If using sessionstate cookieless="useuri" then what is security threads ?

Question

0.00/5 (No votes)

See more:

I am using <sessionstate cookieless="UseUri"> in this case a session identifier is appended with url in query string .

I just want to know If session identifier will show in url then-- what is the security issue ,Is it right way to use above setting to manage multiple session of same application in multiple browser's tab.

What I have tried:

I have achieve the multiple session in same browser in multiple tab by using below setting--

<sessionstate cookieless="UseUri">

Posted 5-Mar-19 21:31pm

suneel kumar gupta

Updated 6-Mar-19 0:13am

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

MadMyche · Answer 1 · 2019-03-06T00:14:00

Solution 1

Yes the session info show in the address bar, and can be copy/pasted to another address bar.
That copy/paste ability could be seen as a security vulnerability as you could copy/paste into an email just as easily

Posted 6-Mar-19 0:14am

MadMyche

Comments

suneel kumar gupta 6-Mar-19 7:24am

Thankyou so much for your reply. Yes I Agree that by copy/paste session id in another address bar we can access other user session but I think we can do this inside same browser and same device , not in different browser and device.

MadMyche 6-Mar-19 7:41am

Have you tried and confirmed this?
Read this: https://brockallen.com/2012/04/08/cookieless-session-considered-dangerous/

suneel kumar gupta 6-Mar-19 23:27pm

ok ,But How to manage session for multiple users in multiple tab in same browser?

MadMyche 7-Mar-19 6:58am

There really is no way you can do it programming wise; it is an unreasonable expectation to expect security when you have two or more people using the same program on the same machine simultaneously