R2i DotNetNuke® Forum

R2i wants you to have the opportunity to ask questions, post reviews, help others or just rant and rave about DotNetNuke® or any of the R2i Modules and Skins. Our team spends hour upon hour, day after day, working on custom DotNetNuke® modules and services; please feel free to ask us anything.
 
Session and Denial of Service
schafer_brad (New Member, Posts: 14)
07 Jul 2006 08:23 PM  
Kevin,

We are building a public form based wizard using the "ACTIONS Tag", "Action Side Redirects" and Sessions.

Our concern is that placing form variables into Sessions and then performing redirects creates an environment that might be ripe for DoS attacks.

i.e. Spawning new sessions, and therefore creating a memory-consumption-based DoS.

Is there a way to pass the "ACTIONS" redirect or "ACTION side Redirect" as a FORM POST? It is our belief that this would eliminate the creation of new sessions (as sessions live at minimum 20 minutes if not kept alive), as the form value is only present on the POST.

Is there a usage of the "VIEWSTATE" rather than Session-based storage that might accommodate this as well?

Although it's my understanding that the "VIEWSTATE" is not maintained through an "ACTIONS" or "ACTION SIDE" redirect.

Your thoughts here would be greatly appreciated. We consider the vulnerability to DoS attacks to be of real concern to larger, public-type service applications.

Thanks,

Brad Schafer
kevinmschreiner (Advanced Member, Posts: 729)
10 Jul 2006 06:02 PM  
Interesting question, but I may be missing something here. ListX is storing the Session information and retaining it for use within your system. The DoS attack is really only avoidable by not maintaining a session for incoming requests. With this said, that means no session whatsoever. There are always a few little nuggets of information stored within the runtime session of your users, and, in most cases, even if no name/value pairs are contained within the session, a session object still exists as it was created in the http context.

The main question here is: are you abandoning the use of sessions completely? ViewState, while usable, has its own limitations, most obviously in the bloated size of the page itself. ViewStates are not maintained within redirects, because the ViewState is the Page state, and would not apply to page X when coming from page Y.

What type of model do you have in mind here?
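One model that addresses the concern raised in both posts (a memory-consumption DoS from server-side sessions created for anonymous wizard visitors) is to carry the wizard's step data inside the POST body itself, integrity-protected with an HMAC so the visitor cannot alter it. The following is an added illustration, not ListX, DotNetNuke or R2i code; it assumes a current .NET runtime, a server secret loaded from protected configuration (the literal key below is a placeholder), and a hidden field layout of `base64(payload).base64(tag)`. As the reply above notes, this only works while every hop is a POST; a redirect would drop the field just as it drops ViewState.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: stateless, tamper-evident wizard state carried in a hidden form
// field, so no Session object has to be allocated per unauthenticated visitor.
public static class StatelessWizardState
{
    // Placeholder: in a real deployment the key comes from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("CHANGE-ME-server-secret");

    // Base64-encode the step payload and append an HMAC-SHA256 tag over the encoding.
    // Callers should include the step number (and, ideally, an expiry) in the payload
    // so a token for step 1 cannot be replayed as a later step.
    public static string Protect(string payload)
    {
        string data = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
        return data + "." + Sign(data);
    }

    // Returns the payload if the tag verifies; null if the field was altered or forged.
    public static string Unprotect(string field)
    {
        int dot = field.LastIndexOf('.');
        if (dot < 0) return null;
        string data = field.Substring(0, dot);
        byte[] expected = Convert.FromBase64String(Sign(data));
        byte[] actual;
        try { actual = Convert.FromBase64String(field.Substring(dot + 1)); }
        catch (FormatException) { return null; }
        // Constant-time comparison so the tag cannot be guessed byte by byte.
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return null;
        return Encoding.UTF8.GetString(Convert.FromBase64String(data));
    }

    private static string Sign(string data)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    public static void Main()
    {
        string field = Protect("step=2;name=Brad");          // value to emit as a hidden input
        Console.WriteLine(Unprotect(field));                 // step=2;name=Brad
        Console.WriteLine(Unprotect(field + "x") == null);   // True: tampered field rejected
    }
}
```

Because the server keeps nothing between requests, a flood of wizard starts costs only the CPU to verify one HMAC per POST rather than a 20-minute session per visitor.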