how does cookieless = true work


Grant

Can anyone explain to me how session state with cookieless = true works?
Where is the information stored in the URL? I am concerned that someone can
use that to their advantage (a hacker). I have session state set to StateServer,
so does that make any difference?



Thanks

Grant
 
Grant,

Yes, then the session ID is stored in the URL.

Normally the session id is stored in a cookie on the user's machine.

There is no difference if sessions are stored on the server or on a state
server as long as the page receives the session id from the client in one
form or another.

I'm not positive if there are any security repercussions if the session id
is in the url vs. a cookie.

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 
What you store in the URL is the session ID of the current session. The
danger is session hijacking - somebody can use your session ID to pretend to
be you. In this case, the session ID is both in plain view (in the URL) and
stored on the hard drive, neither of which is true if you are using session
cookies. So it's a little bit easier to steal somebody's session, but it's
not as if they are otherwise unable to do so. If you have a truly dedicated
hacker, sniffing packets will reveal both being sent over the wire in
unencrypted text, so if your information is valuable, make sure you are
using HTTPS. With a secure connection, everything will be encrypted.
 
The actual Session data never leaves the server. This is true of both
Cookie-FUL and Cookieless Sessions. The only data sent back and forth from
the client is the Session ID. This identifies the Session on the server that
belongs to the client at the time. So, you don't need to be concerned at
all. :)

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
http://www.takempis.com
The more I learn, the less I know.
 
Side-note: it's also easier to socially engineer a session hijacking using
cookieless sessions. "Can you send me a link to that?" - now, the bad guy
has hijacked your session, and, for the purpose of the application, is you.
No packet sniffing or local access needed.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
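The configuration the thread is discussing, side by side with the cookie-based form the replies recommend. This is an added example, not part of any post above and not Microsoft's documentation; the state-server host name is a placeholder, and the sample URL shown in the comment is constructed to illustrate where ASP.NET places the session ID when cookieless mode is on.

```xml
<!-- Added example (not from the thread). Two web.config fragments for an ASP.NET
     application whose session data lives in the out-of-process state service.
     STATE_SERVER_HOST is a placeholder; 42424 is the state service's default port. -->

<!-- Fragment 1: the setting the original poster describes. ASP.NET rewrites every
     URL so that the session ID rides in the path, e.g. (constructed sample):
       http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orders.aspx
     Whoever obtains that URL (a forwarded link, a proxy or web-server log, browser
     history, a Referer header sent to another site) holds the session, which is the
     hijacking risk the replies point out. The session data itself still stays on
     the state server; only the ID travels. -->
<system.web>
  <sessionState mode="StateServer"
                stateConnectionString="tcpip=STATE_SERVER_HOST:42424"
                cookieless="true"
                timeout="20" />
</system.web>

<!-- Fragment 2: same StateServer back end, but the session ID returns to a cookie.
     cookieless="UseCookies" is the ASP.NET 2.0+ spelling of cookieless="false" and
     never falls back to the URL. httpOnlyCookies keeps script from reading the
     cookie; requireSSL keeps it off plaintext connections, matching the advice
     above to use HTTPS so the ID is not readable on the wire. -->
<system.web>
  <sessionState mode="StateServer"
                stateConnectionString="tcpip=STATE_SERVER_HOST:42424"
                cookieless="UseCookies"
                timeout="20" />
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

With the second fragment, a shared link no longer carries the session, which removes the "can you send me a link to that?" case entirely; the remaining exposure is the cookie itself, which HttpOnly and Secure narrow to the browser's own HTTPS requests.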
 