Session alternatives and hacks?

[John]

Ok, so Session is less than desirable, at least that's what I'm always
reading. So what are real, practical alternatives? Querystrings? an
endless chain of hidden form fields??

Here are the things I'm looking for specifically....

1). I need to identify users uniquely as clients in some kind of
maintainable state.

2). I need to track anonymous user page views, etc. I'm guessing
Application level but don't know how to track users individually doing this.
Page views maybe, but not the succession in which they're viewed

Is there a way to do this without Session that isn't a pain in the a#*? Or
is Session just not that bad? I've used it a lot with users that manage
their "own" content but now I need to manage "all" users.

Oh, and how "safe" is Session? I need to know how hackers get into sites
that use the plain old "If userID <> Session("userID").....". Is there a
way that hackers can create their own session and get by this?

Thanks!

 

[Jeff Cochran]

Ok, so Session is less than desirable, at least that's what I'm always
reading. So what are real, practical alternatives? Querystrings? an
endless chain of hidden form fields??

Why are sessions less than desirable?

Here are the things I'm looking for specifically....

1). I need to identify users uniquely as clients in some kind of
maintainable state.

2). I need to track anonymous user page views, etc. I'm guessing
Application level but don't know how to track users individually doing this.
Page views maybe, but not the succession in which they're viewed

Is there a way to do this without Session that isn't a pain in the a#*? Or
is Session just not that bad? I've used it a lot with users that manage
their "own" content but now I need to manage "all" users.

Oh, and how "safe" is Session? I need to know how hackers get into sites
that use the plain old "If userID <> Session("userID").....". Is there a
way that hackers can create their own session and get by this?

Okay, that's not sessions. That's security. If your issue is
maintaining security state through sessions you have a different set
of questions. Though you may find that hackers get into sites without
having to spoof a session a lot easier.

Jeff

 

[Egbert Nierop \(MVP for IIS\)]

Ok, so Session is less than desirable, at least that's what I'm always
reading. So what are real, practical alternatives? Querystrings? an
endless chain of hidden form fields??

Sessions are not undesirable. It's only that the scalability gets limited if
you store the session in RAM.
If you use 'hidden form fields' you'll have something like ASP.NET which
uses a ViewState mechanism. If you start talking about that, there are
people that swear against

 

[Tony Proctor]

RAM-based ASP Session state is not good in circumstances such as "recycling"
in IIS 6, and web farms. These newsgroups are full of posts such as
"...help!...all my session variables have disappeared" due to people being
suckered into the simplicity of ASP Sessions.

Tony Proctor

 

[John]

ok, this is stuff I need to learn. Suggestions where I can learn more
thoroughly about Session? And not just a MIcrosoft documentation please.
Those are great for reference but they are NOT good teaching materials. I'm
not a"beginner" either so I don't need my hand held. Is there anything in
the middle?

Thanks

 

[Egbert Nierop \(MVP for IIS\)]

Why do you post this? Did I -say- that sessions in RAM are OK?

I do have a product that solves this problem very elegantly. But every
solution has it's drawbacks. So is a session in a DB demanding a lot of
resources for the DB.

 

[Tony Proctor]

My apologies Egbert. I obviously misread your post and replied too soon

Tony Proctor