Security in HttpSession [Discussion]
We use the HttpSession in our web applications. The most common example of using the HttpSession is the login procedure. If the user has logged in, the web application creates a new HttpSession in the system. This HttpSession has a unique id. This id will be stored in that user's browser as a cookie (there are other ways to store it). So if the user requests information again, the web application checks whether this user has logged in or not by checking if the user has the HttpSession id in his request.
I want to discuss the security of this procedure with you.
Let's start with these questions:
1. If a hacker hacks the computer of a user that has been logged in, and the hacker takes the user's cookie, can the hacker use it? Why? How do we solve this, if yes?
2. Is there a relation between a HttpSession id and the user's IP, or must the developer store the user's IP in the HttpSession manually?
3. Suppose that the web application stores the IP address of the request in the HttpSession to check whether the next request comes from the same user or not, but the hacker that I talked about in question #1 is in the same local network (has the same IP address). Can the hacker succeed? Why? How do we solve this, if yes? Can we check the IP and the port? How?
4. Can we know the MAC address of the HttpRequest? How, if yes?
5. I heard that "One way to know the sites that users visit most is fetching the users' cookies". If this is true, how can a site fetch a user's cookies for another site? Is it a legal procedure or is it a bug in some browsers?
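The session-id mechanism described in the opening post, as an added example that is not part of the thread. It is written in Python with a small in-memory store standing in for a servlet container's HttpSession, so the whole flow runs offline: a random id is issued at login (replacing any id the client presented before authenticating), handed to the browser with the HttpOnly, Secure and SameSite cookie attributes, and checked on later requests against idle timeout, server-side logout and, optionally, the IP seen at login. The cookie name `SESSIONID`, the `SessionStore` class, the `bind_ip` option, the sample addresses and the fake clock are all assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"   # cookie name (assumption; servlet containers typically use JSESSIONID)
IDLE_TIMEOUT = 15 * 60         # seconds of inactivity after which a session id is discarded


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client_ip: str     # IP address seen at login, consulted only when bind_ip is enabled


class SessionStore:
    """Minimal in-memory session store (stands in for a container's HttpSession)."""

    def __init__(self, clock=time.time, bind_ip=False):
        self._sessions = {}
        self._clock = clock          # injectable clock so the timeout can be exercised in tests
        self.bind_ip = bind_ip       # assumed policy switch: tie the id to the login IP or not

    def login(self, user, client_ip, presented_sid=None):
        """Create a fresh session after successful authentication and return its id."""
        # Never keep the id the client arrived with: a new id on login defeats session fixation.
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG, not guessable
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, client_ip)
        return sid

    def set_cookie_header(self, sid):
        """Build the Set-Cookie header that hands the id to the browser."""
        c = SimpleCookie()
        c[SESSION_COOKIE] = sid
        c[SESSION_COOKIE]["httponly"] = True   # not readable by page scripts
        c[SESSION_COOKIE]["secure"] = True     # only sent over HTTPS
        c[SESSION_COOKIE]["samesite"] = "Lax"  # not attached to most cross-site requests
        c[SESSION_COOKIE]["path"] = "/"
        return c.output(header="Set-Cookie:")

    def lookup(self, cookie_header, client_ip):
        """Return the logged-in user for this request, or None if it carries no valid session."""
        c = SimpleCookie()
        c.load(cookie_header or "")
        morsel = c.get(SESSION_COOKIE)
        if morsel is None:
            return None                        # no session cookie at all
        sess = self._sessions.get(morsel.value)
        if sess is None:
            return None                        # unknown, forged, or already logged-out id
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[morsel.value]   # stale id can no longer be replayed
            return None
        if self.bind_ip and sess.client_ip != client_ip:
            return None                        # id presented from a different address
        sess.last_seen = now
        return sess.user

    def logout(self, sid):
        """Invalidate the session on the server; the cookie alone is then worthless."""
        self._sessions.pop(sid, None)


def demo():
    """Walk through login, a normal request, and the checks that reject a copied or stale id."""
    clock = [1_000.0]                          # constructed clock value, advanced by hand below
    store = SessionStore(clock=lambda: clock[0], bind_ip=True)
    sid = store.login("alice", "10.0.0.5", presented_sid="id-set-before-login")
    results = {
        "same_client": store.lookup(f"{SESSION_COOKIE}={sid}", "10.0.0.5"),
        "other_ip": store.lookup(f"{SESSION_COOKIE}={sid}", "10.0.0.9"),
        "forged_id": store.lookup(f"{SESSION_COOKIE}={'A' * 43}", "10.0.0.5"),
        "no_cookie": store.lookup("", "10.0.0.5"),
    }
    clock[0] += IDLE_TIMEOUT + 1
    results["after_timeout"] = store.lookup(f"{SESSION_COOKIE}={sid}", "10.0.0.5")
    return results


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: {user}")
```

The `bind_ip` check is deliberately optional: clients behind the same NAT share one public address, so it does not distinguish two machines on one local network, and clients whose address changes mid-session (mobile networks, proxies) get logged out. The client's source port cannot serve as a substitute, since it is chosen per TCP connection and changes between requests. Short idle timeouts and server-side invalidation on logout limit how long a copied id stays usable regardless of where it is presented from.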