Decrypt Session objects?

Stefan

Hi!
I just want to know if it's common to decrypt a Session-Object in an
ASP.NET application.
My colleague says that I don't have to do this because the information is
stored on the server.
Any suggestions?
 
Session state is stored on the server side, so you don't need to use any
crypto on it. The actual session id is sent down to the client in the form
of a cookie and re-read on return to the site to actually hook up the user's
Session state with the running code (Page instance).
 
So Session hijacking isn't an issue?

Justin Rogers said:
Session state is stored on the server side, so you don't need to use any
crypto on it. The actual session id is sent down to the client in the form
of a cookie and re-read on return to the site to actually hook up the user's
Session state with the running code (Page instance).
 
Session hijacking is always an issue if your network traffic can be
compromised - and on the web it usually can - which is why you have
encrypted viewstate in .NET, and SSL to fall back on should you require it.
However, it's not usually something you worry about unless your transactions
are mission critical or financial, then not using enhanced security is a
real foolish thing to do.

Have a read of this, it's a very good explanation of your concerns.

http://msdn.microsoft.com/chats/vstudio/vstudio_121201.asp

--
Regards

John Timney (Microsoft ASP.NET MVP)
----------------------------------------------
<shameless_author_plug>
Professional .NET for Java Developers with C#
ISBN:1-861007-91-4
Professional Windows Forms
ISBN: 1861005547
Professional JSP 2nd Edition
ISBN: 1861004958
Professional JSP
ISBN: 1861003625
Beginning JSP Web Development
ISBN: 1861002092
</shameless_author_plug>
----------------------------------------------
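
An added example, not part of any post in this thread: a small audit of the `Set-Cookie` headers that carry the session id, flagging responses where the id could travel over unencrypted HTTP. It assumes ASP.NET's default cookie name `ASP.NET_SessionId`; the URLs and cookie values are constructed samples, and the `HttpOnly` check goes slightly beyond what the replies above discuss.

```python
from dataclasses import dataclass

SESSION_COOKIE = "ASP.NET_SessionId"  # assumption: ASP.NET's default cookie name

@dataclass
class Finding:
    url: str
    issue: str

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_session_cookie(url, set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Return findings for a response that issued the session cookie."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue  # only the session id cookie is of interest here
        if not url.lower().startswith("https://"):
            findings.append(Finding(url, "session id issued over plain HTTP"))
        if "secure" not in attrs:
            findings.append(Finding(url, "missing Secure: cookie is also sent over HTTP"))
        if "httponly" not in attrs:
            findings.append(Finding(url, "missing HttpOnly: cookie readable by page script"))
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("http://shop.example/login.aspx",
     ["ASP.NET_SessionId=abc123constructed; path=/"]),
    ("https://shop.example/login.aspx",
     ["theme=dark; path=/",
      "ASP.NET_SessionId=def456constructed; path=/; secure; HttpOnly"]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        for f in audit_session_cookie(url, headers):
            print(f"{f.url}: {f.issue}")
```
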
 
Many thanks!