Cookieless and web applications?

Ily
What are the issues that need to be taken into consideration for
cookieless sessions for a web application?
 
Security. If you allow people to post active links to your
app and you render them as usable links, a user could post
a malicious link that could enable them to gain immediate
access to someone else's live session.

They post a link to a file on their own server. This file
retrieves the HTTP_REFERER value. It will contain
the cookieless session id in the URL. Their script notifies
the attacker and provides the link. They click the link
and they are instantly recognized as the original user.

Not good... And, yes, it does work.

--
2004 and 2005 Microsoft MVP C#
Robbe Morris
http://www.masterado.net

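The attack in the post above, as an added JavaScript example that is not code from the thread or from any poster: the attacker-side "file on their own server" that harvests the session id from the Referer header, a helper showing what a browser actually puts in Referer for a link click under different Referrer-Policy values, and a renderer for user-posted links that suppresses the Referer. The URL layout `/(S(<session id>))/page.aspx` is the ASP.NET cookieless format and is assumed here because the thread never spells it out; the host names, session ids and function names are constructed for the example.

```javascript
'use strict';
// Added example, not code from the thread. Assumes ASP.NET-style cookieless
// URLs of the form https://host/(S(<session id>))/page.aspx (an assumption).
const SESSION_ID_RE = /\/\(S\(([A-Za-z0-9]+)\)\)\//;

// Attacker side: what the "file on their own server" does. It reads the Referer
// the victim's browser sent and pulls the cookieless session id out of it.
function harvestSessionFromReferer(requestHeaders) {
  const referer = requestHeaders['referer'];
  if (!referer) return null;
  const m = SESSION_ID_RE.exec(referer);
  if (!m) return null;
  // The Referer URL itself is the "link" the post talks about: opening it
  // replays the victim's session, no password needed.
  return { sessionId: m[1], hijackUrl: referer };
}

// Browser side: the Referer value sent for a link click from `fromUrl` to `toUrl`
// under a given Referrer-Policy (a subset of the policies in the spec).
// Old browsers, and any page that opts into 'unsafe-url', send the full URL,
// which is the case the post describes.
function refererForNavigation(fromUrl, toUrl, policy = 'strict-origin-when-cross-origin') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const full = from.origin + from.pathname + from.search; // the fragment is never sent
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin': return from.origin + '/';
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : from.origin + '/';
    default: throw new Error('unsupported policy: ' + policy);
  }
}

// Defender side: render a user-posted link so the tokenised page URL is not
// handed to the link target even when the browser would otherwise send it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function renderUserLink(href, text) {
  let u;
  try { u = new URL(href); } catch { return escapeHtml(text); } // not a URL: plain text only
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return escapeHtml(text); // drop javascript: etc.
  // rel="noreferrer" plus the referrerpolicy attribute: no Referer at all for this link.
  return `<a href="${escapeHtml(u.href)}" rel="noreferrer noopener" referrerpolicy="no-referrer">` +
         `${escapeHtml(text)}</a>`;
}

// Walk-through with constructed values; nothing here points at a real site.
const victimPage = 'https://app.example/(S(abc123def456ghi789jkl012))/orders.aspx?view=open';
const attackerPage = 'https://attacker.example/grab';
const leakedReferer = refererForNavigation(victimPage, attackerPage, 'unsafe-url');
console.log(harvestSessionFromReferer({ referer: leakedReferer }));   // session id recovered
console.log(refererForNavigation(victimPage, attackerPage));          // modern default: origin only
console.log(renderUserLink(attackerPage, 'see this'));                 // link that sends no Referer
```

Two caveats a practitioner should keep in mind: `rel="noreferrer"` only protects links your own code renders, so images, meta refreshes, redirects and anything else that causes a cross-site request from the tokenised page still carry the URL, and even with the stricter browser defaults the session id remains in the address bar, browser history, proxy logs and web server logs. The other reply's advice, keeping the session id out of the URL altogether, is the fix that closes all of those at once.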
 
Think eBay. Remember back in the day how it would constantly forget
who you were, and you had to re-login every half dozen page clicks?
That's what you'll get if you implement cookieless sessions wrong.

Check your weblogs for statistics on the browser capabilities of your
typical user. Unless your primary target audience is paranoid
technophobes, you're probably better off doing what every other site on
the internet does to maintain session state. That is, use cookies.

Jason Kester
Expat Software Consulting Services
http://www.expatsoftware.com/
 