Session alternatives and hacks?

 
 
John
 
      03-04-2005
Ok, so Session is less than desirable, at least that's what I'm always
reading. So what are real, practical alternatives? Querystrings? an
endless chain of hidden form fields??

Here are the things I'm looking for specifically....

1). I need to identify users uniquely as clients in some kind of
maintainable state.

2). I need to track anonymous user page views, etc. I'm guessing
Application level but don't know how to track users individually doing this.
Page views maybe, but not the succession in which they're viewed

Is there a way to do this without Session that isn't a pain in the a#*? Or
is Session just not that bad? I've used it a lot with users that manage
their "own" content but now I need to manage "all" users.

Oh, and how "safe" is Session? I need to know how hackers get into sites
that use the plain old "If userID <> Session("userID").....". Is there a
way that hackers can create their own session and get by this?

Thanks!


 
Jeff Cochran
 
      03-04-2005
On Fri, 04 Mar 2005 13:11:06 GMT, "John"
<(E-Mail Removed)> wrote:

>Ok, so Session is less than desirable, at least that's what I'm always
>reading. So what are real, practical alternatives? Querystrings? an
>endless chain of hidden form fields??


Why are sessions less than desirable?

>Here are the things I'm looking for specifically....
>
>1). I need to identify users uniquely as clients in some kind of
>maintainable state.
>
>2). I need to track anonymous user page views, etc. I'm guessing
>Application level but don't know how to track users individually doing this.
>Page views maybe, but not the succession in which they're viewed
>
>Is there a way to do this without Session that isn't a pain in the a#*? Or
>is Session just not that bad? I've used it a lot with users that manage
>their "own" content but now I need to manage "all" users.
>
>Oh, and how "safe" is Session? I need to know how hackers get into sites
>that use the plain old "If userID <> Session("userID").....". Is there a
>way that hackers can create their own session and get by this?


Okay, that's not sessions. That's security. If your issue is
maintaining security state through sessions you have a different set
of questions. Though you may find that hackers get into sites without
having to spoof a session a lot easier.

Jeff
 
Egbert Nierop (MVP for IIS)
 
      03-05-2005
"John" <(E-Mail Removed)> wrote in message
news:K7ZVd.62127$(E-Mail Removed)...
> Ok, so Session is less than desirable, at least that's what I'm always
> reading. So what are real, practical alternatives? Querystrings? an
> endless chain of hidden form fields??


Sessions are not undesirable. It's only that the scalability gets limited if
you store the session in RAM.
If you use 'hidden form fields' you'll have something like ASP.NET which
uses a ViewState mechanism. If you start talking about that, there are
people that swear against

--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm


> Here are the things I'm looking for specifically....
>
> 1). I need to identify users uniquely as clients in some kind of
> maintainable state.
>
> 2). I need to track anonymous user page views, etc. I'm guessing
> Application level but don't know how to track users individually doing
> this.
> Page views maybe, but not the succession in which they're viewed
>
> Is there a way to do this without Session that isn't a pain in the a#*?
> Or
> is Session just not that bad? I've used it a lot with users that manage
> their "own" content but now I need to manage "all" users.
>
> Oh, and how "safe" is Session? I need to know how hackers get into sites
> that use the plain old "If userID <> Session("userID").....". Is there a
> way that hackers can create their own session and get by this?
>
> Thanks!
>
>


 
Tony Proctor
 
      03-06-2005
RAM-based ASP Session state is not good in circumstances such as "recycling"
in IIS 6, and web farms. These newsgroups are full of posts such as
"...help!...all my session variables have disappeared" due to people being
suckered into the simplicity of ASP Sessions.

Tony Proctor

"Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
message news:#(E-Mail Removed)...
> "John" <(E-Mail Removed)> wrote in message
> news:K7ZVd.62127$(E-Mail Removed)...
> > Ok, so Session is less than desirable, at least that's what I'm always
> > reading. So what are real, practical alternatives? Querystrings? an
> > endless chain of hidden form fields??

>
> Sessions are not undesirable. It's only that the scalability gets limited if
> you store the session in RAM.
> If you use 'hidden form fields' you'll have something like ASP.NET which
> uses a ViewState mechanism. If you start talking about that, there are
> people that swear against
>
> --
> compatible web farm Session replacement for Asp and Asp.Net
> http://www.nieropwebconsult.nl/asp_session_manager.htm
>
>
> > Here are the things I'm looking for specifically....
> >
> > 1). I need to identify users uniquely as clients in some kind of
> > maintainable state.
> >
> > 2). I need to track anonymous user page views, etc. I'm guessing
> > Application level but don't know how to track users individually doing
> > this.
> > Page views maybe, but not the succession in which they're viewed
> >
> > Is there a way to do this without Session that isn't a pain in the a#*?
> > Or
> > is Session just not that bad? I've used it a lot with users that manage
> > their "own" content but now I need to manage "all" users.
> >
> > Oh, and how "safe" is Session? I need to know how hackers get into sites
> > that use the plain old "If userID <> Session("userID").....". Is there a
> > way that hackers can create their own session and get by this?
> >
> > Thanks!
> >
> >

>



 
John
 
      03-08-2005
ok, this is stuff I need to learn. Suggestions where I can learn more
thoroughly about Session? And not just a Microsoft documentation please.
Those are great for reference but they are NOT good teaching materials. I'm
not a "beginner" either so I don't need my hand held. Is there anything in
the middle?

Thanks


"Tony Proctor" <tony_proctor@aimtechnology_NoMoreSPAM_.com> wrote in message
news:(E-Mail Removed)...
> RAM-based ASP Session state is not good in circumstances such as "recycling"
> in IIS 6, and web farms. These newsgroups are full of posts such as
> "...help!...all my session variables have disappeared" due to people being
> suckered into the simplicity of ASP Sessions.
>
> Tony Proctor
>
> "Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
> message news:#(E-Mail Removed)...
> > "John" <(E-Mail Removed)> wrote in message
> > news:K7ZVd.62127$(E-Mail Removed)...
> > > Ok, so Session is less than desirable, at least that's what I'm always
> > > reading. So what are real, practical alternatives? Querystrings? an
> > > endless chain of hidden form fields??

> >
> > Sessions are not undesirable. It's only that the scalability gets limited if
> > you store the session in RAM.
> > If you use 'hidden form fields' you'll have something like ASP.NET which
> > uses a ViewState mechanism. If you start talking about that, there are
> > people that swear against
> >
> > --
> > compatible web farm Session replacement for Asp and Asp.Net
> > http://www.nieropwebconsult.nl/asp_session_manager.htm
> >
> >
> > > Here are the things I'm looking for specifically....
> > >
> > > 1). I need to identify users uniquely as clients in some kind of
> > > maintainable state.
> > >
> > > 2). I need to track anonymous user page views, etc. I'm guessing
> > > Application level but don't know how to track users individually doing
> > > this.
> > > Page views maybe, but not the succession in which they're viewed
> > >
> > > Is there a way to do this without Session that isn't a pain in the a#*?
> > > Or
> > > is Session just not that bad? I've used it a lot with users that manage
> > > their "own" content but now I need to manage "all" users.
> > >
> > > Oh, and how "safe" is Session? I need to know how hackers get into sites
> > > that use the plain old "If userID <> Session("userID").....". Is there a
> > > way that hackers can create their own session and get by this?
> > >
> > > Thanks!
> > >
> > >

> >

>
>



 
Egbert Nierop (MVP for IIS)
 
      03-11-2005
Why do you post this? Did I -say- that sessions in RAM are OK?

I do have a product that solves this problem very elegantly. But every
solution has its drawbacks. So is a session in a DB demanding a lot of
resources for the DB.

--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm

"Tony Proctor" <tony_proctor@aimtechnology_NoMoreSPAM_.com> wrote in message
news:(E-Mail Removed)...
> RAM-based ASP Session state is not good in circumstances such as
> "recycling"
> in IIS 6, and web farms. These newsgroups are full of posts such as
> "...help!...all my session variables have disappeared" due to people being
> suckered into the simplicity of ASP Sessions.
>
> Tony Proctor
>
> "Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
> message news:#(E-Mail Removed)...
>> "John" <(E-Mail Removed)> wrote in message
>> news:K7ZVd.62127$(E-Mail Removed)...
>> > Ok, so Session is less than desirable, at least that's what I'm always
>> > reading. So what are real, practical alternatives? Querystrings? an
>> > endless chain of hidden form fields??

>>
>> Sessions are not undesirable. It's only that the scalability gets limited if
>> you store the session in RAM.
>> If you use 'hidden form fields' you'll have something like ASP.NET which
>> uses a ViewState mechanism. If you start talking about that, there are
>> people that swear against
>>
>> --
>> compatible web farm Session replacement for Asp and Asp.Net
>> http://www.nieropwebconsult.nl/asp_session_manager.htm
>>
>>
>> > Here are the things I'm looking for specifically....
>> >
>> > 1). I need to identify users uniquely as clients in some kind of
>> > maintainable state.
>> >
>> > 2). I need to track anonymous user page views, etc. I'm guessing
>> > Application level but don't know how to track users individually doing
>> > this.
>> > Page views maybe, but not the succession in which they're viewed
>> >
>> > Is there a way to do this without Session that isn't a pain in the a#*?
>> > Or
>> > is Session just not that bad? I've used it a lot with users that
>> > manage
>> > their "own" content but now I need to manage "all" users.
>> >
>> > Oh, and how "safe" is Session? I need to know how hackers get into sites
>> > that use the plain old "If userID <> Session("userID").....". Is there a
>> > way that hackers can create their own session and get by this?
>> >
>> > Thanks!
>> >
>> >

>>

>
>


 
Tony Proctor
 
      03-15-2005
My apologies Egbert. I obviously misread your post and replied too soon

Tony Proctor

"Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> Why do you post this? Did I -say- that sessions in RAM are OK?
>
> I do have a product that solves this problem very elegantly. But every
> solution has its drawbacks. So is a session in a DB demanding a lot of
> resources for the DB.
>
> --
> compatible web farm Session replacement for Asp and Asp.Net
> http://www.nieropwebconsult.nl/asp_session_manager.htm
>
> "Tony Proctor" <tony_proctor@aimtechnology_NoMoreSPAM_.com> wrote in message
> news:(E-Mail Removed)...
> > RAM-based ASP Session state is not good in circumstances such as
> > "recycling"
> > in IIS 6, and web farms. These newsgroups are full of posts such as
> > "...help!...all my session variables have disappeared" due to people being
> > suckered into the simplicity of ASP Sessions.
> >
> > Tony Proctor
> >
> > "Egbert Nierop (MVP for IIS)" <(E-Mail Removed)> wrote in
> > message news:#(E-Mail Removed)...
> >> "John" <(E-Mail Removed)> wrote in message
> >> news:K7ZVd.62127$(E-Mail Removed)...
> >> > Ok, so Session is less than desirable, at least that's what I'm always
> >> > reading. So what are real, practical alternatives? Querystrings? an
> >> > endless chain of hidden form fields??
> >>
> >> Sessions are not undesirable. It's only that the scalability gets limited if
> >> you store the session in RAM.
> >> If you use 'hidden form fields' you'll have something like ASP.NET which
> >> uses a ViewState mechanism. If you start talking about that, there are
> >> people that swear against
> >>
> >> --
> >> compatible web farm Session replacement for Asp and Asp.Net
> >> http://www.nieropwebconsult.nl/asp_session_manager.htm
> >>
> >>
> >> > Here are the things I'm looking for specifically....
> >> >
> >> > 1). I need to identify users uniquely as clients in some kind of
> >> > maintainable state.
> >> >
> >> > 2). I need to track anonymous user page views, etc. I'm guessing
> >> > Application level but don't know how to track users individually doing
> >> > this.
> >> > Page views maybe, but not the succession in which they're viewed
> >> >
> >> > Is there a way to do this without Session that isn't a pain in the a#*?
> >> > Or
> >> > is Session just not that bad? I've used it a lot with users that
> >> > manage
> >> > their "own" content but now I need to manage "all" users.
> >> >
> >> > Oh, and how "safe" is Session? I need to know how hackers get into sites
> >> > that use the plain old "If userID <> Session("userID").....". Is there a
> >> > way that hackers can create their own session and get by this?
> >> >
> >> > Thanks!
> >> >
> >> >
> >>

> >
> >

>
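
An added example, not part of any post in this thread: a minimal database-backed session store of the kind the replies contrast with RAM-based Session, written in Python with SQLite rather than ASP so that it runs stand-alone. The table layout and the names `SessionStore`, `new_session`, `lookup`, `record_view` and `views` are assumptions made for illustration. It shows state surviving a worker restart, page views kept in order per anonymous visitor, and a session id the server never issued being refused.

```python
import os
import secrets
import sqlite3
import tempfile


class SessionStore:
    """Session state kept in a database file instead of web-server RAM."""

    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.db.executescript(
            "CREATE TABLE IF NOT EXISTS sessions(id TEXT PRIMARY KEY, user_id TEXT);"
            "CREATE TABLE IF NOT EXISTS views(seq INTEGER PRIMARY KEY AUTOINCREMENT,"
            " session_id TEXT NOT NULL, page TEXT NOT NULL);")

    def new_session(self, user_id=None):
        # Cookie value: an unguessable random token, never the user id itself.
        sid = secrets.token_urlsafe(32)
        self.db.execute("INSERT INTO sessions VALUES (?, ?)", (sid, user_id))
        self.db.commit()
        return sid

    def lookup(self, sid):
        # Returns (known, user_id); user_id is None for an anonymous visitor.
        row = self.db.execute("SELECT user_id FROM sessions WHERE id = ?", (sid,)).fetchone()
        return (row is not None, row[0] if row else None)

    def record_view(self, sid, page):
        # Only ids this server issued are accepted; anything else is refused.
        if not self.lookup(sid)[0]:
            return False
        self.db.execute("INSERT INTO views(session_id, page) VALUES (?, ?)", (sid, page))
        self.db.commit()
        return True

    def views(self, sid):
        # Pages in the order they were viewed.
        rows = self.db.execute("SELECT page FROM views WHERE session_id = ? ORDER BY seq", (sid,))
        return [r[0] for r in rows]


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "sessions.db")  # constructed sample path
    sid = SessionStore(path).new_session()
    SessionStore(path).record_view(sid, "/home")       # each call acts as a fresh worker
    SessionStore(path).record_view(sid, "/products")
    print(SessionStore(path).views(sid))
    print(SessionStore(path).record_view("made-up-id", "/admin"))
```

Every request costs at least one database round trip, which is the resource trade-off raised in the thread.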



 