WebApp Sec mailing list archives

Session ID Abuse


From: Johnny GoLightly <mywebquestion () yahoo com au>
Date: 12 Feb 2004 22:21:53 -0000



Hi all,

I have some questions regarding session IDs.

Consider the following scenario:

User requires access to a web application for a long period of time with inactivity. Therefore assume that the session ID never expires.

Session information stored on web server (or application server) says that this user has read-only access to the 
information shown on the page which is extracted from a database.

The application auto refreshes the page on the browser every 15 minutes with updated info that other users may have 
entered in the preceding period.

Is it possible for:

1.  Another user to change the session information on the server and change access from read-only to write (by knowing the session ID)?

2.  Knowing the session ID (perhaps from info in the URL), can one create another session from another browser using the same session ID?

3.  How can you effectively limit concurrent access to only 1 session?

4.  If client-side certificates were to be used, could you create another session from another browser once the first session was authenticated? i.e., how do you restrict the access to only one browser?

5.  If you are using server side validation for all user invoked queries, is it still possible to force data into the 
application to elevate your role?  Assume that user roles are clearly defined in the db.

6.  If a user with high privileges (such as write to DB) leaves a workstation unattended with no session timeout, are there any controls that one could put in place to still validate that the user is the privileged user after a period of time? For example, keep the session active, but to make any changes the application must validate information on a USB key?

7.  How do you choose between session IDs tagged in the URL and session IDs in cookies?  How do you restrict the information in either the URL or the cookie so that users can't use this info to abuse the application?


Thanks

Johnny
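The questions above map onto a handful of server-side session controls: keep the role in server-held state that the request cannot touch (1, 5), bind the session to something the server can verify per request and destroy it on mismatch (2, 4), evict the previous session on a new login (3), separate "session alive" from "user recently proved presence" so writes can demand step-up re-authentication (6), and carry the ID in a protected cookie rather than the URL (7). The following is an added example illustrating those controls, not code from the post or any product discussed in this thread; the timeout values, the role table, the client identifiers and the `request` field names are constructed assumptions.

```python
"""Server-side session store applying the controls asked about above.
Added example, not code from the original post; timeouts, roles and
client IDs are constructed assumptions."""
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60    # assumed idle limit (s); the 15-minute auto-refresh resets it
STEPUP_WINDOW = 5 * 60    # assumed max age of a re-authentication before a write is refused


class SessionStore:
    def __init__(self, roles, clock=time.time):
        self._roles = roles          # user -> role, stands in for the roles table in the DB
        self._clock = clock          # injectable so expiry can be exercised without sleeping
        self._sessions = {}          # session ID -> server-side state
        self._by_user = {}           # user -> current session ID (Q3)

    def login(self, user, client_id):
        """client_id is whatever the server can verify on every request: the source
        IP, or better the fingerprint of the TLS client certificate (Q4)."""
        old = self._by_user.get(user)      # Q3: a new login evicts the previous session
        if old is not None:
            self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)    # 256 random bits; not derivable from other IDs
        now = self._clock()
        self._sessions[sid] = {
            "user": user,
            "role": self._roles[user],     # Q1: role fixed server-side at login
            "client_id": client_id,
            "last_seen": now,
            "last_reauth": now,
        }
        self._by_user[user] = sid
        return sid

    def resolve(self, sid, client_id):
        """Session state or None.  A valid ID presented by a different client (Q2:
        copied from a URL) or after the idle limit destroys the session."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if s["client_id"] != client_id or now - s["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)               # fail closed: the real user logs in again
            return None
        s["last_seen"] = now
        return s

    def logout(self, sid):
        s = self._sessions.pop(sid, None)
        if s is not None:
            self._by_user.pop(s["user"], None)

    def reauthenticate(self, sid, client_id, credential_ok):
        """Q6: user proves presence again (password, USB token, ...) without a new
        session; only the step-up timestamp moves."""
        s = self.resolve(sid, client_id)
        if s is None or not credential_ok:
            return False
        s["last_reauth"] = self._clock()
        return True

    def write(self, sid, client_id, request):
        """Authorise a write.  `request` is client-supplied form/query data; a
        'role' field in it is deliberately never read (Q5)."""
        s = self.resolve(sid, client_id)
        if s is None:
            return "no session"
        if s["role"] != "write":
            return "forbidden"
        if self._clock() - s["last_reauth"] > STEPUP_WINDOW:
            return "reauth required"       # Q6: session alive, presence stale
        return "ok"


def session_cookie_header(sid):
    """Q7: Set-Cookie value carrying the ID outside the URL (no logs, bookmarks or
    Referer leakage); HttpOnly/Secure keep scripts and plain HTTP from reading it."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


def demo():
    """Walk through the questions with a fake clock; returns the outcomes."""
    now = [1_000_000.0]
    store = SessionStore({"alice": "read", "bob": "write"}, clock=lambda: now[0])
    out = {}
    a = store.login("alice", "10.0.0.5")
    out["tampered_role"] = store.write(a, "10.0.0.5", {"role": "write", "row": 7})  # Q5
    out["replay_other_client"] = store.resolve(a, "192.0.2.9") is None           # Q2
    b1 = store.login("bob", "10.0.0.6")
    b2 = store.login("bob", "10.0.0.6")
    out["first_session_evicted"] = store.resolve(b1, "10.0.0.6") is None          # Q3
    out["fresh_write"] = store.write(b2, "10.0.0.6", {"row": 7})
    now[0] += STEPUP_WINDOW + 1
    store.resolve(b2, "10.0.0.6")          # the auto-refresh keeps the session alive...
    out["stale_write"] = store.write(b2, "10.0.0.6", {"row": 7})                  # ...but not the step-up (Q6)
    out["reauth"] = store.reauthenticate(b2, "10.0.0.6", credential_ok=True)
    out["write_after_reauth"] = store.write(b2, "10.0.0.6", {"row": 7})
    now[0] += IDLE_TIMEOUT + 1
    out["idle_expired"] = store.resolve(b2, "10.0.0.6") is None
    return out
```

Two caveats on the binding in `resolve`: a source IP is a weak client identifier (users behind NAT share one, mobile users change theirs mid-session), so on real deployments it produces false lockouts; a TLS client-certificate fingerprint checked on every request is the strong form of the same idea and is what makes "only one browser" enforceable for question 4. Destroying the session on mismatch is a deliberate fail-closed choice: the legitimate user is logged out too, which is the cost of not letting a copied ID keep working.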

