-----------------------------------------------------------

New Message on BDOTNET

-----------------------------------------------------------
From: AnupPS
Message 2 in Discussion



Hi,

I agree with others that session variables are prone to hacking. But this used 
to be much of concern in the older days (3-4 years back) when the developers 
were concerned more about the growth of ecommerce and not its security aspects.


For eg. From those times, I remember yahoo sending unecrypted password on the 
wire. Today this is not a problem. (although most mail providers still dont 
take care)

Session variables can be a problem, because session ids are actually stored in 
cookies. If the session was not destroyed, the ID is still valid and this ID 
can be used by anybody(site) to access the data regarding the session. (Session 
ID is required because without that server does not know which client is being 
referred)


ASP.NET also gives you an option of not storing the Session ID in the cookie. 
Instead it is sent in the Query String. With HTTPS, this is a very powerful 
combination.


In Internet explorer, session IDs are not shared between windows (except that 
the other window(s) are Ctrl+N / child windows). Thats why you can open 
multiple yahoo accounts in Internet explorer.

The same is not possible with most of the other famous browsers. 

Users must log out so that the session are not accessed when they go to other 
sites. Else any site has access to the cookies related to the browser window, 
where it can get the session ID.

Regarding posting data between pages, yes it is a good way. But I remember 
having seen a question for that at bdotnet quite long back. There was a 
solution to do so without sessions. It was complicated, so I cant remember it 
(using HTTP context).

Therz a piece of advice. Everything that goes on the wire is prone to hacking. 
Its up to you to make it as difficult as possible, so that the cracker gives up 
before actually cracking it. Even the most secure protocols arent crack proof. 
They are just extremely difficult to crack bcoz we dont have the computing 
power today. 

 
Also it is important to evaluate the cost (and time) of security implementation 
against the kind of data being secured.

Regards,
Anup Shinde.


 


-----------------------------------------------------------

To stop getting this e-mail, or change how often it arrives, go to your E-mail 
Settings.
http://groups.msn.com/bdotnet/_emailsettings.msnw

Need help? If you've forgotten your password, please go to Passport Member 
Services.
http://groups.msn.com/_passportredir.msnw?ppmprop=help

For other questions or feedback, go to our Contact Us page.
http://groups.msn.com/contact

If you do not want to receive future e-mail from this MSN group, or if you 
received this message by mistake, please click the "Remove" link below. On the 
pre-addressed e-mail message that opens, simply click "Send". Your e-mail 
address will be deleted from this group's mailing list.
mailto:[EMAIL PROTECTED]

Reply via email to