cookieless session? Who has it working?

From: Tom Pester (tmspm_at_hotmail.com)
Date: 02/22/04


Date: Sun, 22 Feb 2004 21:40:36 +0100

I experimented/researched cookieless sessions and tried it on my website.
I expected the switch to cookieless sessions to be transparent but this isn't
the case at all:

1) Forms based authentication doesn't work
I read that the Whidbey release will support this and you can make it work
today:
http://www.codeproject.com/aspnet/cookieless.asp
Still, it's a showstopper for most websites

2) You can't use absolute links
I think developers use this a lot (at least I do, to make the link callable
from every place in the site, including other directories).
I can understand a bit why fully qualified URLs aren't supported, but why is
it so hard to support absolute ones? Can anyone clarify this?
Again there is a nontransparent solution: Response.ApplyAppPathModifier

3) There is a major security risk
See:
http://builder.com.com/5100-6387-1044869.html
And
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&safe=off&threadm=e5%24C9YK6DHA.2416%40TK2MSFTNGP10.phx.gbl&rnum=4&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26safe%3Doff%26q%3Dcookieless%2Basp.net%2Balternative%26sa%3DN%26tab%3Dwg

No workaround possible I think

(I expected more from Microsoft but as always they will fix this after some
releases.)

My questions:
- Who uses cookieless state in a production website? Are you satisfied with
the results?
- Can someone with more experience than me confirm my 3 points (possibly
someone from Microsoft)?
- Is there a 3rd party solution that makes cookieless websites a real
choice? (No app changes is meant by this)

For now I stay away from cookieless mode since it involves application
changes and a big security risk.

Please say that I am wrong :)


