Session objects and POSTed Form items

[Brian Burgess]

Hi all,

Anyone know of any issues with setting the value of a Session object
to the value of a submitted form item via
'Session("mySessionObj")=Request.Form("myFrmElem")' ?

In my case the Session object gets set fine. But when the user links
to another page, the value of the session object is EMPTY.

thanks in advance..

-BB

 

[Evertjan.]

Brian Burgess wrote on 30 aug 2003 in
microsoft.public.inetserver.asp.general:

Anyone know of any issues with setting the value of a Session object
to the value of a submitted form item via
'Session("mySessionObj")=Request.Form("myFrmElem")' ?

This is not "the session object", it is just a variable stored on the
server for use by all asp pages during that session.

"The session object" is the collection of all these variables.

In my case the Session object gets set fine.

See above.

But when the user links to another page,
the value of the session object is EMPTY.

If that page is not in the same session, yes, otherwise it is available.

 

[Brian Burgess]

Well I tried two ways...
1st:
If (Session("login") = Empty) Then
Session("login") = Request.Form("login")
End If

2nd:
If (Session("login") = "") Then
Session("login") = Request.Form("login")
End If


I should also mention that the user could be transfered to this page
from some other pages .. in this case we would not have the
'Request.Form("login")' available to us. HOWEVER, in this case we
should have already been through the login process, and therefore the
Session collection item(login) should already be set.

Got it?


Thnks again,

-BB

 

[jason kennedy]

looks like a logical flaw

on your login page, it would be better to use this

If Request.Form("login") <> "" then
Session("login") = true
End if

if the user comes from another page having already logged in, to check

if session("login") <> true then

else

end if

jason

 

[Brian Burgess]

Cool!

That might work better to check if the user had logged in. But I
also need the actual lgoin value in some of the pages. Do you think
that the following would work then?
If Request.Form("login") <> "" Then
Session("login") = Request.Form("login")
End if

Thanks

-BB

 

[jason kennedy]

what is that advocacy doc about? and what exactly is underquoting?
i've been posting in newsgroups via OE for a couple of years, and have never
seen a thread advocating quoting below a post rather than above

jason

jason kennedy wrote on 30 aug 2003 in
microsoft.public.inetserver.asp.general:

looks like a logical flaw
on your login page, it would be better to use this

If Request.Form("login") <> "" then
Session("login") = true
End if

if the user comes from another page having already logged in, to check

if session("login") <> true then

else

end if

[first I would like to stress, please do not underquote
<http://www.xs4all.nl/~wijnands/nnq/nquote.html>]

Brian is right, but do not accept the login confirmation from clientside,
that can be attacked.

"If true = true then" is superfluous, so this is enough:


<%
If Session("loggedin") Then
Response.redirect "mainpage.asp"
End If

If Lcase(Request.Form("loginname")) = "john" AND _
Request.Form("loginpassword") = "QWERty" then
Session("loggedin") = true
Response.redirect "mainpage.asp"
End If
Response.redirect "loginpage.asp"
%>

==========================

And on mainpage.asp and all other pages:

<%
If NOT Session("loggedin") Then
Response.redirect "loginpage.asp"
End If
%>

If you have far more than one name/password combination,
a database becomes usefull.

 

[Brian Burgess]

Ok I just tried the following:
If Request.Form("login") <> "" then
Session("login") = Request.Form("login")
End if

The Session item gets set correctly as before, but is still reset to
'Empty' once the user clicks the link to another page... any ideas?

Thanks

-bB

what is that advocacy doc about? and what exactly is underquoting?
i've been posting in newsgroups via OE for a couple of years, and have never
seen a thread advocating quoting below a post rather than above

jason

jason kennedy wrote on 30 aug 2003 in
microsoft.public.inetserver.asp.general:

On 30 Aug 2003 12:56:19 GMT, "Evertjan."
Brian Burgess wrote on 30 aug 2003 in
microsoft.public.inetserver.asp.general:

It IS in the same session! .. the user is linking .. in fact this
all WAS working .. until I changed the code to only set the value
of a Session collection item IF that item did not already have a
value.

I think we would need to see that piece of code.

Well I tried two ways...
1st:
If (Session("login") = Empty) Then
Session("login") = Request.Form("login")
End If

2nd:
If (Session("login") = "") Then
Session("login") = Request.Form("login")
End If


I should also mention that the user could be transfered to this page
from some other pages .. in this case we would not have the
'Request.Form("login")' available to us. HOWEVER, in this case we
should have already been through the login process, and therefore the
Session collection item(login) should already be set.
looks like a logical flaw
on your login page, it would be better to use this

If Request.Form("login") <> "" then
Session("login") = true
End if

if the user comes from another page having already logged in, to check

if session("login") <> true then

else

end if

[first I would like to stress, please do not underquote
<http://www.xs4all.nl/~wijnands/nnq/nquote.html>]

Brian is right, but do not accept the login confirmation from clientside,
that can be attacked.

"If true = true then" is superfluous, so this is enough:


<%
If Session("loggedin") Then
Response.redirect "mainpage.asp"
End If

If Lcase(Request.Form("loginname")) = "john" AND _
Request.Form("loginpassword") = "QWERty" then
Session("loggedin") = true
Response.redirect "mainpage.asp"
End If
Response.redirect "loginpage.asp"
%>

==========================

And on mainpage.asp and all other pages:

<%
If NOT Session("loggedin") Then
Response.redirect "loginpage.asp"
End If
%>

If you have far more than one name/password combination,
a database becomes usefull.

 

[Evertjan.]

jason kennedy wrote on 30 aug 2003 in
microsoft.public.inetserver.asp.general:

and what exactly is underquoting?
i've been posting in newsgroups via OE for a couple of years, and have
never seen a thread advocating quoting below a post rather than above

But that is what you were doing. You were quoting under your post. This
answer is topquoting.

It does not matter what programme ["OE"] you use, it is against netiquette
on usenet NG.

 

[Brian Burgess]

How about the original question .. Any one have ideas?

thanks

-BB

jason kennedy wrote on 30 aug 2003 in
microsoft.public.inetserver.asp.general:

and what exactly is underquoting?
i've been posting in newsgroups via OE for a couple of years, and have
never seen a thread advocating quoting below a post rather than above

But that is what you were doing. You were quoting under your post. This
answer is topquoting.

It does not matter what programme ["OE"] you use, it is against netiquette
on usenet NG.

 

[Brian Burgess]

I figured this one out with everyones help along an article(2157) in
ASPFAQ.com. The trouble was my initial code AND related to an MS security
patch. A KB article(Q316112) describes it.

My code now is more or less it is like the following, and it is working
properly:

<%

Option Explicit


If (Request.Form("loginName") <> "") Then

Session("loginName") = Request.Form("loginName")

End If

Dim strLoginName

strLoginName = Session("loginName")

....

'Do your stuff here

....

%>



Thanks all,

-BB