Sunday, May 22, 2005
With or Without Cookie!
In his latest article on MSDN, Dino Esposito discusses when cookieless sessions are useful in an ASP.NET application:
"With cookieless sessions, you can now deploy stateful applications that work regardless of the user's preferences about cookies. As of ASP.NET 1.x, though, cookies are still required to implement forms authentication. The good news is that in ASP.NET 2.0 forms authentication can optionally work in a cookieless fashion."
He also discusses when using cookieless sessions can be a problem:
- "Connect to a Web site that uses cookieless sessions—for example, MapPoint—and get a map. At this point, the address is stored in the session state.
- Grab the URL up to the page name. Don't include the query string but make sure the URL includes the session ID.
- Save the URL to a file and copy/send the file to another machine.
- On the second machine, open the file and paste the URL in a new instance of the browser.
- The same map shows up as long as the session timeout is still valid.
With cookieless sessions, stealing session IDs is easier than ever."
Read the complete article here
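
The steps quoted above leave a trace on the server: the same session ID in the URL arrives from a second machine. The following detection sketch is an added example, not code from the article; the log line layout and sample entries are constructed, and the 24-character ID length is assumed to be the ASP.NET default.

```python
import re
from collections import defaultdict

# Cookieless ASP.NET URLs carry the session ID as a path segment:
#   ASP.NET 2.0: /app/(S(<id>))/page.aspx    ASP.NET 1.x: /app/(<id>)/page.aspx
# Assumption: IDs are 24 lowercase alphanumeric characters (the default).
SESSION_SEGMENT = re.compile(r"S\(([a-z0-9]{24})\)|/\(([a-z0-9]{24})\)/")

# Constructed sample log: "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = [
    "2005-05-22T10:00:01 192.0.2.10 GET /maps/(S(lit3py55t21z5v55vlm25s55))/map.aspx?zoom=3",
    "2005-05-22T10:00:09 192.0.2.10 GET /maps/(S(lit3py55t21z5v55vlm25s55))/map.aspx",
    "2005-05-22T10:04:30 198.51.100.7 GET /maps/(S(lit3py55t21z5v55vlm25s55))/map.aspx",
    "2005-05-22T10:05:00 192.0.2.44 GET /maps/(a1b2c3d4e5f6a1b2c3d4e5f6)/map.aspx",
    "2005-05-22T10:05:02 192.0.2.44 GET /maps/default.aspx",
]


def extract_session_id(url):
    """Return the cookieless session ID embedded in a URL path, or None."""
    path = url.split("?", 1)[0]  # the ID lives in the path, not the query string
    match = SESSION_SEGMENT.search(path)
    return (match.group(1) or match.group(2)) if match else None


def shared_sessions(log_lines):
    """Map each session ID seen from more than one client IP to those IPs."""
    clients = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        session_id = extract_session_id(fields[3])
        if session_id:
            clients[session_id].add(fields[1])
    # Several IPs can be legitimate (proxies, roaming clients), so treat a
    # hit as a lead for review rather than proof of a copied URL.
    return {sid: sorted(ips) for sid, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from {', '.join(ips)}")
```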