Hi everyone,
I have a major MAJOR MAJOR problem.
OK, I have been using cookies for my site for a while, and now I have been
trying to use sessionless cookies because I find them much faster.
Anyway, now the problem.
With sessionless cookies, since the ID is embedded within the URL, every time
someone signs into their account and then logs out, if they send their link
to someone else, that other person can log into their account without
needing to know their user name and password. OK, let me show you what I mean
by example.
Here is my site, go to my site:
http://www.riseofkingdoms.org/rok
Now if you log in using UserName: d1 and password: dzl786
you'll be taken to your page. Now if you go in the menu and go to Palac and
sign out, but before doing that copy the link in your browser, now
sign out, close your browser and paste your link, and you'll be taken back
to your profile without needing to sign in.
Even if you send your link to someone else, they will be able to sign in
without needing to log in. Here is the link from when I signed in; you can just
go to that account using this link, you don't need to sign in:
http://www.riseofkingdoms.org/rok/(c4ehh345kyxu122m0xz2ij45)/ROKGame/Rise_Of_Kingdoms/Home.aspx
This cannot be good.
I am sure there is a way around this, I mean I hope; why is it doing
this?
I expire sessions when sign-out has been clicked: Session.Remove("UserName");
Any suggestions?
Best Regards
Amir
*** Sent via Developersdex http://www.examnotes.net ***
Don't just participate in USENET...get rewarded for it!

You are storing the user and password data in the cookie? There is your
security problem right there. Cookies are only as secure as the data you
put in them.
You should be storing the user names and passwords in a database and
authenticating users against that database. Also, since cookies can be
"turned off" at the client level, you should never build any functionality
into them that you aren't willing to lose.
"Amir Ghezelbash" <amir_gh99@.hotmail.com> wrote in message
news:u2wVPkJKEHA.3184@.TK2MSFTNGP10.phx.gbl...
> Hi every one
> I have a major MAJOR MAJOR problem
> Ok I have been using cookies for my site for a while and now I have been
> trying to use session less cookies because I find them much faster
> Any way now the problem
> With session less cookies since ID is embedded within URL every time
> someone signs into their account and then logout if they send their link
> to someone else, that other person can login into their account without
> needing to know their user name and pass ok let me show you what I mean
> by example
> Here is my site go to my site
> http://www.riseofkingdoms.org/rok
> Now if you login using: UserName:d1 and password:dzl786
> You be taking to your page now if you go in menu and go to Palac and
> sign-out but before doing that copy the link in your browser, now
> sign-out close your browser and paste your link and you be taking back
> to your profile without needing to sign in
> Even if you send your link to someone else they will be able to sign in
> without needing to log in here is the link when I signed in you can just
> go to that account using this link you don't need to sign in
> http://www.riseofkingdoms.org/rok/(c4ehh345kyxu122m0xz2ij45)/ROKGame/Rise_Of_Kingdoms/Home.aspx
> This cannot be good
> I am sure there is a way around this I mean I hope, why is it doing
> this?
> I expire sessions when sign-out has been clicked, Session.Remove("UserName");
> Any suggestions
>
>
> --
> Best Regards
> Amir
> *** Sent via Developersdex http://www.examnotes.net ***
> Don't just participate in USENET...get rewarded for it!
?
Did you even read my question?
No, I am not using cookies; passwords are saved into the database.
I am using cookieless sessions here.
Best Regards
Amir
*** Sent via Developersdex http://www.examnotes.net ***
Don't just participate in USENET...get rewarded for it!
How are you expiring the session?
Cheers
Ken
"Amir Ghezelbash" <amir_gh99@.hotmail.com> wrote in message
news:uU3taTOKEHA.3916@.TK2MSFTNGP10.phx.gbl...
: ?
: did you even read my question?
: no i am not using cookies, passwords are saved into database
:
: i am using cookieless sessions here
:
: --
: Best Regards
: Amir
:
: *** Sent via Developersdex http://www.examnotes.net ***
: Don't just participate in USENET...get rewarded for it!
Hi Amir,
> This cannot be good
> I am sure there is a way around this I mean I hope, why is it doing
> this?
> I expire sessions when sign-out has been clicked, Session.Remove("UserName");
Do you check the existence of "UserName" in the Session object in every method
of your code? The real session will not expire earlier than 20 min, or whatever
you have specified for your application.
______________________________
With best wishes, Arthur Nesterovsky
Visit, please, my home page:
http://www.nesterovsky-bros.com
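As an added illustration (not code from the thread or from Amir's site), here are the two pieces Arthur's reply points at: a sign-out handler that ends the server-side session instead of only removing one key, and a base page that checks the session on every request. The class names and the "UserName" key are assumptions.

```csharp
// Added illustration, not code from the original thread. Assumes an ASP.NET
// Web Forms application with cookieless sessions and a "UserName" session
// key set at login, as Amir describes.
using System;
using System.Web;
using System.Web.UI;

// Before: only the key is removed. The session behind the ID embedded in
// the URL stays alive until the configured timeout (20 minutes by default),
// so anyone holding the copied URL can still resume it.
public class WeakSignOutPage : Page
{
    protected void SignOut_Click(object sender, EventArgs e)
    {
        Session.Remove("UserName");
        Response.Redirect("~/Login.aspx");
    }
}

// After: end the server-side session so the ID in the copied URL no longer
// maps to any state; a request carrying it gets a fresh, empty session.
public class SignOutPage : Page
{
    protected void SignOut_Click(object sender, EventArgs e)
    {
        Session.Clear();
        Session.Abandon();
        Response.Redirect("~/Login.aspx");
    }
}

// Every protected page derives from this, so the check Arthur asks about
// runs on every request rather than only on the login page.
public class AuthenticatedPage : Page
{
    protected string CurrentUserName
    {
        get { return Session["UserName"] as string; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        string user = CurrentUserName;
        if (user == null || user.Length == 0)
        {
            // No authenticated session behind this ID: send to login.
            Response.Redirect("~/Login.aspx", true);
        }
    }
}
```

Abandoning the session on sign-out is what makes the old URL useless; the per-page check is what stops a request with an unknown or expired ID from reaching a profile page.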