Wrox Programmer Forums
BOOK: ASP.NET 2.0 Instant Results ISBN: 978-0-471-74951-6
This is the forum to discuss the Wrox book ASP.NET 2.0 Instant Results by Imar Spaanjaars, Paul Wilton, Shawn Livermore; ISBN: 9780471749516
  #1 (permalink)  
Old August 8th, 2007, 01:57 PM
run
Registered User
 
Join Date: Jul 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Best security practises?

I just began reading this book and am questioning the way security is handled in the first example (The Online Diary and Organizer).
You just save the clear text DiaryID in a Session variable (Cookie).
Wouldn't it be extremely easy to modify the Cookie and now have access to areas you are not allowed into?
Am I wrong here?

What is the best way to do this correctly?

  #2 (permalink)  
Old August 8th, 2007, 02:09 PM
Imar
Wrox Author
Points: 72,073, Level: 100
Activity: 0%
 
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,587 Times in 1,563 Posts
Default

Hi there,

A Session variable is not the same as a cookie. A session variable lives *at the server*, but is identified with a cookie that lives *at the client*.

So, a session variable in clear text is only visible as clear text on the server, which makes it pretty difficult to hack.

Of course, replay attacks enable you to replay someone else's session, but that would equally apply to encrypted or hashed session variables.

So, generally, session variables are reasonably safe.

Cheers,

Imar

---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
  #3 (permalink)  
Old August 8th, 2007, 03:43 PM
run
Registered User
 
Join Date: Jul 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I see - didn't know that. I thought session variables were similar to cookies.

  #4 (permalink)  
Old August 8th, 2007, 03:54 PM
Imar
Wrox Author
Points: 72,073, Level: 100
Activity: 0%
 
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,587 Times in 1,563 Posts
Default

They're related, but not the same. You can see session state as a big bag of stuff you can keep at the server. In this bag (stored in a server's memory or in a database) you can store stuff like simple strings to complex object types.

Each bag is identified by a unique ID (the Session ID). This ID is sent to the user and stored in a cookie (or in the querystring) to uniquely connect each bag of session variables to a user. With each request, the browser sends over the session ID from the cookie which ASP.NET then uses to find the right bag, containing the stuff that belongs to the current user.

Cheers,

Imar

---------------------------------------
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
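The two replies above describe the split between the server-side "bag" and the cookie that only names it. The following is an added illustration of that split, not code from the book or from ASP.NET: a constructed in-memory session store in Python stands in for ASP.NET session state, and the only thing written to the client is a random session ID under the real default ASP.NET cookie name `ASP.NET_SessionId`. The DiaryID never leaves the server, so a client that edits its cookie value simply names no session bag and gets nothing back. The store, the function names and the DiaryID value 42 are all assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for ASP.NET session state: the "bag of stuff" lives at the server,
# keyed by an opaque session ID. Only the ID is ever sent to the browser.
_sessions: dict[str, dict] = {}

COOKIE_NAME = "ASP.NET_SessionId"  # the real default ASP.NET session cookie name


def create_session(diary_id: int) -> str:
    """Create a server-side session bag holding the DiaryID and return the session ID.

    The ID is 128 bits of CSPRNG output, so it is neither guessable nor derived
    from the DiaryID it protects (assumed value for the example: 42).
    """
    session_id = secrets.token_urlsafe(16)
    _sessions[session_id] = {"DiaryID": diary_id}
    return session_id


def build_set_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value the server sends to the client.

    Note what is NOT in here: no DiaryID, no role, no username. HttpOnly keeps the
    ID away from page script and Secure keeps it off plaintext HTTP, which is the
    mitigation for the replay/hijack risk the thread mentions.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def lookup_diary_id(cookie_header: str):
    """Server side: resolve an incoming Cookie header to the DiaryID in the session bag.

    Returns None when the cookie is absent or its value names no live session, so an
    edited cookie value cannot select a different user's data.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    session = _sessions.get(morsel.value)
    if session is None:
        return None
    return session.get("DiaryID")


def demo() -> dict:
    """Walk through the exchange: issue a session, then resolve a genuine and an edited cookie."""
    sid = create_session(diary_id=42)
    set_cookie = build_set_cookie_header(sid)
    return {
        "set_cookie": set_cookie,
        "diary_id_in_cookie": "DiaryID" in set_cookie,        # False: it stayed on the server
        "genuine_cookie": lookup_diary_id(f"{COOKIE_NAME}={sid}"),  # 42
        "edited_cookie": lookup_diary_id(f"{COOKIE_NAME}=7"),      # None: no such bag
        "no_cookie": lookup_diary_id(""),                          # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check a practitioner cares about is the one `lookup_diary_id` performs: authorization is decided from data the server wrote, never from data the client sent. What the client can still do is present a session ID it obtained some other way, which is why the ID must be random and why the cookie carries HttpOnly and Secure; that is the replay caveat Imar raises, and it applies regardless of how the session contents are stored.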