Session hijacking is always an issue if your network traffic can be
compromised - and on the web it usually can - which is why you have
encrypted viewstate in .NET, and SSL to fall back on should you require it.
However, its not usually something you worry about unless your transactions
are mission critical or financial, then not using enhanced security is a
real foolish thing to do.
Have a read of this, its a very good explanation of your concerns.
http://msdn.microsoft.com/chats/vstu...dio_121201.asp
--
Regards
John Timney (Microsoft ASP.NET MVP)
----------------------------------------------
<shameless_author_plug>
Professional .NET for Java Developers with C#
ISBN:1-861007-91-4
Professional Windows Forms
ISBN: 1861005547
Professional JSP 2nd Edition
ISBN: 1861004958
Professional JSP
ISBN: 1861003625
Beginning JSP Web Development
ISBN: 1861002092
</shameless_author_plug>
----------------------------------------------
"Stefan" <sh****@steffsworld.ch> wrote in message
news:#2**************@tk2msftngp13.phx.gbl...
So Session hijacking isn't an issue?
"Justin Rogers" <Ju****@games4dotnet.com> wrote in message
news:uh**************@TK2MSFTNGP12.phx.gbl... Session state is stored on the server side, so you don't need to use any
crypto on it. The actual session id is sent down to the client in the
form of a cookie and re-read on return to the site to actually hook up the
user's Session state with the running code (Page instance).
--
Justin Rogers
DigiTec Web Consultants, LLC.
"Stefan" <sh****@steffsworld.ch> wrote in message
news:eE**************@TK2MSFTNGP11.phx.gbl... Hi!
I just want to know if it's common to decrypt a Session-Object in a
ASP.NET application.
My collegue says that I have not do this because the information is
stored on the server.
Any suggestions?
