Cannot access a disposed object

[Shawn]

Hi.
In my application I store information about the user in the session object.
Since I'm storing sensitive information I encrypt it before storing and
decrypt it when I need to use it again. The encryption object I use is
stored in the Application object. My problem is that after a while the
encryption object becomes unusable. When I retrieve the object from
Application and call the decrypt method I get an exception saying "Cannot
access a disposed object". Sometimes it works fine for 2 weeks and
sometimes it only works for a day or two. Has anyone experienced a similar
problem? I'm guessing the web server is to blame, I just don't know how to
fix it.

Any help is greatly appreciated!

Shawn

 

[Karl Seguin]

My first and only guess is that somewhere you are simply disposing of the
object yourself, perhaps via using or something and you don't realize it.
The fact that it happens at inconsistent intervals could simply mean it's
along a codepath not frequently executed.

I do have to question the encrypting session thing though. This is
something I've never done or heard of. Why encrypt the data? Seems like
fake security on top of actually locking down your machine. It seems to me
that anyone who's gotten access to the machine will be able to get access to
the data (heck, they'll grab the dll that has the decrypting code in it or
something).

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)

 

[Shawn]

Hi Karl.
I'm not disposing the object myself. I'm just using its (only) two
methods -encrypt and decrypt- through out my code.

I always thought that data stored in the session object was not particularly
safe and that it could easily be exposed to people who new what they were
doing. That's why I'm encrypting it. That way it would at least be a bit
more difficult for hackers to get access to it since they would have to use
the decrypting object stored in application to decrypt the data. But if you
say that it has no purpose then I will take you word for it and stop using
it.

PS. I saw this method used in an article once, that's why I implemented it.
Can't remember where I read the article though.

Thanks,
Shawn

 

[Kevin Spencer]

I always thought that data stored in the session object was not

particularly
safe and that it could easily be exposed to people who new what they were
doing. That's why I'm encrypting it. That way it would at least be a bit
more difficult for hackers to get access to it since they would have to
use
the decrypting object stored in application to decrypt the data. But if
you
say that it has no purpose then I will take you word for it and stop using
it.

Now, how is a hacker supposed to get at anything stored in System Memory?
Now, if you were using SQL Server for Session, I suppose it is remotely
possible, assuming that Security on the SQL Server was screwed up well
enough by the DBA, to access the Session data in the database. But by
default, Session State is stored in System Memory.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Paranoia is just a state of mind.