cookieless session? Who has it working?

Discussion in 'ASP .Net Security' started by Tom Pester, Feb 22, 2004.

  1. Tom Pester

    Tom Pester Guest

    I experimented/researched cookieless sessions and tried it on my website.
    I expected the switch to cookieless sessions to be transparent but this isn'
    t the case at all:

    1) Forms based authentication doesn't work
    I read that the Whidbey release will support this and you can make it work
    today:
    http://www.codeproject.com/aspnet/cookieless.asp
    Still, it's a showstopper for most websites

    2) You can't use absolute links
    I think developers use this lot (at least I do to make the link callable
    from every place in the site, including other directories)
    I can understand a bit why fully qualified URL's aren't supported but why is
    it so hard to support absolute ones. Can anyone clarify this?
    Again there is a nontransparent solution: Response.ApplyAppPathModifier

    3) There is a major security risk
    See:
    http://builder.com.com/5100-6387-1044869.html
    And
    http://groups.google.com/groups?hl=...&q=cookieless+asp.net+alternative&sa=N&tab=wg

    No workaround possible I think


    (I expected more from Microsoft but as always they will fix this after some
    releases.)

    My questions:
    - Who uses cookieless state in a production website? Are you satisfied with
    the results?
    - Can someone, with more experience then me, confirm my 3 points (possibly
    someone from Microsoft)
    - Is there a 3rd party solution that makes cookieless websites a real
    choice? (No app changes is meant by this)

    For now I stay away from cookieless mode since it involves application
    changes and a big security risk.

    Please say that I am wrong :)
    Tom Pester, Feb 22, 2004
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Carpe Diem
    Replies:
    3
    Views:
    7,129
    Carpe Diem
    Feb 23, 2004
  2. Tom Pester

    cookieless session? Who has it working?

    Tom Pester, Feb 22, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    393
    .NET Follower
    Feb 23, 2004
  3. Hope Paka
    Replies:
    0
    Views:
    567
    Hope Paka
    Jun 7, 2005
  4. Replies:
    2
    Views:
    3,252
    Ravi Singh (UCSD)
    May 10, 2006
  5. MPF
    Replies:
    1
    Views:
    1,001
Loading...

Share This Page