login and sessions

Discussion in 'ASP General' started by Ricardo Furtado, Aug 31, 2010.

  1. When developing web pages I usually check if the user is logged by using
    sessions.
    Yesterday I read something about the downsides of sessions and one of them
    is when computers don't allow sessions.
    What should be the best way to check if a user is logged?
     
    Ricardo Furtado, Aug 31, 2010
    #1

  2. Ricardo Furtado

    Tim Slattery Guest

    Ricardo Furtado <> wrote:

    >When developing web pages I usually check if the user is logged by using
    >sessions.
    >Yesterday I read something about the downsides of sessions and one of them
    >is when computers don't allow sessions.
    >What should be the best way to check if a user is logged?


    Sessions are maintained server-side. They are identified by a cookie
    that's passed back and forth between the server and client. Most
    clients will allow session cookies even if they don't allow persistent
    cookies. If the client doesn't allow session cookies, then there's
    nothing much you can do to maintain a session. (And the user has cut
    himself off from a LARGE part of the web!)

    --
    Tim Slattery

    http://members.cox.net/slatteryt
     
    Tim Slattery, Aug 31, 2010
    #2

  3. Thanks for your answer.

    So, but can I believe that sessions are the best option for this kind of
    task? Better than passing a session ID in every URL or even global variables?

    "Tim Slattery" wrote:

    > Ricardo Furtado <> wrote:
    >
    > >When developing web pages I usually check if the user is logged by using
    > >sessions.
    > >Yesterday I read something about the downsides of sessions and one of them
    > >is when computers don't allow sessions.
    > >What should be the best way to check if a user is logged?

    >
    > Sessions are maintained server-side. They are identified by a cookie
    > that's passed back and forth between the server and client. Most
    > clients will allow session cookies even if they don't allow persistent
    > cookies. If the client doesn't allow session cookies, then there's
    > nothing much you can do to maintain a session. (And the user has cut
    > himself off from a LARGE part of the web!)
    >
    > --
    > Tim Slattery
    >
    > http://members.cox.net/slatteryt
    > .
    >
     
    Ricardo Furtado, Aug 31, 2010
    #3
  4. Ricardo Furtado

    Evertjan. Guest

    Ricardo Furtado wrote on 31 aug 2010 in
    microsoft.public.inetserver.asp.general:
    > "Tim Slattery" wrote:
    >
    >> Ricardo Furtado <> wrote:
    >>
    >> >When developing web pages I usually check if the user is logged by
    >> >using sessions.
    >> >Yesterday I read something about the downsides of sessions and one
    >> >of them is when computers don't allow sessions.
    >> >What should be the best way to check if a user is logged?

    >>
    >> Sessions are maintained server-side. They are identified by a cookie
    >> that's passed back and forth between the server and client. Most
    >> clients will allow session cookies even if they don't allow
    >> persistent cookies. If the client doesn't allow session cookies, then
    >> there's nothing much you can do to maintain a session. (And the user
    >> has cut himself off from a LARGE part of the web!)


    [please do not top post or quote signatures on usenet]

    > Thanks for your answer.
    >
    > So, but can I believe that sessions are the best option for this kind
    > of task? Better than passing a session ID in every URL


    A session is passing a session ID in every request header.

    Why do you think "the best" exists?
    That is a matter of taste, not of axioms.

    > or even global variables?


    Uh? what do you mean, global where? On the server?
    As an application variable?
    Or as a session variable? [you would need a session for the latter]
    Or on the browser?
    How would you recognize a specific user with those?

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 31, 2010
    #4
  5. Ricardo Furtado

    Bwig Zomberi Guest

    Ricardo Furtado wrote:
    > When developing web pages I usually check if the user is logged by using
    > sessions.
    > Yesterday I read something about the downsides of sessions and one of them
    > is when computers don't allow sessions.
    > What should be the best way to check if a user is logged?



    Use session variables to maintain login details. Use response.cookies to
    maintain other details such as user preferences, shopping cart details...

    --
    Bwig Zomberi
     
    Bwig Zomberi, Sep 2, 2010
    #5
  6. Ok, thank you all for your answers.
    I'll do that, Bwig Zomberi. Great tip

    "Bwig Zomberi" wrote:

    > Ricardo Furtado wrote:
    > > When developing web pages I usually check if the user is logged by using
    > > sessions.
    > > Yesterday I read something about the downsides of sessions and one of them
    > > is when computers don't allow sessions.
    > > What should be the best way to check if a user is logged?

    >
    >
    > Use session variables to maintain login details. Use response.cookies to
    > maintain other details such as user preferences, shopping cart details...
    >
    > --
    > Bwig Zomberi
    > .
    >
     
    Ricardo Furtado, Sep 2, 2010
    #6
  7. Ricardo Furtado

    Evertjan. Guest

    Bwig Zomberi wrote on 02 sep 2010 in
    microsoft.public.inetserver.asp.general:

    > Ricardo Furtado wrote:
    >> When developing web pages I usually check if the user is logged by
    >> using sessions.
    >> Yesterday I read something about the downsides of sessions and one
    >> of them is when computers don't allow sessions.
    >> What should be the best way to check if a user is logged?

    >
    >
    > Use session variables to maintain login details. Use response.cookies
    > to maintain other details such as user preferences, shopping cart
    > details...


    Why?

    It seems ridiculous if [as you should] you want to keep those details only
    for the session.

    Shopping cart details are part of the session and can better be kept on the
    server to prevent malicious use.

    Preferences could be kept in persistent cookies between sessions, if you
    want to save them for future use, however since you would keep login
    details on a serverside database, they are better kept in that database, to
    prevent another user on the same browser to be presented with another's
    preferences, and the same user on another browser or pc without his [or
    her] preferences.

    So all in all, no, don't use cookies in a shopping cart environment, but
    for the asp automatic session.id cookie.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Sep 2, 2010
    #7
  8. Ricardo Furtado

    Bwig Zomberi Guest

    Evertjan. wrote:
    > Bwig Zomberi wrote on 02 sep 2010 in
    > microsoft.public.inetserver.asp.general:
    >
    >> Ricardo Furtado wrote:
    >>> When developing web pages I usually check if the user is logged by
    >>> using sessions.
    >>> Yesterday I read something about the downsides of sessions and one
    >>> of them is when computers don't allow sessions.
    >>> What should be the best way to check if a user is logged?

    >>
    >>
    >> Use session variables to maintain login details. Use response.cookies
    >> to maintain other details such as user preferences, shopping cart
    >> details...

    >
    > Why?
    >
    > It seems ridiculous if [as you should] you want to keep those details only
    > for the session.
    >
    > Shopping cart details are part of the session and can better be kept on the
    > server to prevent malicious use.
    >
    > Preferences could be kept in persistent cookies between sessions, if you
    > want to save them for future use, however since you would keep login
    > details on a serverside database, they are better kept in that database, to
    > prevent another user on the same browser to be presented with another's
    > preferences, and the same user on another browser or pc without his [or
    > her] preferences.
    >
    > So all in all, no, don't use cookies in a shopping cart environment, but
    > for the asp automatic session.id cookie.
    >


    Cookies can be made to expire. Details stored in the cookie should be
    mapped to the user id and should be used only if the user is logged in.

    You can of course store shopping cart and other details on the server
    but that is a lot of work.;-) It is easier to maintain an activity log
    in ASP.NET.

    Session variables are a limited resource. Most websites are on shared
    servers. So, it is best to limit the use of session variables.




    --
    Bwig Zomberi
     
    Bwig Zomberi, Sep 6, 2010
    #8
  9. Ricardo Furtado

    Evertjan. Guest

    Bwig Zomberi wrote on 06 sep 2010 in
    microsoft.public.inetserver.asp.general:

    >> So all in all, no, don't use cookies in a shopping cart environment,
    >> but for the asp automatic session.id cookie.
    >>

    >
    > Cookies can be made to expire. Details stored in the cookie should be
    > mapped to the user id and should be used only if the user is logged
    > in.


    Wait!

    Do not discuss session cookies and expiring cookies in the same way.

    While the latter often are disallowed by users, the session cookies,
    that only live till the browser has stopped or the domain is no longer
    accessed are most often allowed, making the ASP session.id cookie
    possible and so the ASP session.

    > You can of course store shopping cart and other details on the server
    > but that is a lot of work.;-)


    You can see that as a joke, but it is not. The only safe programming is
    serverside programming, and a shopping cart should not be influenced by
    interfering code on the browser, like the firefox and chrome extensions.

    > It is easier to maintain an activity log
    > in ASP.NET.


    Off topic, this is a classic ASP NG.

    > Session variables are a limited resource. Most websites are on shared
    > servers. So, it is best to limit the use of session variables.


    No it is not,
    because of the simple truth that "is best" does not exist in
    programming.

    Having a shopping cart without enough resources asks for more resources
    in a professional surrounding, not for unsafe escape practices.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Sep 6, 2010
    #9
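
Added example, not part of any post in this thread and written as a Python model rather than classic ASP: the two designs debated above, a cart held in server-side session state behind an opaque session ID versus a cart read back from a cookie. The catalogue, the function names and the `item:qty:price` cookie format are assumptions made for the illustration.

```python
import secrets

PRICES = {"book": 20, "pen": 2}   # constructed catalogue; prices exist only server-side
SESSIONS = {}                     # session ID -> state held on the server

def new_session():
    """Create server-side state; only the opaque ID goes to the browser as a session cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "cart": {}}
    return sid

def login(sid, user):
    SESSIONS[sid]["user"] = user

def is_logged_in(sid):
    """The login check: an unknown or missing ID is simply not logged in."""
    state = SESSIONS.get(sid)
    return state is not None and state["user"] is not None

def add_to_cart(sid, item, qty):
    if item not in PRICES or qty <= 0:
        raise ValueError("unknown item or bad quantity")
    cart = SESSIONS[sid]["cart"]
    cart[item] = cart.get(item, 0) + qty

def total_from_session(sid):
    """Hardened form: quantities and prices both come from server state."""
    return sum(PRICES[i] * q for i, q in SESSIONS[sid]["cart"].items())

def total_from_cookie(cookie):
    """Weak form: cart kept in a cookie as 'item:qty:price,...' and trusted as sent."""
    total = 0
    for part in cookie.split(","):
        _item, qty, price = part.split(":")
        total += int(qty) * int(price)
    return total

def demo():
    sid = new_session()
    login(sid, "ricardo")
    add_to_cart(sid, "book", 1)
    add_to_cart(sid, "pen", 3)
    honest = "book:1:20,pen:3:2"     # constructed: what the server wrote to the cookie
    edited = "book:1:0,pen:3:0"      # constructed: same cookie after a change in the browser
    return (total_from_session(sid), total_from_cookie(honest),
            total_from_cookie(edited), is_logged_in("not-a-real-id"))

if __name__ == "__main__":
    print(demo())
```

The server-side total stays the same whatever the browser sends, because the only client-supplied value is the session ID used as a lookup key.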