A
anshul
Can somebody tell me about state management in asp.net
using Query Strings.
I am just unable to understand this.
Anshul
using Query Strings.
I am just unable to understand this.
Anshul
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
C
Chris Jackson
Can somebody tell me about state management in asp.net
Here's how it works:
You want to remember a couple of things about a user - for example, their
favorite color and their atm card pin.
Now, you could use both in the query string, having:
http://www.mysite.com/default.aspx?color=orange&atm=0000
However, your users probably don't want to be sending their atm card pin
number back and forth across the wire, or showing up in all of their URLs.
They would rather keep that quiet. So, you create a little mailbox on the
server to store this information, and the only thing you have to do in order
to figure out which mailbox to go to is the mail box ID.
So, I create a mailbox #5150 for you. I then store in this mailbox two
variables: color=orange and atm=0000. Now, I just need you to tell me what
mailbox to go to - I no longer send this information back and forth.
Traditionally, you would store this information in a cookie - a small bit of
text that is transmitted back and forth with each request to a particular
site. But, a lot of people turn cookies off, and this could break your site.
Consequently, people figure out other ways to send this mailbox ID back and
forth. One way is to put it into a hidden form field. the other is to put it
into the querystring. Now, your querystring is:
http://www.mysite.com/default.apsx?mailboxID=5150
Once I get to the server, I know exactly which mailbox to open and get the
information about you.
Now, just call those mailboxes Sessions, and there you have it.
Of course, you can also see the security implications. You can't just grab
information off of the wire. However, using cookies, you could sniff packets
to see what the Session ID is, and then create a new cookie using this
session ID. It's hard, but not impossible. With a hidden form field
solution, all you have to do is view source - a little bit easier to craft a
request like this if you want to hijack somebody's session. With a
QueryString solution, all you have to do is convince somebody to send you a
link to something. If you aren't thinking, or aren't aware of this important
tidbit of information existing in that link, you could very easily hand
somebody over the ability to be you on that application without even having
to try very hard.
If you want to prevent hackers from session hijacking, you need to consider
SSL as part of your total solution.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
using Query Strings.
I am just unable to understand this.
Here's how it works:
You want to remember a couple of things about a user - for example, their
favorite color and their atm card pin.
Now, you could use both in the query string, having:
http://www.mysite.com/default.aspx?color=orange&atm=0000
However, your users probably don't want to be sending their atm card pin
number back and forth across the wire, or showing up in all of their URLs.
They would rather keep that quiet. So, you create a little mailbox on the
server to store this information, and the only thing you have to do in order
to figure out which mailbox to go to is the mail box ID.
So, I create a mailbox #5150 for you. I then store in this mailbox two
variables: color=orange and atm=0000. Now, I just need you to tell me what
mailbox to go to - I no longer send this information back and forth.
Traditionally, you would store this information in a cookie - a small bit of
text that is transmitted back and forth with each request to a particular
site. But, a lot of people turn cookies off, and this could break your site.
Consequently, people figure out other ways to send this mailbox ID back and
forth. One way is to put it into a hidden form field. the other is to put it
into the querystring. Now, your querystring is:
http://www.mysite.com/default.apsx?mailboxID=5150
Once I get to the server, I know exactly which mailbox to open and get the
information about you.
Now, just call those mailboxes Sessions, and there you have it.
Of course, you can also see the security implications. You can't just grab
information off of the wire. However, using cookies, you could sniff packets
to see what the Session ID is, and then create a new cookie using this
session ID. It's hard, but not impossible. With a hidden form field
solution, all you have to do is view source - a little bit easier to craft a
request like this if you want to hijack somebody's session. With a
QueryString solution, all you have to do is convince somebody to send you a
link to something. If you aren't thinking, or aren't aware of this important
tidbit of information existing in that link, you could very easily hand
somebody over the ability to be you on that application without even having
to try very hard.
If you want to prevent hackers from session hijacking, you need to consider
SSL as part of your total solution.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.
Similar Threads
Forum statistics
Latest Threads
-
Stephanie Beaudeau Emsworth is Running a Prostitution Ring
- Started by verona
-
Reverse search for a website
- Started by DRCM
-
What are the key advantages of using a SaaS (Software as a Service) model for application development?
- Started by remotedevelopers
-
How to build a database-driven web page
- Started by av3mar1a153
-
Hola
- Started by luuciefer
-
Using a DTSX file with GoDaddy
- Started by IBMJunkman
-
Hello Everyone
- Started by welly