----------------------------------------------------------- New Message on BDOTNET
----------------------------------------------------------- From: AnupPS Message 2 in Discussion Hi, I agree with others that session variables are prone to hacking. But this used to be much of concern in the older days (3-4 years back) when the developers were concerned more about the growth of ecommerce and not its security aspects. For eg. From those times, I remember yahoo sending unecrypted password on the wire. Today this is not a problem. (although most mail providers still dont take care) Session variables can be a problem, because session ids are actually stored in cookies. If the session was not destroyed, the ID is still valid and this ID can be used by anybody(site) to access the data regarding the session. (Session ID is required because without that server does not know which client is being referred) ASP.NET also gives you an option of not storing the Session ID in the cookie. Instead it is sent in the Query String. With HTTPS, this is a very powerful combination. In Internet explorer, session IDs are not shared between windows (except that the other window(s) are Ctrl+N / child windows). Thats why you can open multiple yahoo accounts in Internet explorer. The same is not possible with most of the other famous browsers. Users must log out so that the session are not accessed when they go to other sites. Else any site has access to the cookies related to the browser window, where it can get the session ID. Regarding posting data between pages, yes it is a good way. But I remember having seen a question for that at bdotnet quite long back. There was a solution to do so without sessions. It was complicated, so I cant remember it (using HTTP context). Therz a piece of advice. Everything that goes on the wire is prone to hacking. Its up to you to make it as difficult as possible, so that the cracker gives up before actually cracking it. Even the most secure protocols arent crack proof. They are just extremely difficult to crack bcoz we dont have the computing power today. Also it is important to evaluate the cost (and time) of security implementation against the kind of data being secured. Regards, Anup Shinde. ----------------------------------------------------------- To stop getting this e-mail, or change how often it arrives, go to your E-mail Settings. http://groups.msn.com/bdotnet/_emailsettings.msnw Need help? If you've forgotten your password, please go to Passport Member Services. http://groups.msn.com/_passportredir.msnw?ppmprop=help For other questions or feedback, go to our Contact Us page. http://groups.msn.com/contact If you do not want to receive future e-mail from this MSN group, or if you received this message by mistake, please click the "Remove" link below. On the pre-addressed e-mail message that opens, simply click "Send". Your e-mail address will be deleted from this group's mailing list. mailto:[EMAIL PROTECTED]
