Session objects and POSTed Form items

Discussion in 'ASP General' started by Brian Burgess, Aug 30, 2003.

  1. Hi all,

    Anyone know of any issues with setting the value of a Session object
    to the value of a submitted form item via
    'Session("mySessionObj")=Request.Form("myFrmElem")' ?

    In my case the Session object gets set fine. But when the user links
    to another page, the value of the session object is EMPTY.

    thanks in advance..

    -BB
     
    Brian Burgess, Aug 30, 2003
    #1
    1. Advertising

  2. Brian Burgess

    Evertjan. Guest

    Brian Burgess wrote on 30 aug 2003 in
    microsoft.public.inetserver.asp.general:
    > Anyone know of any issues with setting the value of a Session object
    > to the value of a submitted form item via
    > 'Session("mySessionObj")=Request.Form("myFrmElem")' ?


    This is not "the session object", it is just a variable stored on the
    server for use by all asp pages during that session.

    "The session object" is the collection of all these variables.

    > In my case the Session object gets set fine.


    See above.

    > But when the user links to another page,
    > the value of the session object is EMPTY.


    If that page is not in the same session, yes, otherwise it is available.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 30, 2003
    #2
    1. Advertising

  3. Well I tried two ways...
    1st:
    If (Session("login") = Empty) Then
    Session("login") = Request.Form("login")
    End If

    2nd:
    If (Session("login") = "") Then
    Session("login") = Request.Form("login")
    End If


    I should also mention that the user could be transfered to this page
    from some other pages .. in this case we would not have the
    'Request.Form("login")' available to us. HOWEVER, in this case we
    should have already been through the login process, and therefore the
    Session collection item(login) should already be set.

    Got it? :)


    Thnks again,

    -BB


    On 30 Aug 2003 12:56:19 GMT, "Evertjan."
    <> wrote:

    >Brian Burgess wrote on 30 aug 2003 in
    >microsoft.public.inetserver.asp.general:
    >
    >> It IS in the same session! .. the user is linking .. in fact this all
    >> WAS working .. until I changed the code to only set the value of a
    >> Session collection item IF that item did not already have a value.

    >
    >I think we would need to see that piece of code.
     
    Brian Burgess, Aug 30, 2003
    #3
  4. looks like a logical flaw

    on your login page, it would be better to use this

    If Request.Form("login") <> "" then
    Session("login") = true
    End if

    if the user comes from another page having already logged in, to check

    if session("login") <> true then

    else

    end if

    jason

    "Brian Burgess" <> wrote in message
    news:...
    > Well I tried two ways...
    > 1st:
    > If (Session("login") = Empty) Then
    > Session("login") = Request.Form("login")
    > End If
    >
    > 2nd:
    > If (Session("login") = "") Then
    > Session("login") = Request.Form("login")
    > End If
    >
    >
    > I should also mention that the user could be transfered to this page
    > from some other pages .. in this case we would not have the
    > 'Request.Form("login")' available to us. HOWEVER, in this case we
    > should have already been through the login process, and therefore the
    > Session collection item(login) should already be set.
    >
    > Got it? :)
    >
    >
    > Thnks again,
    >
    > -BB
    >
    >
    > On 30 Aug 2003 12:56:19 GMT, "Evertjan."
    > <> wrote:
    >
    > >Brian Burgess wrote on 30 aug 2003 in
    > >microsoft.public.inetserver.asp.general:
    > >
    > >> It IS in the same session! .. the user is linking .. in fact this all
    > >> WAS working .. until I changed the code to only set the value of a
    > >> Session collection item IF that item did not already have a value.

    > >
    > >I think we would need to see that piece of code.

    >
     
    jason kennedy, Aug 30, 2003
    #4
  5. Cool!

    That might work better to check if the user had logged in. But I
    also need the actual lgoin value in some of the pages. Do you think
    that the following would work then?
    If Request.Form("login") <> "" Then
    Session("login") = Request.Form("login")
    End if

    Thanks

    -BB


    On Sat, 30 Aug 2003 14:31:35 +0100, "jason kennedy" <>
    wrote:

    >looks like a logical flaw
    >
    >on your login page, it would be better to use this
    >
    >If Request.Form("login") <> "" then
    >Session("login") = true
    >End if
    >
    >if the user comes from another page having already logged in, to check
    >
    >if session("login") <> true then
    >
    >else
    >
    >end if
    >
    >jason
    >
    >"Brian Burgess" <> wrote in message
    >news:...
    >> Well I tried two ways...
    >> 1st:
    >> If (Session("login") = Empty) Then
    >> Session("login") = Request.Form("login")
    >> End If
    >>
    >> 2nd:
    >> If (Session("login") = "") Then
    >> Session("login") = Request.Form("login")
    >> End If
    >>
    >>
    >> I should also mention that the user could be transfered to this page
    >> from some other pages .. in this case we would not have the
    >> 'Request.Form("login")' available to us. HOWEVER, in this case we
    >> should have already been through the login process, and therefore the
    >> Session collection item(login) should already be set.
    >>
    >> Got it? :)
    >>
    >>
    >> Thnks again,
    >>
    >> -BB
    >>
    >>
    >> On 30 Aug 2003 12:56:19 GMT, "Evertjan."
    >> <> wrote:
    >>
    >> >Brian Burgess wrote on 30 aug 2003 in
    >> >microsoft.public.inetserver.asp.general:
    >> >
    >> >> It IS in the same session! .. the user is linking .. in fact this all
    >> >> WAS working .. until I changed the code to only set the value of a
    >> >> Session collection item IF that item did not already have a value.
    >> >
    >> >I think we would need to see that piece of code.

    >>

    >
     
    Brian Burgess, Aug 30, 2003
    #5
  6. what is that advocacy doc about? and what exactly is underquoting?
    i've been posting in newsgroups via OE for a couple of years, and have never
    seen a thread advocating quoting below a post rather than above

    jason

    "Evertjan." <> wrote in message
    news:Xns93E7A5F203126eejj99@194.109.133.29...
    > jason kennedy wrote on 30 aug 2003 in
    > microsoft.public.inetserver.asp.general:
    > >> On 30 Aug 2003 12:56:19 GMT, "Evertjan."
    > >> <> wrote:
    > >> >Brian Burgess wrote on 30 aug 2003 in
    > >> >microsoft.public.inetserver.asp.general:
    > >> >
    > >> >> It IS in the same session! .. the user is linking .. in fact this
    > >> >> all WAS working .. until I changed the code to only set the value
    > >> >> of a Session collection item IF that item did not already have a
    > >> >> value.
    > >> >
    > >> >I think we would need to see that piece of code.
    > >>

    > > "Brian Burgess" <> wrote in message
    > >> Well I tried two ways...
    > >> 1st:
    > >> If (Session("login") = Empty) Then
    > >> Session("login") = Request.Form("login")
    > >> End If
    > >>
    > >> 2nd:
    > >> If (Session("login") = "") Then
    > >> Session("login") = Request.Form("login")
    > >> End If
    > >>
    > >>
    > >> I should also mention that the user could be transfered to this page
    > >> from some other pages .. in this case we would not have the
    > >> 'Request.Form("login")' available to us. HOWEVER, in this case we
    > >> should have already been through the login process, and therefore the
    > >> Session collection item(login) should already be set.

    > > looks like a logical flaw
    > > on your login page, it would be better to use this
    > >
    > > If Request.Form("login") <> "" then
    > > Session("login") = true
    > > End if
    > >
    > > if the user comes from another page having already logged in, to check
    > >
    > > if session("login") <> true then
    > >
    > > else
    > >
    > > end if

    >
    > [first I would like to stress, please do not underquote
    > <http://www.xs4all.nl/%7ewijnands/nnq/nquote.html>]
    >
    > Brian is right, but do not accept the login confirmation from clientside,
    > that can be attacked.
    >
    > "If true = true then" is superfluous, so this is enough:
    >
    >
    > <%
    > If Session("loggedin") Then
    > Response.redirect "mainpage.asp"
    > End If
    >
    > If Lcase(Request.Form("loginname")) = "john" AND _
    > Request.Form("loginpassword") = "QWERty" then
    > Session("loggedin") = true
    > Response.redirect "mainpage.asp"
    > End If
    > Response.redirect "loginpage.asp"
    > %>
    >
    > ==========================
    >
    > And on mainpage.asp and all other pages:
    >
    > <%
    > If NOT Session("loggedin") Then
    > Response.redirect "loginpage.asp"
    > End If
    > %>
    >
    > If you have far more than one name/password combination,
    > a database becomes usefull.
    >
    > --
    > Evertjan.
    > The Netherlands.
    > (Please change the x'es to dots in my emailaddress)
     
    jason kennedy, Aug 30, 2003
    #6
  7. Ok I just tried the following:
    If Request.Form("login") <> "" then
    Session("login") = Request.Form("login")
    End if

    The Session item gets set correctly as before, but is still reset to
    'Empty' once the user clicks the link to another page... any ideas?

    Thanks

    -bB


    On Sat, 30 Aug 2003 17:15:15 +0100, "jason kennedy" <>
    wrote:

    >what is that advocacy doc about? and what exactly is underquoting?
    >i've been posting in newsgroups via OE for a couple of years, and have never
    >seen a thread advocating quoting below a post rather than above
    >
    >jason
    >
    >"Evertjan." <> wrote in message
    >news:Xns93E7A5F203126eejj99@194.109.133.29...
    >> jason kennedy wrote on 30 aug 2003 in
    >> microsoft.public.inetserver.asp.general:
    >> >> On 30 Aug 2003 12:56:19 GMT, "Evertjan."
    >> >> <> wrote:
    >> >> >Brian Burgess wrote on 30 aug 2003 in
    >> >> >microsoft.public.inetserver.asp.general:
    >> >> >
    >> >> >> It IS in the same session! .. the user is linking .. in fact this
    >> >> >> all WAS working .. until I changed the code to only set the value
    >> >> >> of a Session collection item IF that item did not already have a
    >> >> >> value.
    >> >> >
    >> >> >I think we would need to see that piece of code.
    >> >>
    >> > "Brian Burgess" <> wrote in message
    >> >> Well I tried two ways...
    >> >> 1st:
    >> >> If (Session("login") = Empty) Then
    >> >> Session("login") = Request.Form("login")
    >> >> End If
    >> >>
    >> >> 2nd:
    >> >> If (Session("login") = "") Then
    >> >> Session("login") = Request.Form("login")
    >> >> End If
    >> >>
    >> >>
    >> >> I should also mention that the user could be transfered to this page
    >> >> from some other pages .. in this case we would not have the
    >> >> 'Request.Form("login")' available to us. HOWEVER, in this case we
    >> >> should have already been through the login process, and therefore the
    >> >> Session collection item(login) should already be set.
    >> > looks like a logical flaw
    >> > on your login page, it would be better to use this
    >> >
    >> > If Request.Form("login") <> "" then
    >> > Session("login") = true
    >> > End if
    >> >
    >> > if the user comes from another page having already logged in, to check
    >> >
    >> > if session("login") <> true then
    >> >
    >> > else
    >> >
    >> > end if

    >>
    >> [first I would like to stress, please do not underquote
    >> <http://www.xs4all.nl/%7ewijnands/nnq/nquote.html>]
    >>
    >> Brian is right, but do not accept the login confirmation from clientside,
    >> that can be attacked.
    >>
    >> "If true = true then" is superfluous, so this is enough:
    >>
    >>
    >> <%
    >> If Session("loggedin") Then
    >> Response.redirect "mainpage.asp"
    >> End If
    >>
    >> If Lcase(Request.Form("loginname")) = "john" AND _
    >> Request.Form("loginpassword") = "QWERty" then
    >> Session("loggedin") = true
    >> Response.redirect "mainpage.asp"
    >> End If
    >> Response.redirect "loginpage.asp"
    >> %>
    >>
    >> ==========================
    >>
    >> And on mainpage.asp and all other pages:
    >>
    >> <%
    >> If NOT Session("loggedin") Then
    >> Response.redirect "loginpage.asp"
    >> End If
    >> %>
    >>
    >> If you have far more than one name/password combination,
    >> a database becomes usefull.
    >>
    >> --
    >> Evertjan.
    >> The Netherlands.
    >> (Please change the x'es to dots in my emailaddress)

    >
     
    Brian Burgess, Aug 30, 2003
    #7
  8. Brian Burgess

    Evertjan. Guest

    jason kennedy wrote on 30 aug 2003 in
    microsoft.public.inetserver.asp.general:
    > and what exactly is underquoting?
    > i've been posting in newsgroups via OE for a couple of years, and have
    > never seen a thread advocating quoting below a post rather than above


    But that is what you were doing. You were quoting under your post. This
    answer is topquoting.

    It does not matter what programme ["OE"] you use, it is against netiquette
    on usenet NG.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 30, 2003
    #8
  9. How about the original question .. Any one have ideas?

    thanks

    -BB

    On 30 Aug 2003 17:52:53 GMT, "Evertjan."
    <> wrote:

    >jason kennedy wrote on 30 aug 2003 in
    >microsoft.public.inetserver.asp.general:
    >> and what exactly is underquoting?
    >> i've been posting in newsgroups via OE for a couple of years, and have
    >> never seen a thread advocating quoting below a post rather than above

    >
    >But that is what you were doing. You were quoting under your post. This
    >answer is topquoting.
    >
    >It does not matter what programme ["OE"] you use, it is against netiquette
    >on usenet NG.
     
    Brian Burgess, Aug 31, 2003
    #9
  10. Session objects and POSTed Form items - SOLVED

    I figured this one out with everyones help along an article(2157) in
    ASPFAQ.com. The trouble was my initial code AND related to an MS security
    patch. A KB article(Q316112) describes it.

    My code now is more or less it is like the following, and it is working
    properly:

    <%

    Option Explicit


    If (Request.Form("loginName") <> "") Then

    Session("loginName") = Request.Form("loginName")

    End If

    Dim strLoginName

    strLoginName = Session("loginName")

    ....

    'Do your stuff here

    ....

    %>



    Thanks all,

    -BB



    "Brian Burgess" <> wrote in message
    news:...
    > Hi all,
    >
    > Anyone know of any issues with setting the value of a Session object
    > to the value of a submitted form item via
    > 'Session("mySessionObj")=Request.Form("myFrmElem")' ?
    >
    > In my case the Session object gets set fine. But when the user links
    > to another page, the value of the session object is EMPTY.
    >
    > thanks in advance..
    >
    > -BB
     
    Brian Burgess, Aug 31, 2003
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Keith Patrick
    Replies:
    1
    Views:
    360
    Joerg Jooss
    Feb 3, 2005
  2. Replies:
    0
    Views:
    557
  3. Waldy

    Posted Form Items not in Request

    Waldy, Apr 8, 2008, in forum: ASP .Net
    Replies:
    3
    Views:
    374
    Mark Fitzpatrick
    Apr 8, 2008
  4. Daniel Gormley

    Dynamically add posted form items into array

    Daniel Gormley, Dec 14, 2005, in forum: ASP General
    Replies:
    1
    Views:
    193
    Steven Burn
    Dec 14, 2005
  5. Choxio
    Replies:
    18
    Views:
    189
    Grant Wagner
    May 31, 2005
Loading...

Share This Page