I've developed a website which has a secure logon and utilises SSL.
Currently, the way I maintain state is by using the SessionID - I do not
store objects or data directly in the Session object, but have a server
side session table held on SQL linked via sessionID. The data held in this
table is also encrypted. My main question is, is using the SessionID to
provide a link between user and server secure? I've read stuff briefly on
Session cookie hijacking etc. Given that I validate my users within
each function (in VB COM) against the SessionID, I would like to know if
using this is secure. If not, I presume generating a session token on
website entry and holding it in the querystring is the best way.
Thanks in advance.