Security issue? pass vars in URL


  1. #1
    Join Date
    Dec 1969

    Security issue? pass vars in URL

    Currently, I'm using session vars to pass my vars between pages...

    I need to make a design change where users can launch a new window from the main window and do more stuff..

    I tested this, it works but sessions in the 2 windows get mixed up ..

    So, I think I need to remove sessions from my app altogether and pass vars using URL

    Would this cause a security issue? Is there a better way of doing this?

  2. #2
    Join Date
    Dec 1969

    RE: Security issue? pass vars in URL

    It depends. Do you care if users change the variables? If you do, then yes, passing them in the querystring is a security issue. If not, then no, it isn't.

    Better way of doing what? What do you mean by the windows get "mixed up"?

  3. #3
    Join Date
    Dec 1969

    Yes, they will...

    It all depends on HOW the browser launches a new window. If it just uses another thread in the same process, then the two windows will share Session variables. If it uses a new process, they won't. Since you don't have control of the browser's window launchings, you have to plan for both possibilities.

    But what's wrong with using <FORM METHOD=POST> and passing the stuff in hidden form fields??? After all, that's what ASP.NET is going to do, anyway, to a large part.

    Of course, there *is* a simple answer: Don't use session variables with the SAME NAMES in the two windows. But see my other warning, above: *ALSO* do NOT assume that the popup window will be able to see *any* session info from the main window. It's out of your control.
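
Added example, not part of any post in this thread: values carried in a query string or hidden form field can be changed by the user, so a server that cares must detect the change. This Python sketch signs the parameters with an HMAC and rejects altered or expired ones; `SECRET_KEY`, `MAX_AGE_SECONDS`, `sign_query` and `verify_query` are names assumed for the illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Assumption: a server-side secret that is never sent to the browser (constructed value).
SECRET_KEY = b"constructed-demo-key-replace-me"
MAX_AGE_SECONDS = 900  # assumed lifetime of a signed parameter set


def _mac(payload: str) -> bytes:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def sign_query(params: dict, now: Optional[int] = None) -> str:
    """Return a query string carrying params, an issue time (ts) and a MAC (sig)."""
    if "ts" in params or "sig" in params:
        raise ValueError("'ts' and 'sig' are reserved names")
    fields = dict(params, ts=str(int(time.time()) if now is None else now))
    # Sort by name so signer and verifier build the identical byte string.
    payload = urlencode(sorted(fields.items()))
    return payload + "&sig=" + _mac(payload).decode()


def verify_query(query: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the signed params if untampered and fresh, otherwise None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "sig"]
    fields = [(k, v) for k, v in pairs if k != "sig"]
    names = [k for k, _ in fields]
    if len(sigs) != 1 or len(set(names)) != len(names):
        return None  # missing or repeated signature, or a repeated parameter
    payload = urlencode(sorted(fields))
    # Constant-time comparison on bytes; any changed name or value fails here.
    if not hmac.compare_digest(sigs[0].encode(), _mac(payload)):
        return None
    data = dict(fields)
    current = int(time.time()) if now is None else now
    if current - int(data.pop("ts")) > MAX_AGE_SECONDS:
        return None  # signed link is too old to accept
    return data
```

The signature only detects changes; the values are still visible to the user, so anything the user must not see stays on the server.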
