There are only a couple of ways to pass a session key:
1) in a cookie (asp.net)
2) in the url
3) hidden field (though a url is often required for bootstrap)
You're worried about how easy it is to hijack someone's session. In all the
above techniques the session key can be discovered by a network sniffer. So
now that I have the key, how easy is it to use? A sample of a bad session key
is an incrementing number; these are easy to hijack.
-- bruce (sqlwork.com)
"A.M" <IH*******@sapm123.com> wrote in message
news:#F**************@TK2MSFTNGP11.phx.gbl...
Hi,
In Architecture and Design Review Security Checklist at following link:
http://msdn.microsoft.com/library/en...es.asp?frame=true&_r=1
I don't understand the following two items:
1) Session state is protected from unauthorized access.
2) Session identifiers are not passed in query strings.
How can unauthorized access to session state happen, and why would I
pass a session identifier in a query string?
Thanks,
Ali
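Two of the points in Bruce's reply can be shown in code: why an incrementing session key is trivially guessable once a single value has been sniffed, and how a session identifier carried in the URL (query string or ASP.NET's cookieless `(S(...))` path segment) ends up in places a cookie never reaches, such as web server access logs. The following is an added example, not code from either poster or from the checklist; the parameter names, the log format and the log lines are constructed for the demonstration.

```python
"""Added example: predictable vs. random session identifiers, and a scan of
access-log lines for session identifiers exposed in request URLs."""
import itertools
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed set of query-parameter names that commonly carry a session id
# (an assumption for this example; extend it for your own application).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "asp.net_sessionid", "jsessionid"}

# Cookieless ASP.NET session state embeds the id in the path as /(S(<id>))/.
COOKIELESS_PATH_RE = re.compile(r"\(S\([A-Za-z0-9]+\)\)")

# Request line inside a common access-log format: "GET /path?x=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def weak_session_ids(start=1000):
    """The bad scheme from the post: an incrementing counter."""
    return itertools.count(start)


def predict_next_weak(observed):
    """Two sniffed consecutive counter values are enough to guess the next id."""
    a, b = observed[-2], observed[-1]
    return b + (b - a)


def new_session_id(nbytes=16):
    """128 bits from the OS CSPRNG, URL- and cookie-safe (22 chars for 16 bytes)."""
    return secrets.token_urlsafe(nbytes)


def session_ids_in_url(url):
    """Return the places in a request URL that carry a session identifier."""
    parts = urlsplit(url)
    found = [name for name in parse_qs(parts.query) if name.lower() in SESSION_PARAM_NAMES]
    if COOKIELESS_PATH_RE.search(parts.path):
        found.append("(S(...)) path segment")
    return found


def scan_access_log(lines):
    """Return (line_no, url, findings) for each logged request that exposes a session id."""
    results = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        found = session_ids_in_url(match.group(1))
        if found:
            results.append((line_no, match.group(1), found))
    return results


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /home.aspx HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /cart.aspx?sessionid=1001&item=42 HTTP/1.1" 200 734',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /(S(lit3py55t21z5v55vlm25s55))/orderform.aspx HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    sniffed = list(itertools.islice(weak_session_ids(), 2))
    print("weak ids seen:", sniffed, "-> next will be", predict_next_weak(sniffed))
    print("strong id:", new_session_id())
    for line_no, url, found in scan_access_log(SAMPLE_LOG):
        print(f"log line {line_no}: {url} exposes {found}")
```

The scan is the kind of check an operator can run against existing logs to find out whether item 2 of the checklist is already being violated; a session id that appears in a log file, a proxy cache or a Referer header is as good as sniffed. Switching the identifier to `secrets.token_urlsafe` addresses the second half of Bruce's point: with 128 random bits, seeing one id tells an attacker nothing about any other.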