After learning ASP.NET for a few months and viewing this forum for a few weeks, I have started to get confused by the settings and security issues of ASP.NET. I hope someone can answer me.
I am curious why we have to encrypt the connection string, appsetting and more in the web.config file even though file listing is set to "not allowed" in the server settings. Does it mean some strangers can still view and steal such a file from the server?
I know that the session id is sort of protected, but could a hacker change the information inside? Let's say a hacker browses my webpage and some data is stored in the session cookies; could they change the information inside the session cookies?
Thank you very much and I greatly appreciate your help.