February 10th, 2008, 04:48 AM
Imar
Wrox Author

Hi Max,

No, they can't unless you write code that enables them to.

Session variables are stored and accessed with server-side code only. So, if you don't have any code that accepts user input and directly stores it in Session("abcd"), you're OK.

However, it is possible to steal or hijack a session. Not an easy thing to do, though, and involves a lot of knowledge of the system and hacking in general.

But why this work-around? Why not create an Admin role and let ASP.NET handle security as it is designed to do?

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of Beginning ASP.NET 3.5 : in C# and VB, ASP.NET 2.0 Instant Results and Dreamweaver MX 2004
Want to be my colleague? Then check out this post.
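
The pattern the post warns about, next to a server-derived flag and a role check, as an added example that is not part of the original post. The class names, the "Admin" role name and the use of the ASP.NET Membership and Roles providers (enabled in web.config) are assumptions.

```vbnet
Imports System
Imports System.Web.Security
Imports System.Web.UI

' Hypothetical code-behind classes; all names here are illustrative.

' UNSAFE: the session value is server-side, but this code fills it from
' input the visitor controls, so the visitor decides what it contains.
Public Class UnsafePage
    Inherits Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Session("abcd") = Request.QueryString("abcd")
    End Sub
End Class

' SAFER: the flag is only ever set from a server-side decision made
' after the credentials have been verified.
Public Class LoginPage
    Inherits Page

    Protected Function SignIn(ByVal userName As String, ByVal password As String) As Boolean
        If Not Membership.ValidateUser(userName, password) Then
            Session.Remove("abcd")
            Return False
        End If
        ' Value comes from the role store, never from the request.
        Session("abcd") = Roles.IsUserInRole(userName, "Admin")
        FormsAuthentication.SetAuthCookie(userName, False)
        Return True
    End Function
End Class

' ROLE-BASED: no hand-rolled session flag at all; the page asks
' ASP.NET whether the authenticated user is in the Admin role.
Public Class AdminPage
    Inherits Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Not User.IsInRole("Admin") Then
            Response.StatusCode = 403
            Response.End()
        End If
    End Sub
End Class
```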