T
Tom Pester
I experimented/researched cookieless sessions and tried it on my website.
I expected the switch to cookieless sessions to be transparent but this isn'
t the case at all:
1) Forms based authentication doesn't work
I read that the Whidbey release will support this and you can make it work
today:
http://www.codeproject.com/aspnet/cookieless.asp
Still, it's a showstopper for most websites
2) You can't use absolute links
I think developers use this lot (at least I do to make the link callable
from every place in the site, including other directories)
I can understand a bit why fully qualified URL's aren't supported but why is
it so hard to support absolute ones. Can anyone clarify this?
Again there is a nontransparent solution: Response.ApplyAppPathModifier
3) There is a major security risk
See:
http://builder.com.com/5100-6387-1044869.html
And
http://groups.google.com/groups?hl=...&q=cookieless+asp.net+alternative&sa=N&tab=wg
No workaround possible I think
(I expected more from Microsoft but as always they will fix this after some
releases.)
My questions:
- Who uses cookieless state in a production website? Are you satisfied with
the results?
- Can someone, with more experience then me, confirm my 3 points (possibly
someone from Microsoft)
- Is there a 3rd party solution that makes cookieless websites a real
choice? (No app changes is meant by this)
For now I stay away from cookieless mode since it involves application
changes and a big security risk.
Please say that I am wrong
I expected the switch to cookieless sessions to be transparent but this isn'
t the case at all:
1) Forms based authentication doesn't work
I read that the Whidbey release will support this and you can make it work
today:
http://www.codeproject.com/aspnet/cookieless.asp
Still, it's a showstopper for most websites
2) You can't use absolute links
I think developers use this lot (at least I do to make the link callable
from every place in the site, including other directories)
I can understand a bit why fully qualified URL's aren't supported but why is
it so hard to support absolute ones. Can anyone clarify this?
Again there is a nontransparent solution: Response.ApplyAppPathModifier
3) There is a major security risk
See:
http://builder.com.com/5100-6387-1044869.html
And
http://groups.google.com/groups?hl=...&q=cookieless+asp.net+alternative&sa=N&tab=wg
No workaround possible I think
(I expected more from Microsoft but as always they will fix this after some
releases.)
My questions:
- Who uses cookieless state in a production website? Are you satisfied with
the results?
- Can someone, with more experience then me, confirm my 3 points (possibly
someone from Microsoft)
- Is there a 3rd party solution that makes cookieless websites a real
choice? (No app changes is meant by this)
For now I stay away from cookieless mode since it involves application
changes and a big security risk.
Please say that I am wrong