Can MVC Session[] data be hacked?

In an MVC App, can Session[] be hacked?

How confident should a Controller Action be that the Session data is legit?

Something tells me, zero percent confident.

Is the data stored in Session[] under the same restriction as query string params? That it must be encrypted? Or does the .NET Framework take care of that?

newbieweb, Sr. Software Engineer, Asked:

kaufmed 👽 Commented:
What kind of scenario are you envisioning this being hacked under? Session data is stored on the server--either in memory, in a database, or via some other mechanism. The only thing session-related that is shared between the client and the server is the session identifier. If you're not using SSL, then you could certainly divulge that session identifier to malicious actors sitting between you and your clients. If you're not protecting your page from XSS, then you could divulge that. If you're not protecting your cookies (which is where the session ID typically gets stored client-side), then you could divulge that.

But no, you cannot inject code into the request that would cause the server to send back additional session data. If your application was doing that, then you've coded something very badly.
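
The answer above names the session identifier as the only session-related value the client holds, and lists missing SSL, XSS, and unprotected cookies as the ways it leaks. As an added example (not part of the original answer), this Python script audits response headers for those exposures; `ASP.NET_SessionId` is ASP.NET's default cookie name, `/(S(...))/` is ASP.NET's cookieless-session URL form, and the function names and sample headers are constructed for illustration.

```python
import re

# ASP.NET's default session cookie name; pass another if the app renames it.
SESSION_COOKIE = "ASP.NET_SessionId"
# Cookieless ASP.NET sessions embed the ID in the URL path as /(S(<id>))/
URL_SESSION_ID = re.compile(r"/\(S\([a-z0-9]+\)\)/", re.IGNORECASE)

REASONS = {
    "no-secure": "cookie lacks Secure, so the session ID can cross plain HTTP",
    "no-httponly": "cookie lacks HttpOnly, so script injected via XSS can read it",
    "id-in-url": "session ID is in the URL, where logs and Referer headers expose it",
}

def parse_set_cookie(value):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    pair, *attrs = [part.strip() for part in value.split(";")]
    name = pair.partition("=")[0].strip()
    return name, {a.partition("=")[0].strip().lower() for a in attrs if a}

def audit_response(headers, cookie_name=SESSION_COOKIE):
    """headers: list of (name, value) response headers. Returns sorted finding codes."""
    findings = set()
    for header, value in headers:
        h = header.lower()
        if h == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if name == cookie_name:
                if "secure" not in attrs:
                    findings.add("no-secure")
                if "httponly" not in attrs:
                    findings.add("no-httponly")
        elif h == "location" and URL_SESSION_ID.search(value):
            findings.add("id-in-url")
    return sorted(findings)

# Constructed sample responses (not captured from any real application).
WEAK = [("Set-Cookie", "ASP.NET_SessionId=constructed0000000000001; path=/")]
COOKIELESS = [("Location", "/(S(constructed0000000000001))/Home/Index")]
HARDENED = [("Set-Cookie",
             "ASP.NET_SessionId=constructed0000000000001; path=/; secure; HttpOnly")]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("cookieless", COOKIELESS), ("hardened", HARDENED)):
        for code in audit_response(resp) or ["ok"]:
            print(label, code, REASONS.get(code, ""))
```
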
