Assign variables to an SSL connection 1

[4waystop]

Hi

I'm wandering first if its possible to assign variables (such as a username) to an SSL connection at the server-end, so that the server will know for sure which client it is talking to. And secondly how do you do it from ASP or where do I even begin to look? I'm not having much luck with my google searches thus far!

Thanks All

4waystop

 

[Tarwn]

I don't understand what your trying to do. If you simply want to keep track of which client is requesting a page when a script is running you could use a cookie or session variable to trakc them. As far as binding a connection to an ASP variable, I dohn't think thats possible (or at the very least, it would be extremely difficult and probably unnecessary).

Perhaps if you give us more information on what your trying to do we'll be able to help further,

-T

 

[4waystop]

OK, fair enough I wasn't that clear!

What I am trying to do is ensure the server knows exactly who it is talking to at all times. We're using an SSL connection at all times on this website.

I don't want to any kind of cookie because users can play about with them.

I just need a way to ensure that once a user logs-in they can't just arbitrarily change their username so the server thinks they are someone else or any other tricks like that. I was thinking that if it was possible for the SSL connection to store information about a client in a connection object, then we could always be certain as the encription keys have to match etc.

Is this only way to do it to use ASP Application objects? But surely then you would only know who is logged-in, but not who each individual user is.

If my confusion is too evident I'll try to explain again!
Many Thanks. 4waystop.

 

[DreXor]

when they log in assign a value to a session variable it's something on your side that wil expire after a certain time of inactivity, if it does, they just have to log back in again

it's comepletely volitile, and only the server can alter it.

DreX
aKa - Robert

 

[4waystop]

But isn't a session variable stored on the client-side? (Quoted from

http://www.w3schools.com/asp/asp_sessions.asp):

ASP solves this problem by creating a unique cookie for each user. The cookie is sent to the client and it contains information that identifies the user. This interface is called the Session object.

 

[Genimuse]

The ID of the session is stored on the client, the session data is stored on the server.

I've believe that, like cached page data received through an SSL connection, cookie data received through one is also encrypted.

As far as knowing which user it is, if you were able to read the data encrypted by the key the server and client co-created, then for all meaningful intents and purposes it's coming from the same client. Someone would have to hack the SSL connection to pose as that user, something that's certainly possible but is no mean feat.

 

[4waystop]

Thanks for the clarification Genimuse. Its certainly makes more sense for it to be this way. It seems my trusty w3schools.com reference let me down for once!