
Session Security?


Crash1hd
06-09-2003, 10:17 AM
I was wondering (now try and keep up with me; the simple part is): how secure is Session Security??

Here's my thought: say you have a website that uses login & password blah blah blah, and when you have successfully logged in it tells your browser that you have a usersession=2. OK, so when you go to the members page, which checks to see if the browser has the usersession=2 or not, and if it does it lets you in!

OK, so I was wondering: say I decided to use my own IIS to create an ASP page that gives me usersession=2, and then I go to the members page of that site. I have usersession=2, so does the website in question give me access or not???

Basically is there a unique string of code that goes with that usersession=2 that is unique to the website or not???

:cool: just curious if anyone has any idea!

dominicall
06-09-2003, 11:11 AM
User sessions are stored in temporary cookies based on URL/IP address so if you create a user session on your local IIS it shouldn't authenticate on a live server in another location...

dominicall

raf
06-09-2003, 12:55 PM
Dominicall is right.

I think the 'only' way to set or alter session variables is server-side. So the main concern is that you don't allow users to alter values through the query string or in a cookie stored on the client side.

I don't know this (need to check this some day), but I don't think that the session object is application-specific. Meaning: say a user logs into application 1 on server X. An instance of the session is created. A server-side script sets a session variable profile=2. The user then goes to a page of application 2 on the same server X. This page checks if session("profile") = 2. What will happen then? Is the instance of the session object application-specific, or will it read that session variable and allow access?
Anyone ever tested this?
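The difference between trusting a client-supplied value like usersession=2 and keying server-side state on an opaque token, as an added Python example that is not code from this thread or any poster. It assumes a constructed user table and models each application with its own session store and cookie name; that separation is an assumption of the model, not a statement about how IIS scopes ASP Session objects.

```python
import secrets

# Constructed server-side session stores: opaque token -> session data.
# One store per application is an assumption of this model.
SESSION_STORES = {"members": {}, "billing": {}}

# Constructed credential table standing in for a real user database.
USERS = {"alice": "correct horse"}


def login(app, username, password, profile=2):
    """Authenticate and return the cookie the browser would store, or None."""
    if USERS.get(username) != password:
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits: not guessable or forgeable
    SESSION_STORES[app][token] = {"user": username, "usersession": profile}
    return {f"{app}_sid": token}       # client only ever sees the opaque key


def members_page_weak(cookies):
    """Weak design: the access decision reads a value the client controls."""
    return cookies.get("usersession") == "2"


def members_page(app, cookies):
    """Hardened design: the cookie is only a lookup key; state lives server-side."""
    token = cookies.get(f"{app}_sid")
    session = SESSION_STORES[app].get(token)
    return session is not None and session["usersession"] == 2


def demo():
    """Replay the thread's scenario: a cookie minted on the attacker's own server."""
    forged = {"usersession": "2"}                    # set by someone else's IIS/ASP page
    legit = login("members", "alice", "correct horse")
    return {
        "weak_forged": members_page_weak(forged),            # True: forged value works
        "strong_forged": members_page("members", forged),    # False: no matching token
        "strong_guess": members_page("members", {"members_sid": "AAAA"}),  # False
        "strong_legit": members_page("members", legit),      # True
        "strong_other_app": members_page("billing", legit),  # False: other store
    }
```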