Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Session or Cookie for login? 2
- Thread starter stlWebWiz
- Start date
-
2
- #4
Session variables actually use cookies.
The difference is that a session cookie only holds a unique reference number. The server uses that reference number to know which set of variables belong to which user.
So your users will still need to accept cookies if you want to use session variables.
The difference is that a session cookie only holds a unique reference number. The server uses that reference number to know which set of variables belong to which user.
So your users will still need to accept cookies if you want to use session variables.
Yes, session variables do require cookies, but a single session can hold mucho data (say in the form of an array variable) and maintain state from page to page without storing it client side. This is definitely more secure and does not require the instantiation of the Cookie object.
- Thread starter
- #6
samer2005,
All you have to do to store a value in a session variable is:
Session("MyVariableName") = MyValue
And then to read it on a subsequent page:
TheValue = Session("MyVariableName")
Or you can pass it to a function:
IF Len(Session("MyVariableName")) = 0 THEN
Response.Write "Value is Missing"
END IF
If you get an error, make sure that your IIS web server is configured to enable session state... use the IIS Admin tool to check.
To make a login script using session variables you need some method for keeping track of the valid username/password pairs. People often use a database with an ADO connection for this purpose but you can do it with a text file if need be. Then just build a regular HTML form that the user will use to submit their username and password to an ASP page. The ASP page will check the list and, if it is valid, assign some value to a session variable. In the pages that you wish to protect you simply add a little check for the session variable to the top of the page. If you have a lot of pages then it makes sense to put the code for this into an INCLUDE file.
All you have to do to store a value in a session variable is:
Session("MyVariableName") = MyValue
And then to read it on a subsequent page:
TheValue = Session("MyVariableName")
Or you can pass it to a function:
IF Len(Session("MyVariableName")) = 0 THEN
Response.Write "Value is Missing"
END IF
If you get an error, make sure that your IIS web server is configured to enable session state... use the IIS Admin tool to check.
To make a login script using session variables you need some method for keeping track of the valid username/password pairs. People often use a database with an ADO connection for this purpose but you can do it with a text file if need be. Then just build a regular HTML form that the user will use to submit their username and password to an ASP page. The ASP page will check the list and, if it is valid, assign some value to a session variable. In the pages that you wish to protect you simply add a little check for the session variable to the top of the page. If you have a lot of pages then it makes sense to put the code for this into an INCLUDE file.
Integrated authentication on the Intranet is not so bad as long as it isnt going to be a management nightmare to maintain the group of users that has file privilages. So if it is the Everybody group that is easy enough and if you can use an existing domain group that is fine but if the users are a subset that has to be managed it is can quickly become a pain in the butt depending on the size of your organization.
Integrated authentication on the Internet is a whole 'nuther can 'o worms.
Integrated authentication on the Internet is a whole 'nuther can 'o worms.
Good points. I currently have no permissions required. So authentication could mainly be used for logging activity and personalising pages.
However, security will almost certainly require more granularity in the future...
It's just people will say: AAAAARGGGGHHHH ANOTHER EFFING PASSWORD TO EFFING REMEM-EFFING-BER !!!!!!
However, security will almost certainly require more granularity in the future...
It's just people will say: AAAAARGGGGHHHH ANOTHER EFFING PASSWORD TO EFFING REMEM-EFFING-BER !!!!!!
Often a project you do may be on behalf of another department. Perhaps you can make an "administrative" web page to allow a member of THAT department to add/remove users. That way THEY get the blame for the password instead of you... also they won't bug you every time someone needs to be added. The downside is it reduces the organization's preceived "dependancy" on you.
Or... I could use a form for login, but get the webserver to authenticate the username and password against the Active Directory account.
That way I can still manage file privileges using the website acl database.
Then there will be no blame at all !
That way I can still manage file privileges using the website acl database.
Then there will be no blame at all !
* The cookie itself is not a risk because the only data inside it is the "key" number to a set of session variables held on the server.
* If someone intercepts and reads the tcp/ip data mid stream, you've got a bigger problem than the cookie.
* Since the session will time out after 20 mins of no activity, only someone using the computer immediately following your authorized user can make any use of it. You can change the amount of time.... 20 mins is the default.
* If you are have a usuage scenario where many people use the same machine, such as an internet cafe or a corporate training room, provide a LOG OUT button that will either set all session variables to an empty string, or better yet, force the session to end.
* If someone intercepts and reads the tcp/ip data mid stream, you've got a bigger problem than the cookie.
* Since the session will time out after 20 mins of no activity, only someone using the computer immediately following your authorized user can make any use of it. You can change the amount of time.... 20 mins is the default.
* If you are have a usuage scenario where many people use the same machine, such as an internet cafe or a corporate training room, provide a LOG OUT button that will either set all session variables to an empty string, or better yet, force the session to end.
I know this isn't a javascript forum, but is it possible to have client side javascript 'phone-home' a cookies' stored session id [say every 60 seconds] to an asp page that would/could 'track' the 'live' connection? If the session id isn't active for [lets say] 5 minutes, it would terminate the session? I guess a relevant question would be what would trigger session termination if the check failed?
I am no fan of javascript and use it as little as possible and therefore really don't know if something like this is even possible much less feasible for a small amount of users. I would learn if something like this worked, but really I'm just curious.
-a6m1n0
Curiosity only kills cats.
I am no fan of javascript and use it as little as possible and therefore really don't know if something like this is even possible much less feasible for a small amount of users. I would learn if something like this worked, but really I'm just curious.
-a6m1n0
Curiosity only kills cats.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question
- Locked
- Question