Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB by Stefan Schackow, Bilal Haidar

8.12. Summary

Although session state is usually considered just a handy item in the developer's arsenal of ASP.NET tools, there are a number of subtle security issues to keep in mind. ASP.NET 2.0 and ASP.NET 3.5 include cookieless support for the session state feature. However, as with other features that support cookieless behavior, cookieless tickets can be leaked accidentally, and that is a real risk. As a result, if you choose cookieless sessions, do not store any private or privileged information in session state; this minimizes the impact if another user accidentally reuses a cookieless session ticket.

Session state has the concept of session ID reuse. In cookied modes, session IDs are shared across all applications running under a common DNS host name. This means that even if you call Session.Abandon in one application, the session identifier remains in the cookie and the identifier continues to be used by all applications. However, in the application where Abandon was called, the session data is deleted, so you end up with fresh session data the next time the user returns to that specific application.

For applications that use cookieless session identifiers, ASP.NET session state doesn't reuse session identifiers by default. Instead, if you call Abandon or access an application with an expired session identifier, session state detects this and issues a new session identifier. This behavior is intended to minimize the potential for a user to accidentally or intentionally use ...
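
The following is an added example, not code from the book: a logout page for the cookied case described above. Session.Abandon deletes this application's session data but leaves the old identifier in the shared ASP.NET_SessionId cookie, so the page replaces the identifier with a freshly generated one; the page class name and the redirect target are assumptions.

```csharp
// Added example (not from the book): abandon the session and replace the
// session identifier so the old ID no longer lingers in the cookie that is
// shared by every application under the same DNS host name.
using System;
using System.Web;
using System.Web.SessionState;

public partial class Logout : System.Web.UI.Page   // hypothetical page class
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Deletes this application's session data at the end of the request,
        // but in cookied mode the ASP.NET_SessionId cookie still carries the
        // old identifier, which sibling applications keep using.
        Session.Abandon();

        // Generate a new identifier with the default SessionIDManager and
        // write it to the session cookie, so the abandoned ID is not presented
        // again to this or any other application on the host.
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(Context);
        bool redirected;
        bool cookieAdded;
        manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);

        // For the cookieless (URI) mode, the equivalent safeguard is configured
        // in web.config rather than in code; regenerateExpiredSessionId is the
        // default (true) setting that stops expired identifiers being reused:
        //   <sessionState cookieless="UseUri" regenerateExpiredSessionId="true" />

        Response.Redirect("~/Default.aspx");   // assumed landing page
    }
}
```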
