how does cookieless = true work

G

Grant

Can anyone explained to me how the session state - cookieless = true work?
Where is the information stored in the URL? I am concern hat some one can
use that to the advantage (hacker). I have session state set to stateserver
so does that make any difference?



Thanks

Grant
 
S

S. Justin Gengo

Grant,

Yes then the session id is stored in the url.

Normally the session id is stored in a cookie on the user's machine.

There is no difference if sessions are stored on the server or on a state
server as long as the page receives the session id from the client in one
form or another.

I'm not positive if there are any security repercussions if the session id
is in the url vs. a cookie.

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche
 
C

Chris Jackson

What you store in the URL is the session ID of the current session. The
danger is session hijacking - somebody can use your session ID to pretend to
be you. In this case, the session ID is both in plain view (in the URL) and
stored on the hard drive, neither of which is true if you are using session
cookies. So it's a little bit easier to steal somebody's session, but it's
not as if they are otherwise unable to do so. If you have a truly dedicated
hacker, sniffing packets will reveal both being sent over the wire in
unencrypted text, so if your information is valuable, make sure you are
using HTTPS. With a secure connection, everything will be encrypted.
 
K

Kevin Spencer

The actual Session data never leaves the server. This is true of both
Cookie-FUL and Cookieless Sessions. The only data sent back and forth from
the client is the Session ID. This identifies the Session on the server that
belongs to the client at the time. So, you don't need to be concerned at
all. :)

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
http://www.takempis.com
The more I learn, the less I know.
 
C

Chris Jackson

Side-note: it's also easier to socially engineer a session hijacking using
cookieless sessions. "Can you send me a link to that?" - now, the bad guy
has hijacked your session, and, for the purpose of the application, is you.
No packet sniffing or local access needed.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

<sessionState cookieless="true" /> 13
CSS File does not really work? 1
How does creating connection pooling work with multiple client requests? 0
How do I make this craftinfsystem Work 1
How does DataFrame.interpolation() work (in its source code)? 0
SQL Server session state not working unless cookieless=true 1
Cookieless sessions - ISAPI dll failing? 5
sessionState cookieless and forms cookieless 2

Members online

No members online now.
Total: 27 (members: 0, guests: 27)
Robots: 316

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,007
Latest member
obedient dusk

Latest Threads

Top