BOOK: ASP.NET 2.0 Instant Results ISBN: 978-0-471-74951-6
This is the forum to discuss the Wrox book ASP.NET 2.0 Instant Results by Imar Spaanjaars, Paul Wilton, Shawn Livermore; ISBN: 9780471749516
August 8th, 2007, 01:57 PM
run run (Registered User)
Join Date: Jul 2007
Posts: 8

Best security practices?

I just began reading this book and am questioning the way security is handled in the first example (the Online Diary and Organizer).
You just save the clear-text DiaryID in a Session variable (cookie).
Wouldn't it be extremely easy to modify the cookie and then have access to areas you are not allowed into?
Am I wrong here?

What is the best way to do this correctly?

 
August 8th, 2007, 02:09 PM
Imar (Wrox Author)
Join Date: Jun 2003
Posts: 17,089

Hi there,

A Session variable is not the same as a cookie. A session variable lives *at the server*, but is identified with a cookie that lives *at the client*.

So, a session variable in clear text is only visible as clear text on the server, which makes it pretty difficult to hack.

Of course, replay attacks enable you to replay someone else's session, but that would equally apply to encrypted or hashed session variables.

So, generally, session variables are reasonably safe.

Cheers,

Imar

---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
 
August 8th, 2007, 03:43 PM
run run (Registered User)
Join Date: Jul 2007
Posts: 8

I see - I didn't know that. I thought session variables were similar to cookies.

 
August 8th, 2007, 03:54 PM
Imar (Wrox Author)
Join Date: Jun 2003
Posts: 17,089

They're related, but not the same. You can see session state as a big bag of stuff you can keep at the server. In this bag (stored in a server's memory or in a database) you can store anything from simple strings to complex object types.

Each bag is identified by a unique ID (the Session ID). This ID is sent to the user and stored in a cookie (or in the querystring) to uniquely connect each bag of session variables to a user. With each request, the browser sends over the session ID from the cookie which ASP.NET then uses to find the right bag, containing the stuff that belongs to the current user.

Cheers,

Imar

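As an added illustration (not code from the book or from either poster), here is a small Python model of the two designs discussed in this thread: the DiaryID sent back and forth in a cookie, versus the DiaryID kept in a server-side session bag that the client references only through an opaque session ID. The diary table, the cookie values and the tamper() helper are constructed for the demo; the cookie name ASP.NET_SessionId is the ASP.NET default, used here only for recognisability.

```python
import secrets

# Constructed demo data: DiaryID -> diary owner (not data from the book's sample).
DIARIES = {"17": "alice", "42": "bob"}

# --- Design 1: the value itself travels in a cookie (what the first post assumed) ---
def login_with_cookie(diary_id):
    """Return the cookie a naive app would set: the clear-text DiaryID."""
    return {"DiaryID": diary_id}

def owner_from_cookie(cookies):
    """The server trusts whatever DiaryID the browser sends back."""
    return DIARIES.get(cookies.get("DiaryID"))

# --- Design 2: ASP.NET-style session state (the "bag" lives at the server) ---
SESSION_STORE = {}  # session id -> dict of session variables; server memory only

def login_with_session(diary_id):
    """Create a server-side bag holding DiaryID; only an opaque id goes to the client."""
    sid = secrets.token_urlsafe(16)  # unguessable session id, like ASP.NET's
    SESSION_STORE[sid] = {"DiaryID": diary_id}
    return {"ASP.NET_SessionId": sid}

def owner_from_session(cookies):
    """Find the bag by the id in the cookie; the DiaryID itself never leaves the server."""
    bag = SESSION_STORE.get(cookies.get("ASP.NET_SessionId"))
    return DIARIES.get(bag["DiaryID"]) if bag else None

def tamper(cookies, name, value):
    """Simulate a browser whose cookie value was edited before the next request."""
    edited = dict(cookies)
    edited[name] = value
    return edited

def compare():
    """Run one honest and one edited request against each design and report the outcome."""
    c = login_with_cookie("17")
    s = login_with_session("17")
    return {
        "cookie_honest": owner_from_cookie(c),                                   # alice
        "cookie_tampered": owner_from_cookie(tamper(c, "DiaryID", "42")),        # bob: value trusted
        "session_honest": owner_from_session(s),                                 # alice
        "session_tampered": owner_from_session(tamper(s, "ASP.NET_SessionId", "42")),  # None: no such bag
    }

if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Editing the cookie in design 2 only produces an unknown session ID, which is Imar's point; as he also notes, a copied valid session ID would still be accepted, which is why the session ID must be unguessable and protected in transit.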