Sessions & Cookies

Discussion in 'ASP General' started by Ik Ben Het, Jun 4, 2005.

  1. Ik Ben Het

    Ik Ben Het Guest


    I posted a similar question in the "IIS Security" group but I think it
    is more useful to post it here.

    I want to do something very simple. Make a part of my website available
    only for users with a username and password. The site is mainly ASP
    based. The webserver is an IIS6 and I do NOT have access to server
    settings (session timeout, security,...).

    I use sessions to set the validation for the users. Basically you are
    redirected to a form where you can give a username and password, this is
    validated with the values in a database. If the password and username
    are ok a session value is set <%Session("Validated")=True%>.

    At the beginning of each secured page I start with:
    <%If Session("Validated")=False Then Response.Redirect("Login.asp") End If%>

    So if the session value "validated" is true you can see the secured
    pages, else you are redirected to the logon page.

    The default timeout value for session is 20 minutes. Because the session
    should stay alive during the complete time of the visit I was thinking
    of putting the session.timeout to 60 minutes. I set this at the beginning
    of every secure page: <%Session.timeout=60%>

    Now, users keep on contacting me saying that they have to relogon quite
    often. This also seems to happen when a user has not been on the website for
    20 minutes yet (session expired). I tested it myself and have the
    feeling that I am indeed regularly redirected. Sometimes after 10
    minutes, other times 30 minutes, ... There seems not to be any logic in
    the time that users are redirected to the logon page.

    Because the website is used to fill in a lot of long HTML forms, it is
    very frustrating for the users when they are completing a form and then
    pressing "Submit" being redirected to the logon page and lose all
    entered data.

    Is there somebody who can give me more info on the strange session
    behavior? For me it is not normal that a session times out in that
    illogical way.

    The only solution I can think of is passing the post information to the
    logon page and then redirect after validation back to the transaction

    How can you reset the timeout counter on a session in ASP? What I was
    thinking was that I am doing it maybe wrong?

    Now the session variable that lets a user have access to the site is set
    once at logon time: (<%Session("Validated")=True%>). Then it is
    checked on every page that the user opens (<%If
    Session("Validated")=False Then Response.Redirect("Login.asp") End If%>)

    Would it be a good idea to re-set the variable every time a user
    accesses a page? Like <%If Session("Validated")=False Then
    Response.Redirect("Login.asp") Else Session("Validated")=True End If%>
    Would this reset the timer that times out the session? Or do I have to
    add something like <%Session.Abandon%> before setting the variable

    What would this do on the server performance?
    Is this a good way of working with sessions?

    Switch to cookies instead of sessions?

    I am open for all suggestions, please help! In the future there are also
    money transactions going over this website, so it has to be a secure
    method! I will use a separate HTTPS host for this.

    Thanks for your help!

    Ik Ben Het, Jun 4, 2005
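
The login gate described in the post above, written once as an include file together with the "redirect back after validation" step, as an added example that is not code from the thread. The file name `RequireLogin.asp`, the `returnTo` parameter, the `SafeReturnPath` helper, the `credentialsOk` variable and the `Default.asp` landing page are hypothetical names chosen for illustration.

```vbscript
<%
' ---- RequireLogin.asp (hypothetical include, added example) ----
' Put <!--#include file="RequireLogin.asp"--> at the top of each secured page.

' Idle timeout in minutes. Each request that carries the session cookie
' restarts the idle timer, so the flag does not have to be written again.
Session.Timeout = 60

' A session that never logged in returns Empty for this key, so accept
' only a real Boolean True instead of comparing against False.
Dim isValidated
isValidated = False
If VarType(Session("Validated")) = vbBoolean Then
    isValidated = Session("Validated")
End If

If Not isValidated Then
    ' Pass only the local path and query string to the login page.
    Dim returnTo, qs
    returnTo = Request.ServerVariables("URL")
    qs = Request.ServerVariables("QUERY_STRING")
    If Len(qs) > 0 Then returnTo = returnTo & "?" & qs
    Response.Redirect "Login.asp?returnTo=" & Server.URLEncode(returnTo)
End If
%>

<%
' ---- Login.asp, after the database check (hypothetical fragment) ----
' Accept only a site-local path so the login page cannot be turned into
' a redirect to another host.
Function SafeReturnPath(candidate)
    SafeReturnPath = "Default.asp"   ' hypothetical landing page
    If Left(candidate, 1) = "/" And Left(candidate, 2) <> "//" _
       And InStr(candidate, "\") = 0 And InStr(candidate, vbCr) = 0 _
       And InStr(candidate, vbLf) = 0 Then
        SafeReturnPath = candidate
    End If
End Function

' credentialsOk is a hypothetical Boolean produced by the username and
' password lookup described in the post.
If credentialsOk Then
    Session("Validated") = True
    Response.Redirect SafeReturnPath("" & Request.QueryString("returnTo"))
End If
%>
```
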

  2. Ik Ben Het

    IkBenHet Guest

    Hello Dave,

    Thank you very much. Indeed a lot of answers to my questions!
    IkBenHet, Jun 5, 2005