Can somebody tell me about state management in ASP.NET using query strings?
I am just unable to understand this.
Here's how it works:
You want to remember a couple of things about a user - for example, their
favorite color and their atm card pin.
Now, you could use both in the query string, having:
http://www.mysite.com/default.aspx?color=orange&atm=0000
However, your users probably don't want to be sending their atm card pin
number back and forth across the wire, or showing up in all of their URLs.
They would rather keep that quiet. So, you create a little mailbox on the
server to store this information, and the only thing you have to do in order
to figure out which mailbox to go to is the mail box ID.
So, I create a mailbox #5150 for you. I then store in this mailbox two
variables: color=orange and atm=0000. Now, I just need you to tell me what
mailbox to go to - I no longer send this information back and forth.
Traditionally, you would store this information in a cookie - a small bit of
text that is transmitted back and forth with each request to a particular
site. But, a lot of people turn cookies off, and this could break your site.
Consequently, people figure out other ways to send this mailbox ID back and
forth. One way is to put it into a hidden form field. The other is to put it
into the querystring. Now, your querystring is:
http://www.mysite.com/default.aspx?mailboxID=5150
Once I get to the server, I know exactly which mailbox to open and get the
information about you.
Now, just call those mailboxes Sessions, and there you have it.
Of course, you can also see the security implications. You can't just grab
information off of the wire. However, using cookies, you could sniff packets
to see what the Session ID is, and then create a new cookie using this
session ID. It's hard, but not impossible. With a hidden form field
solution, all you have to do is view source - a little bit easier to craft a
request like this if you want to hijack somebody's session. With a
QueryString solution, all you have to do is convince somebody to send you a
link to something. If you aren't thinking, or aren't aware of this important
tidbit of information existing in that link, you could very easily hand
somebody over the ability to be you on that application without even having
to try very hard.
If you want to prevent hackers from session hijacking, you need to consider
SSL as part of your total solution.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
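A small illustration of the mailbox model described in the answer above, added here and not part of the original post: a session store looked up by the ID carried in a cookie or in the query string, plus a log check a defender could run to spot IDs that travel in URLs and get reused from elsewhere. The log lines, hostnames, the `mailboxID` parameter name and the `SESSIONS` table are constructed assumptions, not ASP.NET's own API.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Server-side "mailboxes" (constructed): only the mailbox ID crosses the wire.
SESSIONS = {"5150": {"color": "orange", "atm": "0000"}}


def session_id_from_request(url, cookie_header=""):
    """Find the mailbox ID: cookie first, then the query string (the
    cookieless fallback the post describes). Returns (id, source)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "mailboxID" and value:
            return value, "cookie"
    qs = parse_qs(urlsplit(url).query)
    if qs.get("mailboxID"):
        return qs["mailboxID"][0], "querystring"
    return None, None


def lookup(url, cookie_header=""):
    """Open the mailbox named by the request; None if there is no valid ID."""
    sid, source = session_id_from_request(url, cookie_header)
    return SESSIONS.get(sid), source


# Constructed access-log lines: client IP, request line, status, Referer.
LOG = [
    '10.0.0.5 "GET /default.aspx?mailboxID=5150 HTTP/1.1" 200 "-"',
    '10.0.0.5 "GET /help.aspx HTTP/1.1" 200 "-"',
    '203.0.113.9 "GET /default.aspx?mailboxID=5150 HTTP/1.1" 200 '
    '"http://forum.example.net/thread/42"',
]
LOG_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" \d+ "([^"]*)"')


def find_exposed_sessions(lines, own_host="www.mysite.com"):
    """Defender-side audit: a session ID in the query string is logged in
    clear; one seen from more than one client IP, or arriving with a foreign
    Referer, suggests the link (and the session) was handed to someone else."""
    seen = {}  # session id -> set of client IPs that presented it
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, referer = m.groups()
        sid, source = session_id_from_request(path)
        if source != "querystring":
            continue
        seen.setdefault(sid, set()).add(client)
        if len(seen[sid]) > 1:
            findings.append((sid, "reused from " + client))
        ref_host = urlsplit(referer).hostname
        if ref_host and ref_host != own_host:
            findings.append((sid, "foreign referer " + ref_host))
    return findings
```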