MattC
Hi,
I have an open question regarding any issues anyone has had regarding
cookieless session management on a webfarm. My concern is that we had a user
able to see the contents of another user's session, their basket effectively.
Set up:
Two webservers running IIS6.
enableviewstatemac has been left in default state of on.
Identical machine key settings.
Identical website IDs in IIS.
Identical Web.config as the websites are load balanced over a distributed
filesystem.
Both using out-of-proc state management on a third server.
Server has had registry altered to allow remote connection to aspnet_state
service.
I don't understand, short of a random bug in the session service, how one
user can get another's without (and here's the caveat) sending their URL
munged querystring to the other user.
I would really appreciate any advice and/or experiences any of you have had
with maintaining a secure out of process session while attempting to not
rely on cookies for sessionID storage.
Worst case scenario I will return to using a cookie based management method.
TIA
MattC
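An added example, not from the post or from Microsoft's own documentation, showing the cookieless sessionState setting that puts the session ID in the URL next to the cookie-based setting the poster mentions falling back to. It assumes the ASP.NET 2.0 web.config schema (httpCookies is not available in 1.1); the state server address and machineKey values are placeholders.

```xml
<!-- Placeholder addresses and keys; replace with the farm's own values. -->
<configuration>
  <system.web>

    <!-- Weak: cookieless="true" carries the session ID in the URL path
         (/(S(...))/page.aspx). A copied link, a Referer header or a proxy
         log then hands the ID to whoever sees it, and any server in the
         farm resolves it to the same StateServer session. -->
    <!--
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=STATE-SERVER-PLACEHOLDER:42424"
                  cookieless="true"
                  timeout="20" />
    -->

    <!-- Corrected: keep the ID in a cookie that page script cannot read and
         that is only sent over HTTPS, so the URL carries nothing secret. -->
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=STATE-SERVER-PLACEHOLDER:42424"
                  cookieless="false"
                  timeout="20" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Must be identical on every web server in the farm (as the poster
         already has it): explicit keys, never AutoGenerate, so all servers
         validate the same tickets and viewstate. -->
    <machineKey validationKey="VALIDATION-KEY-PLACEHOLDER"
                decryptionKey="DECRYPTION-KEY-PLACEHOLDER"
                validation="SHA1" />

  </system.web>
</configuration>
```

Whichever mode is used, the state server accepts any well-formed session ID presented to it, so the protection of the ID in transit (cookie flags, HTTPS) is what keeps one user's basket from being reachable by another.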