
Session or Cookie for login? 2

Status
Not open for further replies.

stlWebWiz

Technical User
Mar 7, 2005
12
US
Hello,

I'm trying to decide on whether using a Session variable or Cookie for my login setup.

Does anyone have any suggestions? Which one is the most secure of the two?

Thanks in advance
Stanly T. Pickford
 
I use session variables to hold authentication between pages, but cookies if people want to save their name/passwords.

Session variables are going to be more secure as they are stored on the server, not the client.

Other thoughts?
 
Session variables actually use cookies.

The difference is that a session cookie only holds a unique reference number. The server uses that reference number to know which set of variables belong to which user.

So your users will still need to accept cookies if you want to use session variables.
 
Yes, session variables do require cookies, but a single session can hold mucho data (say in the form of an array variable) and maintain state from page to page without storing it client side. This is definitely more secure and does not require the instantiation of the Cookie object.
 
Thanks to everyone....I thought in the beginning that sessions would be better and now that I have a little more input on the subject I will be using the session variable

STP
 
I want code in the ASP web programming language that makes a session for login?
 
samer2005,

All you have to do to store a value in a session variable is:
Code:
<% Session("MyVariableName") = MyValue %>

And then to read it on a subsequent page:
Code:
<% TheValue = Session("MyVariableName") %>

Or you can pass it to a function:
Code:
<%
' Len() of an unset session variable is 0, so this also catches a missing value
If Len(Session("MyVariableName")) = 0 Then
    Response.Write "Value is Missing"
End If
%>

If you get an error, make sure that your IIS web server is configured to enable session state... use the IIS Admin tool to check.


To make a login script using session variables you need some method for keeping track of the valid username/password pairs. People often use a database with an ADO connection for this purpose but you can do it with a text file if need be. Then just build a regular HTML form that the user will use to submit their username and password to an ASP page. The ASP page will check the list and, if it is valid, assign some value to a session variable. In the pages that you wish to protect you simply add a little check for the session variable to the top of the page. If you have a lot of pages then it makes sense to put the code for this into an INCLUDE file.
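The login page and the per-page check described in the post above, written out as an added example (this is not code from the thread or from any poster). It assumes a table Users(UserID, UserName, Password) reachable through ADO, the placeholder connection string, the landing page /members/home.asp and the include path /includes/auth_check.inc; all of these are assumptions. The username is passed to the database as a command parameter, so whatever the visitor types is treated as data and not as part of the SQL text. The browser only ever receives the ASPSESSIONID key; UserID and UserName live on the server.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' ===== file: /login.asp (added example, not from the thread) =====
' Receives the POST from a plain HTML form with fields "username" and "password".
Const CONN_STR = "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=SiteDB;Integrated Security=SSPI;" ' assumption
Const adCmdText = 1, adVarChar = 200, adParamInput = 1   ' ADO constants (adovbs.inc values)

Dim sUser, sPass, cn, cmd, rs, bValid
bValid = False

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    sUser = Trim(Request.Form("username"))
    sPass = Request.Form("password")

    If Len(sUser) > 0 And Len(sPass) > 0 Then
        Set cn = Server.CreateObject("ADODB.Connection")
        cn.Open CONN_STR

        ' Parameterised command: the typed username can never alter the SQL statement.
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = cn
        cmd.CommandType = adCmdText
        cmd.CommandText = "SELECT UserID, Password FROM Users WHERE UserName = ?"
        cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 50, sUser)
        Set rs = cmd.Execute

        ' The thread keeps username/password pairs as stored; compare byte for byte.
        If Not rs.EOF Then
            If StrComp(CStr(rs("Password").Value), sPass, vbBinaryCompare) = 0 Then bValid = True
        End If

        If bValid Then
            ' Only the server sees these; the client gets just the session key cookie.
            Session("UserID") = rs("UserID").Value
            Session("UserName") = sUser
            Session.Timeout = 20   ' idle minutes before IIS drops the variables; 20 is the IIS default
        End If

        rs.Close: Set rs = Nothing
        cn.Close: Set cn = Nothing
    End If
End If

If bValid Then Response.Redirect "/members/home.asp"   ' assumed landing page
%>
<html><body>
<% If Request.ServerVariables("REQUEST_METHOD") = "POST" Then Response.Write "<p>Login failed.</p>" %>
<form method="post" action="login.asp">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Log in">
</form>
</body></html>

<%
' ===== file: /includes/auth_check.inc (added example, not from the thread) =====
' Put this at the top of every page you want to protect:
'   <!--#include virtual="/includes/auth_check.inc" -->
' Len() of an unset session variable is 0, so an unauthenticated visitor is sent to the form.
If Len(Session("UserID")) = 0 Then
    Response.Redirect "/login.asp"
End If
%>
```

Both files are shown in one block only for reading; they are saved separately. The include does the whole job for a protected page, which is why the post suggests an INCLUDE file once there are many pages to guard.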
 
Integrated Windows authentication doesn't seem to be used much?
Does anyone use this for an intranet site? (all pc's guaranteed to be windoze.)
 
Integrated authentication on the Intranet is not so bad as long as it isn't going to be a management nightmare to maintain the group of users that has file privileges. So if it is the Everybody group that is easy enough and if you can use an existing domain group that is fine but if the users are a subset that has to be managed it can quickly become a pain in the butt depending on the size of your organization.

Integrated authentication on the Internet is a whole 'nuther can 'o worms.
 
Good points. I currently have no permissions required. So authentication could mainly be used for logging activity and personalising pages.

However, security will almost certainly require more granularity in the future...

It's just people will say: AAAAARGGGGHHHH ANOTHER EFFING PASSWORD TO EFFING REMEM-EFFING-BER !!!!!!
 
It's just people will say: AAAAARGGGGHHHH ANOTHER EFFING PASSWORD TO EFFING REMEM-EFFING-BER !!!!!!

Often a project you do may be on behalf of another department. Perhaps you can make an "administrative" web page to allow a member of THAT department to add/remove users. That way THEY get the blame for the password instead of you... also they won't bug you every time someone needs to be added. The downside is it reduces the organization's perceived "dependency" on you.
 
Or... I could use a form for login, but get the webserver to authenticate the username and password against the Active Directory account.

That way I can still manage file privileges using the website acl database.

Then there will be no blame at all ! :)
 
Is there any way to secure the cookies that an asp session creates?
 
* The cookie itself is not a risk because the only data inside it is the "key" number to a set of session variables held on the server.

* If someone intercepts and reads the tcp/ip data mid stream, you've got a bigger problem than the cookie.

* Since the session will time out after 20 mins of no activity, only someone using the computer immediately following your authorized user can make any use of it. You can change the amount of time.... 20 mins is the default.

* If you have a usage scenario where many people use the same machine, such as an internet cafe or a corporate training room, provide a LOG OUT button that will either set all session variables to an empty string, or better yet, force the session to end.
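The LOG OUT button from the last point, as an added example (not code from the thread): a logout.asp that does both things the post names, first blanking every session variable and then ending the session with Session.Abandon. The redirect target /login.asp is an assumption.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' logout.asp (added example, not from the thread)
' For shared machines: make sure the next person at the keyboard cannot
' reuse the previous user's ASPSESSIONID cookie to reach protected pages.

Sub ClearSessionVariables()
    ' Option 1 from the post: set every session variable to an empty string.
    ' The session and its cookie stay alive; only the stored values are gone.
    Dim key
    For Each key In Session.Contents
        Session(key) = ""
    Next
    ' IIS 5 and later can do the same in one call: Session.Contents.RemoveAll()
End Sub

Sub EndSession()
    ' Option 2, the "better yet": IIS destroys this session when the page
    ' finishes. A browser replaying the old cookie gets a new, empty session,
    ' so the include check (Len(Session("UserID")) = 0) sends it back to login.
    Session.Abandon
End Sub

ClearSessionVariables
EndSession
Response.Redirect "/login.asp"
%>
```

Session.Abandon takes effect at the end of the page, so nothing after it in this request should rely on the variables being gone; the redirect makes the next request start clean.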
 
I know this isn't a javascript forum, but is it possible to have client side javascript 'phone-home' a cookie's stored session id [say every 60 seconds] to an asp page that would/could 'track' the 'live' connection? If the session id isn't active for [let's say] 5 minutes, it would terminate the session? I guess a relevant question would be what would trigger session termination if the check failed?

I am no fan of javascript and use it as little as possible and therefore really don't know if something like this is even possible much less feasible for a small amount of users. I would learn if something like this worked, but really I'm just curious.

-a6m1n0

Curiosity only kills cats.
 
You can just drop the timeout down to 5 minutes instead of the default of 20. Use the IIS Admin tool to do this.
 
Couldn't it just be set on a per page basis instead of changing the global value in the IIS MMC?

Code:
<% Session.Timeout = 5 %>

-a6m1n0

Curiosity only kills cats.
 