PCI: Session-ID should no longer be in the URL. How to treat users when cookies are disabled?

We have an order web application without login. The session data are stored in a cookie. When users have disabled cookies, they will be redirected to the same application in a different folder where only the web.config session setting is different. There, the setting is cookieless="UseUri". So now the Session-ID is in the URL when cookies are disabled.

Now, for PCI certification there are new standards. They will no longer accept the session in the URL if you want to get certified.

So we could turn off our “session-id in url” version. But then we will lose some customers, because they can no longer use our application.

Are there any other options to save global values in an ASP.NET application? ViewState is possible within one aspx page, but global? Any ideas?

Greetings, Mike
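The `cookieless` setting described in the post can be audited across a site's web.config files before an assessment. The following is an added example, not part of the original post: the function names and the sample configuration strings are constructed for illustration, and the check covers only the `<sessionState>` element.

```python
import xml.etree.ElementTree as ET

# Values of <sessionState cookieless="..."> grouped by where the session ID travels.
ALWAYS_IN_URL = {"useuri", "true"}                 # ID is always embedded in the URL
MAY_BE_IN_URL = {"autodetect", "usedeviceprofile"}  # falls back to the URL for some clients
COOKIE_ONLY = {"usecookies", "false"}              # ID is only ever sent in a cookie


def local_name(tag):
    """Strip an XML namespace prefix such as '{ns}sessionState'."""
    return tag.rsplit("}", 1)[-1]


def audit_session_state(config_xml):
    """Return (mode, verdict) for every <sessionState> element, including
    those nested under <location> overrides for sub-folders."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        if local_name(el.tag) != "sessionState":
            continue
        # ASP.NET uses UseCookies when the attribute is absent.
        mode = el.get("cookieless", "UseCookies")
        key = mode.strip().lower()
        if key in ALWAYS_IN_URL:
            verdict = "fail"
        elif key in MAY_BE_IN_URL:
            verdict = "review"
        elif key in COOKIE_ONLY:
            verdict = "ok"
        else:
            verdict = "unknown"
        findings.append((mode, verdict))
    return findings


# Constructed sample: a cookie-only root with a sub-folder override like the
# one in the post, where the session ID moves into the URL.
SAMPLE_CONFIG = """<configuration>
  <system.web><sessionState mode="InProc" cookieless="UseCookies" /></system.web>
  <location path="nocookie">
    <system.web><sessionState mode="InProc" cookieless="UseUri" /></system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for mode, verdict in audit_session_state(SAMPLE_CONFIG):
        print(f"cookieless={mode}: {verdict}")
```

A "review" verdict means the mode can still place the session ID in the URL for clients that do not accept cookies, so it needs the same attention as "fail".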
