Re: Cannot access a disposed object




> I always thought that data stored in the session object was not particularly
> safe and that it could easily be exposed to people who knew what they were
> doing. That's why I'm encrypting it. That way it would at least be a bit
> more difficult for hackers to get access to it since they would have to use
> the decrypting object stored in application to decrypt the data. But if you
> say that it has no purpose then I will take your word for it and stop using
> it.

Now, how is a hacker supposed to get at anything stored in System Memory?
Now, if you were using SQL Server for Session, I suppose it is remotely
possible, assuming that Security on the SQL Server was screwed up well
enough by the DBA, to access the Session data in the database. But by
default, Session State is stored in System Memory.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Paranoia is just a state of mind.

"Shawn" <bossman100@xxxxxxxxxxx> wrote in message
news:eQCzQG9oFHA.3256@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Karl.
> I'm not disposing the object myself. I'm just using its (only) two
> methods -encrypt and decrypt- throughout my code.
>
> I always thought that data stored in the session object was not particularly
> safe and that it could easily be exposed to people who knew what they were
> doing. That's why I'm encrypting it. That way it would at least be a bit
> more difficult for hackers to get access to it since they would have to use
> the decrypting object stored in application to decrypt the data. But if you
> say that it has no purpose then I will take your word for it and stop using
> it.
>
> PS. I saw this method used in an article once, that's why I implemented it.
> Can't remember where I read the article though.
>
> Thanks,
> Shawn
>
>
> "Karl Seguin" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME net>
> wrote in message news:uXyWxiyoFHA.3068@xxxxxxxxxxxxxxxxxxxxxxx
>> My first and only guess is that somewhere you are simply disposing of the
>> object yourself, perhaps via using or something and you don't realize it.
>> The fact that it happens at inconsistent intervals could simply mean it's
>> along a codepath not frequently executed.
>>
>> I do have to question the encrypting session thing though. This is
>> something I've never done or heard of. Why encrypt the data? Seems like
>> fake security on top of actually locking down your machine. It seems to me
>> that anyone who's gotten access to the machine will be able to get access to
>> the data (heck, they'll grab the dll that has the decrypting code in it or
>> something).
>>
>> Karl
>> --
>> MY ASP.Net tutorials
>> http://www.openmymind.net/ - New and Improved (yes, the popup is annoying)
>> http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to come!)
>> "Shawn" <bossman100@xxxxxxxxxxx> wrote in message
>> news:uK8zGAyoFHA.2580@xxxxxxxxxxxxxxxxxxxxxxx
>> > Hi.
>> > In my application I store information about the user in the session object.
>> > Since I'm storing sensitive information I encrypt it before storing and
>> > decrypt it when I need to use it again. The encryption object I use is
>> > stored in the Application object. My problem is that after a while the
>> > encryption object becomes unusable. When I retrieve the object from
>> > Application and call the decrypt method I get an exception saying "Cannot
>> > access a disposed object". Sometimes it works fine for 2 weeks and
>> > sometimes it only works for a day or two. Has anyone experienced a similar
>> > problem? I'm guessing the web server is to blame, I just don't know how to
>> > fix it.
>> >
>> > Any help is greatly appreciated!
>> >
>> > Shawn
>> >
>> >
>> >
>>
>>
>
>
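
The failure mode guessed at in the quoted reply (a shared object disposed along a rarely executed code path, for example by a `using`), reproduced as an added example that is not code from any poster in this thread. `SessionCipher`, the dictionary standing in for the Application object, and the all-zero key are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for the poster's encryption object; its real type is not shown.
sealed class SessionCipher : IDisposable
{
    private readonly byte[] _key;
    private bool _disposed;

    public SessionCipher(byte[] key) { _key = (byte[])key.Clone(); }

    public byte[] Encrypt(string plain)
    {
        if (_disposed) throw new ObjectDisposedException(nameof(SessionCipher));
        using (var aes = Aes.Create())           // new instance, so a fresh random IV
        {
            aes.Key = _key;
            byte[] iv = aes.IV, data = Encoding.UTF8.GetBytes(plain);
            using (var enc = aes.CreateEncryptor())
            {
                byte[] body = enc.TransformFinalBlock(data, 0, data.Length);
                byte[] result = new byte[iv.Length + body.Length];
                iv.CopyTo(result, 0);
                body.CopyTo(result, iv.Length);
                return result;                   // IV || ciphertext
            }
        }
    }

    public void Dispose() { Array.Clear(_key, 0, _key.Length); _disposed = true; }
}

static class Program
{
    // Stands in for HttpApplicationState: one instance shared by every request.
    static readonly Dictionary<string, object> Application = new Dictionary<string, object>();

    static void Main()
    {
        Application["cipher"] = new SessionCipher(new byte[32]); // constructed all-zero demo key
        ((SessionCipher)Application["cipher"]).Encrypt("user=42"); // frequent path: borrows only
        // Rarely executed path: 'using' disposes the instance every request shares.
        using (var c = (SessionCipher)Application["cipher"]) { c.Encrypt("user=43"); }
        try { ((SessionCipher)Application["cipher"]).Encrypt("user=44"); }
        catch (ObjectDisposedException ex) { Console.WriteLine(ex.Message); }
    }
}
```

The last call raises an `ObjectDisposedException` whose message begins with "Cannot access a disposed object", and it keeps failing until the application restarts and recreates the instance. Keeping shared instances out of `using` blocks, or storing only the key and creating the disposable object per call, avoids it.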

