Session Vars vs. Hidden Fields and SSL

Jeff

....still new to .net 2005 using VB.

Do I understand correctly that the value of a session variable is actually stored in the server's ram, but relies on the asp.net
session ID cookie that temporarily is placed on the client's machine until the session ends? ...so that you can't use session
variables if the client has disabled cookies on their browser? So, this makes session vars much more secure than hidden fields,
which are transmitted to the client's browser and can be viewed simply by opening "view source." So, the hidden fields or query
string methods of passing values across pages will work with cookies disabled, but session vars won't?

Can SSL be used in cases where the client has their cookies completely disabled? If not, then I would assume that there is no
advantage (assuming adequate server ram) to using hidden fields instead of session vars where SSL will eventually be used?

Thanks

jeff
 
Scott M.

> Do I understand correctly that the value of a session variable is actually
> stored in the server's ram, but relies on the asp.net
> session ID cookie that temporarily is placed on the client's machine until
> the session ends?

Yes, and this cookie is not like a normal cookie. A "session" cookie is not
written to the client's hard drive; it is also held in RAM of the client by
the browser.

> ...so that you can't use session variables if the client has disabled
> cookies on their browser?

Yes.

> So, this makes session vars much more secure than hidden fields,

I'm not sure that secure is the word for it, since hidden field values are
typically established at the client and sent to the server, not the other
way around.

> which are transmitted to the client's browser and can be viewed simply by
> opening "view source." So, the hidden fields or query
> string methods of passing values across pages will work with cookies
> disabled, but session vars won't?

Yes.

> Can SSL be used in cases where the client has their cookies completely
> disabled?

Yes. SSL has nothing to do with cookies. It has to do with a security
certificate being installed on the server and the https protocol being used
for data transmission that will encrypt what is sent from client to server.

> If not, then I would assume that there is no advantage (assuming adequate
> server ram) to using hidden fields instead of session vars where SSL will
> eventually be used?

SSL really doesn't have anything to do with session variables and cookies.
The former is an encryption technology and the latter are data persistence
schemes.
 
Jeff

Thanks





Scott M. said:
> Yes, and this cookie is not like a normal cookie. A "session" cookie is not
> written to the client's hard drive; it is also held in RAM of the client by
> the browser.
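
The mechanism discussed in this thread, as an added example that is not part of the original posts: a small Python model (not ASP.NET code) of a server-side session store keyed by a cookie, next to a value that round-trips through a hidden field. The class names, the `SessionId` cookie name, the `item` field and the sample values are all hypothetical and constructed for illustration.

```python
import secrets

class Server:
    """Toy model: session values live in server memory, keyed by a cookie ID."""
    COOKIE = "SessionId"  # hypothetical cookie name

    def __init__(self):
        self._sessions = {}  # session ID -> dict of values (server RAM)

    def handle(self, cookies, form=None):
        """One request: returns (cookies to set, session dict, posted hidden value)."""
        sid = cookies.get(self.COOKIE)
        set_cookie = {}
        if sid not in self._sessions:
            # No cookie, or an ID this server never issued: start a new session.
            sid = secrets.token_urlsafe(16)
            self._sessions[sid] = {}
            set_cookie = {self.COOKIE: sid}
        # The hidden field is simply whatever the client chose to post back.
        hidden = (form or {}).get("item")
        return set_cookie, self._sessions[sid], hidden

class Browser:
    """Toy client: the cookie jar is in-memory and can be switched off."""
    def __init__(self, cookies_enabled=True):
        self.cookies_enabled = cookies_enabled
        self.jar = {}

    def request(self, server, form=None):
        set_cookie, session, hidden = server.handle(dict(self.jar), form)
        if self.cookies_enabled:
            self.jar.update(set_cookie)  # only the opaque ID reaches the client
        return session, hidden

def demo():
    server = Server()
    with_cookies, no_cookies = Browser(True), Browser(False)
    # Request 1: the server stores "42" in each client's session.
    for browser in (with_cookies, no_cookies):
        session, _ = browser.request(server)
        session["item"] = "42"
    # Request 2: the page also carried item=42 in a hidden field; the first
    # client changes it before posting, which the server cannot prevent.
    kept, posted = with_cookies.request(server, {"item": "99"})
    lost, _ = no_cookies.request(server, {"item": "42"})
    # Session value survives untouched; hidden value is whatever was posted;
    # the cookie-less client gets a fresh, empty session on every request.
    return kept.get("item"), posted, lost.get("item")

if __name__ == "__main__":
    print(demo())
```

Whether the connection uses SSL changes none of these results, since encryption in transit does not alter who controls the posted value or where the session data is stored.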
 
