Session alternatives and hacks?

Discussion in 'ASP General' started by John, Mar 4, 2005.

  1. John

    John Guest

    Ok, so Session is less than desirable, at least that's what I'm always
    reading. So what are real, practical alternatives? Querystrings? an
    endless chain of hidden form fields??

    Here are the things I'm looking for specifically....

    1). I need to identify users uniquely as clients in some kind of
    maintainable state.

    2). I need to track anonymous user page views, etc. I'm guessing
    Application level but don't know how to track users individually doing this.
    Page views maybe, but not the succession in which they're viewed

    Is there a way to do this without Session that isn't a pain in the a#*? Or
    is Session just not that bad? I've used it a lot with users that manage
    their "own" content but now I need to manage "all" users.

    Oh, and how "safe" is Session? I need to know how hackers get into sites
    that use the plain old "If userID <> Session("userID").....". Is there a
    way that hackers can create their own session and get by this?

    Thanks!
     
    John, Mar 4, 2005
    #1

  2. John

    Jeff Cochran Guest

    On Fri, 04 Mar 2005 13:11:06 GMT, "John"
    <> wrote:

    >Ok, so Session is less than desirable, at least that's what I'm always
    >reading. So what are real, practical alternatives? Querystrings? an
    >endless chain of hidden form fields??


    Why are sessions less than desirable?

    >Here are the things I'm looking for specifically....
    >
    >1). I need to identify users uniquely as clients in some kind of
    >maintainable state.
    >
    >2). I need to track anonymous user page views, etc. I'm guessing
    >Application level but don't know how to track users individually doing this.
    >Page views maybe, but not the succession in which they're viewed
    >
    >Is there a way to do this without Session that isn't a pain in the a#*? Or
    >is Session just not that bad? I've used it a lot with users that manage
    >their "own" content but now I need to manage "all" users.
    >
    >Oh, and how "safe" is Session? I need to know how hackers get into sites
    >that use the plain old "If userID <> Session("userID").....". Is there a
    >way that hackers can create their own session and get by this?


    Okay, that's not sessions. That's security. If your issue is
    maintaining security state through sessions you have a different set
    of questions. Though you may find that hackers get into sites without
    having to spoof a session a lot easier.

    Jeff
     
    Jeff Cochran, Mar 4, 2005
    #2

  3. "John" <> wrote in message
    news:K7ZVd.62127$...
    > Ok, so Session is less than desirable, at least that's what I'm always
    > reading. So what are real, practical alternatives? Querystrings? an
    > endless chain of hidden form fields??


    Sessions are not undesirable. It's only that the scalability gets limited if
    you store the session in RAM.
    If you use 'hidden form fields' you'll have something like ASP.NET which
    uses a ViewState mechanism. If you start talking about that, there are
    people that swear against :)

    --
    compatible web farm Session replacement for Asp and Asp.Net
    http://www.nieropwebconsult.nl/asp_session_manager.htm


     
    Egbert Nierop (MVP for IIS), Mar 5, 2005
    #3
  4. John

    Tony Proctor Guest

    RAM-based ASP Session state is not good in circumstances such as "recycling"
    in IIS 6, and web farms. These newsgroups are full of posts such as
    "...help!...all my session variables have disappeared" due to people being
    suckered into the simplicity of ASP Sessions.

    Tony Proctor

    "Egbert Nierop (MVP for IIS)" <> wrote in
    message news:#...
    > Sessions are not undesirable. It's only that the scalability gets limited if
    > you store the session in RAM.
    > If you use 'hidden form fields' you'll have something like ASP.NET which
    > uses a ViewState mechanism. If you start talking about that, there are
    > people that swear against :)
     
    Tony Proctor, Mar 6, 2005
    #4
  5. John

    John Guest

    Ok, this is stuff I need to learn. Suggestions where I can learn more
    thoroughly about Session? And not just a Microsoft documentation please.
    Those are great for reference but they are NOT good teaching materials. I'm
    not a "beginner" either so I don't need my hand held. Is there anything in
    the middle?

    Thanks


    "Tony Proctor" <tony_proctor@aimtechnology_NoMoreSPAM_.com> wrote in message
    news:...
    > RAM-based ASP Session state is not good in circumstances such as "recycling"
    > in IIS 6, and web farms. These newsgroups are full of posts such as
    > "...help!...all my session variables have disappeared" due to people being
    > suckered into the simplicity of ASP Sessions.
    >
    > Tony Proctor
     
    John, Mar 8, 2005
    #5
  6. Why do you post this? Did I -say- that sessions in RAM are OK?

    I do have a product that solves this problem very elegantly. But every
    solution has its drawbacks. So is a session in a DB demanding a lot of
    resources for the DB.

    --
    compatible web farm Session replacement for Asp and Asp.Net
    http://www.nieropwebconsult.nl/asp_session_manager.htm

    "Tony Proctor" <tony_proctor@aimtechnology_NoMoreSPAM_.com> wrote in message
    news:...
    > RAM-based ASP Session state is not good in circumstances such as
    > "recycling"
    > in IIS 6, and web farms. These newsgroups are full of posts such as
    > "...help!...all my session variables have disappeared" due to people being
    > suckered into the simplicity of ASP Sessions.
    >
    > Tony Proctor
     
    Egbert Nierop (MVP for IIS), Mar 11, 2005
    #6
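
Added example, not code from any poster in this thread: a Python illustration (chosen so it runs offline; the thread's own platform is classic ASP) of the trade-off discussed above, where per-process RAM session state vanishes on a worker recycle or on another farm node while a database-backed store keeps it, and where the server only honours session IDs it issued itself. `DbSessionStore`, `may_edit`, the table layout, the 20-minute lifetime and the sample IDs are all assumptions made for the example.

```python
import os, secrets, sqlite3, tempfile, time

class DbSessionStore:
    """Session state kept in a database file instead of worker-process RAM."""

    def __init__(self, path, ttl=1200):          # 20 minutes, a constructed default
        self.db = sqlite3.connect(path)
        self.ttl = ttl
        self.db.execute("CREATE TABLE IF NOT EXISTS sessions ("
                        "sid TEXT PRIMARY KEY, user_id TEXT, expires REAL)")

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)          # server-generated, unguessable
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                        (sid, user_id, now + self.ttl))
        self.db.commit()
        return sid

    def user_for(self, sid, now=None):
        """Return the user bound to sid, or None if unknown or expired."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT user_id, expires FROM sessions WHERE sid = ?", (sid,)).fetchone()
        if row is None or row[1] <= now:
            return None
        return row[0]

def may_edit(store, sid, owner_id):
    """Server-side ownership check, the same idea as comparing with Session("userID")."""
    user = store.user_for(sid)
    return user is not None and user == owner_id

def demo():
    path = os.path.join(tempfile.mkdtemp(), "sessions.db")
    ram_sessions = {}                            # per-process state, like RAM sessions
    node_a = DbSessionStore(path)
    sid = node_a.create("user-42")               # constructed sample user id
    ram_sessions[sid] = "user-42"
    ram_sessions = {}                            # worker recycled: RAM state is gone
    node_b = DbSessionStore(path)                # new worker, or another farm node
    return {
        "ram_after_recycle": ram_sessions.get(sid),
        "db_after_recycle": node_b.user_for(sid),
        "made_up_sid": node_b.user_for("client-invented-id"),
        "owner_check": may_edit(node_b, sid, "user-42"),
        "other_user_check": may_edit(node_b, sid, "user-7"),
        "expired": node_b.user_for(sid, now=time.time() + 5000),
    }
```

Every request costs a database read here, which is the resource trade-off mentioned in post #6.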
  7. John

    Tony Proctor Guest

    My apologies Egbert. I obviously misread your post and replied too soon.

    Tony Proctor

    "Egbert Nierop (MVP for IIS)" <> wrote in
    message news:...
    > Why do you post this? Did I -say- that sessions in RAM are OK?
    >
    > I do have a product that solves this problem very elegantly. But every
    > solution has its drawbacks. So is a session in a DB demanding a lot of
    > resources for the DB.
    >
    > --
    > compatible web farm Session replacement for Asp and Asp.Net
    > http://www.nieropwebconsult.nl/asp_session_manager.htm
     
    Tony Proctor, Mar 15, 2005
    #7
