In web development, when session state is enabled, a session ID is stored in a cookie (in cookieless mode, the query string is used instead). In ASP.NET, the session ID is automatically encrypted. There are so many topics on the Internet saying that you should encrypt your cookies, including the session ID. I can understand why you would want to encrypt personal information like a date of birth, but personal information should not be stored in a cookie in the first place. So for other cookie values like the session ID, what is the purpose of encryption? Does it add any security? No matter how you secure it, it will be sent back to the server for decryption.
To be more specific, for authentication purposes:
- Turn off the session; I do not want to deal with the session timeout any longer.
- Store some type of ID value in the cookie.
- On the server side, check whether the ID value exists and matches; if it does, authenticate the user.
- Allow the cookie value to expire at the end of the browser session.
vs.
The ASP.NET Forms Authentication mechanism (which depends on the session or the session ID, I think).
Does the latter provide better protection?
Attacks that require a valid session ID, such as session hijacking, are not stopped by encrypting the session ID: if you encrypt session IDs, the attacker will simply aim for the encrypted session ID instead, and you gain nothing. Therefore it is useless to encrypt the session ID. Remember that the session ID is just a random value used to identify the session. The attacker does not need to know whether the random value has any meaning; they only need to know the random value.
If you want to secure your session, use HTTPS to encrypt the entire HTTP communication via SSL, and set the cookies with the flags:
- Secure, to send the cookie only via HTTPS, and
- HttpOnly, to deny local access through JavaScript.
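As an added example (not code from the question or the answer above), the following Python script audits `Set-Cookie` header values for the two flags the answer recommends, reporting any cookie that lacks `Secure` or `HttpOnly`. The header lines are constructed for illustration; the cookie names `ASP.NET_SessionId` and `.ASPXAUTH` are the ASP.NET defaults for the session and forms-authentication cookies, and the values are placeholders.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the original question or answer. The header
lines below are constructed for illustration; cookie names follow the
ASP.NET defaults for the session and forms-authentication cookies.
"""

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attributes are returned as a dict with lower-cased keys; flag attributes
    such as Secure and HttpOnly (which carry no value) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attributes


def missing_flags(header_value):
    """Return the required flags that are absent from one Set-Cookie header."""
    _, _, attributes = parse_set_cookie(header_value)
    return [flag for flag in REQUIRED_FLAGS if attributes.get(flag) is not True]


def audit(headers):
    """Map each cookie name to its missing flags; an empty list means it passes."""
    report = {}
    for header_value in headers:
        name, _, _ = parse_set_cookie(header_value)
        report[name] = missing_flags(header_value)
    return report


# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=constructed-session-id; path=/; HttpOnly",
    ".ASPXAUTH=constructed-ticket; path=/; secure; HttpOnly",
    "prefs=dark; path=/; expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

The check is deliberately independent of the cookie's value: as the answer points out, what protects the session ID is the transport (HTTPS plus `Secure`) and keeping it away from scripts (`HttpOnly`), not whether the value itself is encrypted. In the sample, the session cookie is flagged for the missing `Secure` attribute, the forms-authentication cookie passes, and the preference cookie lacks both flags.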