-----------------------------------------------------------
New Message on BDOTNET
-----------------------------------------------------------
From: BanwariLal
Message 1 in Discussion

Hello All,

I am always in confusion while authenticating/authorizing in ASP.NET. Since .NET provides so many ways to do this, things are messed up in my mind. If someone could help me in this regard, it would be great.

1. To use simple cookies. It doesn't have any performance overhead in my opinion. But people say it's not good practice as it might compromise security. Okay, what if I am sending cookies after encryption? Are there still reasons not to use this approach? Well, .NET provides a ready-made class in the form of FormsAuthentication.

2. Simple Session variables. I generally need user id, name and privilege to be stored. Will it be too heavy, assuming at most 100 concurrent users? While I was reading ASP.NET KickStart, it says sessions too rely on cookies!!! Hence sessions won't work if the user has disabled cookies in the browser, is that correct???

3. Cookieless sessions or secure HTTP. What is the need for it? I haven't seen this approach in the practical world except (Gmail, Orkut etc.).

Another strange thing is that I wrote a page in which I used the FormsAuthentication class, I appended the cookie to the response, and I logged in. Then I went to the IE options and deleted all the cookies, files and history. Now practically my authenticity should be invalidated, as happens in Gmail, Yahoo etc. But it wasn't, and I was able to access all the protected pages. Why???

This is all getting me confused. Please solve all this.

Regards
--
Banwari Lal Sharma,
Software Developer,
Veracious Solutions, Bhopal
