login and sessions

 
 
Ricardo Furtado
      08-31-2010
When developing web pages I usually check if the user is logged in by using
sessions.
Yesterday I read something about the downsides of sessions and one of them
is when computers don't allow sessions.
What should be the best way to check if a user is logged in?
 
 
 
 
 
Tim Slattery
      08-31-2010
Ricardo Furtado <(E-Mail Removed)> wrote:

>When developing web pages I usually check if the user is logged in by using
>sessions.
>Yesterday I read something about the downsides of sessions and one of them
>is when computers don't allow sessions.
>What should be the best way to check if a user is logged in?


Sessions are maintained server-side. They are identified by a cookie
that's passed back and forth between the server and client. Most
clients will allow session cookies even if they don't allow persistent
cookies. If the client doesn't allow session cookies, then there's
nothing much you can do to maintain a session. (And the user has cut
himself off from a LARGE part of the web!)

--
Tim Slattery
(E-Mail Removed)
http://members.cox.net/slatteryt
 
 
 
 
 
Ricardo Furtado
      08-31-2010
Thanks for your answer.

So, can I believe that sessions are the best option for this kind of
task? Better than passing a session ID in every URL or even global variables?


 
 
Evertjan.
      08-31-2010
Ricardo Furtado wrote on 31 aug 2010 in
microsoft.public.inetserver.asp.general:
> "Tim Slattery" wrote:
>
>> Ricardo Furtado <(E-Mail Removed)> wrote:
>>
>> >When developing web pages I usually check if the user is logged in by
>> >using sessions.
>> >Yesterday I read something about the downsides of sessions and one
>> >of them is when computers don't allow sessions.
>> >What should be the best way to check if a user is logged in?

>>
>> Sessions are maintained server-side. They are identified by a cookie
>> that's passed back and forth between the server and client. Most
>> clients will allow session cookies even if they don't allow
>> persistent cookies. If the client doesn't allow session cookies, then
>> there's nothing much you can do to maintain a session. (And the user
>> has cut himself off from a LARGE part of the web!)


[please do not top post or quote signatures on usenet]

> Thanks for your answer.
>
> So, can I believe that sessions are the best option for this kind
> of task? Better than passing a session ID in every URL


A session is passing a session ID in every request header.

Why do you think "the best" exists?
That is a matter of taste, not of axioms.

> or even global variables?


Uh? What do you mean, global where? On the server?
As an application variable?
Or as a session variable? [you would need a session for the latter]
Or on the browser?
How would you recognize a specific user with those?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
 
 
Bwig Zomberi
      09-02-2010
Ricardo Furtado wrote:
> When developing web pages I usually check if the user is logged in by using
> sessions.
> Yesterday I read something about the downsides of sessions and one of them
> is when computers don't allow sessions.
> What should be the best way to check if a user is logged in?



Use session variables to maintain login details. Use response.cookies to
maintain other details such as user preferences, shopping cart details...

--
Bwig Zomberi
 
 
Ricardo Furtado
      09-02-2010
Ok, thank you all for your answers.
I'll do that, Bwig Zomberi. Great tip.


 
 
Evertjan.
      09-02-2010
Bwig Zomberi wrote on 02 sep 2010 in
microsoft.public.inetserver.asp.general:

> Ricardo Furtado wrote:
>> When developing web pages I usually check if the user is logged in by
>> using sessions.
>> Yesterday I read something about the downsides of sessions and one
>> of them is when computers don't allow sessions.
>> What should be the best way to check if a user is logged in?

>
>
> Use session variables to maintain login details. Use response.cookies
> to maintain other details such as user preferences, shopping cart
> details...


Why?

It seems ridiculous if [as you should] you want to keep those details only
for the session.

Shopping cart details are part of the session and can better be kept on the
server to prevent malicious use.

Preferences could be kept in persistent cookies between sessions, if you
want to save them for future use, however since you would keep login
details on a serverside database, they are better kept in that database, to
prevent another user on the same browser to be presented with another's
preferences, and the same user on another browser or pc without his [or
her] preferences.

So all in all, no, don't use cookies in a shopping cart environment, but
for the asp automatic session.id cookie.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
 
 
Bwig Zomberi
      09-06-2010
Evertjan. wrote:
> Bwig Zomberi wrote on 02 sep 2010 in
> microsoft.public.inetserver.asp.general:
>
>> Ricardo Furtado wrote:
>>> When developing web pages I usually check if the user is logged in by
>>> using sessions.
>>> Yesterday I read something about the downsides of sessions and one
>>> of them is when computers don't allow sessions.
>>> What should be the best way to check if a user is logged in?

>>
>>
>> Use session variables to maintain login details. Use response.cookies
>> to maintain other details such as user preferences, shopping cart
>> details...

>
> Why?
>
> It seems ridiculous if [as you should] you want to keep those details only
> for the session.
>
> Shopping cart details are part of the session and can better be kept on the
> server to prevent malicious use.
>
> Preferences could be kept in persistent cookies between sessions, if you
> want to save them for future use, however since you would keep login
> details on a serverside database, they are better kept in that database, to
> prevent another user on the same browser to be presented with another's
> preferences, and the same user on another browser or pc without his [or
> her] preferences.
>
> So all in all, no, don't use cookies in a shopping cart environment, but
> for the asp automatic session.id cookie.
>


Cookies can be made to expire. Details stored in the cookie should be
mapped to the user id and should be used only if the user is logged in.

You can of course store shopping cart and other details on the server
but that is a lot of work. It is easier to maintain an activity log
in ASP.NET.

Session variables are a limited resource. Most websites are on shared
servers. So, it is best to limit the use of session variables.




--
Bwig Zomberi
 
 
Evertjan.
      09-06-2010
Bwig Zomberi wrote on 06 sep 2010 in
microsoft.public.inetserver.asp.general:

>> So all in all, no, don't use cookies in a shopping cart environment,
>> but for the asp automatic session.id cookie.
>>

>
> Cookies can be made to expire. Details stored in the cookie should be
> mapped to the user id and should be used only if the user is logged
> in.


Wait!

Do not discuss session cookies and expiring cookies in the same way.

While the latter often are disallowed by users, the session cookies,
that only live till the browser has stopped or the domain is no longer
accessed, are most often allowed, making the ASP session.id cookie
possible and so the ASP session.

> You can of course store shopping cart and other details on the server
> but that is a lot of work.


You can see that as a joke, but it is not. The only safe programming is
serverside programming, and a shopping cart should not be influenced by
interfering code on the browser, like the Firefox and Chrome extensions.

> It is easier to maintain an activity log
> in ASP.NET.


Off topic, this is a classic ASP NG.

> Session variables are a limited resource. Most websites are on shared
> servers. So, it is best to limit the use of session variables.


No it is not,
because of the simple truth that "is best" does not exist in
programming.

Having a shopping cart without enough resources asks for more resources
in a professional surrounding, not for unsafe escape practices.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
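
The point argued above about keeping the cart in the server-side session rather than in a cookie, shown as an added example that is not part of the thread and is not ASP code: a small Python simulation in which the browser holds only a random session id. The names CATALOG, SESSIONS, login, get_session, add_to_cart, total_from_session and total_from_cookie, the SKUs and the "sku:qty:price" cookie layout are all assumptions made for the illustration.

```python
import secrets

# Constructed catalogue: prices exist only on the server (values in cents).
CATALOG = {"sku-1": 1999, "sku-2": 4950}
# Hypothetical in-memory session store: session id -> server-side state.
SESSIONS = {}

def login(user):
    """Create a session; only the random id is sent to the browser."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "cart": {}}
    return {"sid": sid}  # stands in for the browser's cookie jar

def get_session(cookies):
    """Look up server-side state from the id cookie; unknown ids are refused."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        raise PermissionError("not logged in")
    return session

def add_to_cart(cookies, sku, qty):
    """Validate the cart line and keep it in the server-side session."""
    session = get_session(cookies)
    if sku not in CATALOG or not isinstance(qty, int) or qty < 1:
        raise ValueError("rejected cart line")
    session["cart"][sku] = session["cart"].get(sku, 0) + qty

def total_from_session(cookies):
    """Total computed from the server-held cart and server-held prices."""
    cart = get_session(cookies)["cart"]
    return sum(CATALOG[sku] * qty for sku, qty in cart.items())

def total_from_cookie(cookies):
    """Cookie-held cart 'sku:qty:price|...': every field comes from the browser."""
    total = 0
    for line in filter(None, cookies.get("cart", "").split("|")):
        _sku, qty, price = line.split(":")
        total += int(qty) * int(price)
    return total

def demo():
    cookies = login("alice")
    add_to_cart(cookies, "sku-2", 2)
    sent = dict(cookies, cart="sku-2:2:4950")    # cart cookie as the server set it
    returned = dict(cookies, cart="sku-2:2:1")   # same cookie after a browser-side edit
    return (total_from_session(returned),
            total_from_cookie(sent),
            total_from_cookie(returned))
```

The session-based total stays at 9900 whatever the cart cookie says, while the cookie-based total follows the edited price field.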
 