Hi,



I'm currently using session variables to force users to password protect my

pages. 



However, I know using session variables isn't best prectice and I was

wondering if anyone had tips on a better way of doing it?



I'm not sure how I track and manage user sessions without session variables

(e.g how do I know if the user has left my site or closed their browser??)







Cheers



Dave

well a damned good question but the http protocol is a stateless protocol, 

in fact you DONT know when a user has left the session.

you could assume if a session has 20 minutes to expire that the moment 

he logged in, after 20 minutes he/she is out (probably..if the user did 

not stay there)

in Microsoft Site Server you have something calles Active User Object in 

which you had his properties and the state...

in normal asp..

or you develop an object yourself...

or you use a sessionid to create a GUID that is used to access the 

pages. you store this variable into the database.

each time a user accesses the pages he needs to give his sessionid that 

was generated for him/her the moment he logged in.

in the database you mark this GUID as active.

you let the user log out so that you can set the GUID on not active, so 

that this guid is not to be used the next time or by somenone else...

that should solve your problem

eric



-----Original Message-----

From: David Bosomworth [mailto:David@s...]

Sent: Tuesday, August 28, 2001 11:00

To: ASP Web HowTo

Subject: [asp_web_howto] User authentication and managing user sessions





Hi,



I'm currently using session variables to force users to password protect my

pages.



However, I know using session variables isn't best prectice and I was

wondering if anyone had tips on a better way of doing it?



I'm not sure how I track and manage user sessions without session variables

(e.g how do I know if the user has left my site or closed their browser??)







Cheers



Dave