eramgarden Posted October 5, 2004

Currently, I'm using session vars to pass my vars between pages... I need to make a design change where users can launch a new window from the main window and do more stuff.. I tested this, it works but sessions in the 2 windows get mixed up .. So, I think I need to remove sessions from my app altogether and pass vars using the URL.

Would this cause a security issue? Is there a better way of doing this?

bri189a Posted October 5, 2004

I can see some concerns... by putting things in a query string you're letting the user know some of the filtering information. A fellow programmer, such as myself, surfing the site, can start changing those passed variables and 'guesstimated' values to try and uncover a hole or get into something they shouldn't. These things aren't usually a problem and just a sorting feature, or they pull up a page they could have gotten to by other means, but sometimes they are a problem. If you are concerned you could encrypt the value in the query string and then decrypt it later, then if it isn't within a valid range you know someone altered it and throw them to your 404 page. I definitely think there is a better way to do it, however I'm not experienced enough to know what it is if it exists. I'll be watching this thread too.

eramgarden (Author) Posted October 5, 2004

Ex-coworker said to encrypt and decrypt but not sure how to do that... Anyone else with ideas?

eramgarden (Author) Posted October 5, 2004

Maybe instead of passing vars via session or URL, I can declare global variables, doable?

bri189a Posted October 5, 2004

Again, my experience isn't as much as everyone else's, so I may be incorrect about this. With global application variables, I believe you're still going to have the same problem, if not worse, because I think application variables are used by all instances of the application - I may be wrong on that though.

eramgarden (Author) Posted October 5, 2004

Hmm, I don't know either, this is my first ASP.NET app.. I don't want to remove sessions, have global and run into the same issue.. the search continues..

wessamzeidan Posted October 6, 2004

What do you mean by "sessions in the 2 windows get mixed up"? How do they get mixed up?

Proudly a Palestinian. Microsoft ASP.NET MVP. My Blog: wessamzeidan.net

eramgarden (Author) Posted October 6, 2004

This is what I mean:

User logs in, does a search for an ID, goes to a page and looks at the ID's detail. ID=12345.

Now, on this page, they want to have a link and open another window to do more ID searches.. I added that link... In that new window, they do a search for another ID=88999. They look at the detail of this ID. So far so good.

Now, when I go back to the first window, and for example, try to do something with that ID=12345, the detail and stuff for the new ID=88999 shows up. So, now both windows have the same data.

I use sessions to pass IDs from page to page. So looks like in the second window, the session is set to ID=88999 and the first window also gets the same session ID...

Thanks for help. I hope I can still use sessions and not make a huge change to my app...

PlausiblyDamp (Administrators) Posted October 6, 2004

A session will be shared over all pages - this is by design. If you need to maintain separate state information per page you may want to go with your idea of query strings.

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein

eramgarden (Author) Posted October 6, 2004

Thanks for the response. Good, at least now I know what to do.

I also found this about encrypt/decrypt URL stuff if anyone else needs it:

http://www.dotnetjunkies.com/how%20to/99201486-ACFD-4607-A0CC-99E75836DC72.dcik

anpalmer Posted October 7, 2004

Thanks for the link on encryption/decryption, I was looking for similar stuff myself.

Ash
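
Added example (not part of any post in this thread, and not the code from the linked article): one way to make a query-string ID tamper-evident, so that an altered value is detected as described above. It uses an HMAC signature rather than encryption, since the goal stated in the thread is detecting changes, not hiding the ID. The class and method names, the demo key and the user names are assumptions; the two IDs are the ones from the thread.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedQueryId
{
    // Assumption: demo key; a real key is a server-side secret from protected config.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    // Returns "id.signature". The signature covers the user name as well as
    // the ID, so a value issued to one user does not validate for another.
    public static string Protect(string user, int id) => id + "." + Sign(user, id);

    // True (with the ID) only when the signature matches for this user.
    public static bool TryUnprotect(string user, string token, out int id)
    {
        id = 0;
        int dot = token == null ? -1 : token.IndexOf('.');
        if (dot <= 0 || !int.TryParse(token.Substring(0, dot), out int parsed)) return false;
        if (!FixedTimeEquals(Sign(user, parsed), token.Substring(dot + 1))) return false;
        id = parsed;
        return true;
    }

    static string Sign(string user, int id)
    {
        byte[] data = Encoding.UTF8.GetBytes(user + "\n" + id);
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(hmac.ComputeHash(data)).Replace("-", "");
    }

    // Compares every character so timing does not reveal where a mismatch is.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string token = Protect("alice", 12345);  // constructed sample values
        string forged = "88999" + token.Substring(token.IndexOf('.'));  // ID swapped, old signature kept
        Console.WriteLine("original:   " + TryUnprotect("alice", token, out int id) + " " + id);
        Console.WriteLine("forged:     " + TryUnprotect("alice", forged, out _));
        Console.WriteLine("other user: " + TryUnprotect("bob", token, out _));
    }
}
```

A valid signature only shows that the server issued this ID to this user; the detail page should still check that the logged-in user is allowed to view the record before loading it.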