your browser, in that moment someone can mask his ip to yours and open the same page you just closed and the server will think that that is you... that you just closed and opened the window again and won't ask for validation again.
#8
ummm....no
__________________
jmurrayhead Did I help you out? Make me popular by clicking the icon! New Members: Proper way to post a question. Powered by ASP.Net
#9
do whatever you wish.
session is based on something known as Session ID. it's not IP. the Session ID is being stored as a memory-only cookie on the browser and that's what is used to identify the browser.
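The lookup described in the post above, as an added illustration that is not part of the thread and not ASP's own session code: a simplified session table resolved by the session ID cookie alone. The class `SessionStore`, the cookie name `SESSIONID` and the addresses are assumptions made for this example.

```python
import secrets


class SessionStore:
    """Simplified model of a server-side session table (hypothetical, not ASP's code)."""

    COOKIE = "SESSIONID"  # assumed cookie name for this example

    def __init__(self):
        self._sessions = {}  # session ID -> per-session data

    def handle(self, client_ip, cookies):
        """Resolve one request to (session_id, data, is_new).

        client_ip is accepted only to show that it plays no part in the lookup.
        """
        sid = cookies.get(self.COOKIE)
        if sid in self._sessions:
            return sid, self._sessions[sid], False
        # No cookie, or an ID the server never issued: start an empty session
        # under a fresh, unguessable ID (never reuse a client-supplied value).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid, self._sessions[sid], True


def demo():
    store = SessionStore()
    ip = "203.0.113.10"  # constructed address from a documentation range

    # First visit: no cookie yet, so a session is issued; the user then logs in.
    sid, data, _ = store.handle(ip, {})
    data["user"] = "alice"

    # Same browser, cookie still in memory: the login state is found again.
    _, again, again_new = store.handle(ip, {SessionStore.COOKIE: sid})

    # Browser closed: the memory-only cookie is gone. A request from the very
    # same IP without it gets a new, empty session and must log in again.
    sid2, reopened, reopened_new = store.handle(ip, {})

    # The address is never consulted: the same cookie from another address
    # resolves to the same session, so the ID is the value to keep secret.
    _, moved, _ = store.handle("198.51.100.7", {SessionStore.COOKIE: sid})

    return {"same_browser": again.get("user"), "same_browser_new": again_new,
            "reopened_user": reopened.get("user"), "reopened_new": reopened_new,
            "new_id_differs": sid2 != sid, "other_ip_user": moved.get("user")}
```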
#10
I'm unsure if you are asking a question or making a statement?
If you're asking can someone access a secure account by masking your IP address and then trying to logon to the site the exact moment you leave the site, then No. See the reply from Shadow Wizard above. If you are using IP to validate users on your own site then I suggest you change this.
No-one is trying to be difficult. You have made a technical statement that everyone on here disagrees with. If you know something that we don't, perhaps you could post an example of how/where you have achieved or read this?
Hope that makes it clearer.
#11
there is that security breach in Gmail that allows hackers to steal user accounts while browsing their emails - do you mean such stuff, hantz? even so, this is a problem with their code and got nothing to do with the system.