How secure are session variables?

Giles

Example:
session("IsLoggedIn")=false
Can this be changed on the user's machine by editing the cookie directly?
(Please tell me it can't!).
If so, will ASP know it has been tampered with, and refuse to "accept" it if
changed to "true" ?
Thanks
Giles

Steven Burn 2005-05-28, 7:47 am

Session cookies are stored in the server's memory, not on the client
machine.
--
Regards
Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk
Keeping it FREE!

"Giles" <Giles@NoSpam.com> wrote in message
news:OexoDz3YFHA.2076@TK2MSFTNGP15.phx.gbl...
> Example:
> session("IsLoggedIn")=false
>
> Can this be changed on the user's machine by editing the cookie
> directly?
> (Please tell me it can't!).
> If so, will ASP know it has been tampered with, and refuse to "accept"
> it if
> changed to "true" ?
> Thanks
> Giles
>
>

Bob Barrows [MVP] 2005-05-28, 7:47 am

Giles wrote:
> Example:
> session("IsLoggedIn")=false
>
> Can this be changed on the user's machine by editing the cookie
> directly? (Please tell me it can't!).
> If so, will ASP know it has been tampered with, and refuse to
> "accept" it if changed to "true" ?
> Thanks
> Giles
Session variables are not stored on the client PC: they are stored in the
server's memory, which is one reason indiscriminate use of session variables
can impair performance.
The only thing stored on the client is a session cookie containing the
session id.
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

Dave Anderson 2005-05-28, 7:47 am

Steven Burn wrote:
> Session cookies are stored in the server's memory,
> not on the client machine.
Not quite. The *variables* are stored on the server. The *cookie* is kept on
the client (and passed in the request/response headers). Session cookies are
transient, so they typically are kept in memory until the browser closes,
BUT...
How the client handles transient cookies is completely beyond the server's
(and thus the application's) control.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.