Logged

madhukp · July 1st, 2004, 12:31 AM

I have done many administration sites which require login to enter. I am storing the logged-in status in session. But since usage of session is bad and sessions can be blocked in some browsers, I am looking for an alternative method. Does anybody know any safe method ?

I have considered the following methods and discarded all of them.

1) use of cookies - cookies can also be disabled. Highly unsafe

2) query string - not safe

3) hidden fields - not safe

4) create a session id and pass it in all requests. The session id is stored in db along with logged in time. Each action through this id is recorded. There will be a small hidden frame of height 1px on the top of browser window. When the document in that frame is unloaded, a javascript will run which will open another page to record the expiry of this session id- This method does not seem to be a professional one. This reduces the maintainability of scripts. Since each links require the inclusion of this session id.

happygv · July 1st, 2004, 01:13 AM

Hi Madhu,

Quote:

quote:sessions can be blocked in some browsers

Can you provide some details about when/where you experienced this?

It can be used to store variables specific for a user and IIS will maintain these variables when the client moves across pages within your site

You can take a look at this URL - The ASP Session Object

If session can also be blocked, I am not sure, which else would be the safer method to achieve that.

Cheers!

_________________________
- Vijay G
Strive for Perfection

rodmcleay · July 1st, 2004, 01:21 AM

I guess you could store the machines 'IP' , 'Time',the 'Logged in Status' and any other variables you liked in a database and check them for every page.

I think as developers we can endevour to account for as many situations as possible but when you have a user who has client side scripting off, sessions blocked, cookies blocked, some obscure browser developed by a renegade uni student, there has to be a realistic expectation of the information/experience we can provide them.

By the way, which browsers block sessions?

======================================
They say, best men are molded out of faults,
And, for the most, become much more the better
For being a little bad.
======================================

silver_cuts · July 1st, 2004, 01:30 AM

Hi Madhu,

Browsers blocking Sessions ... is unheard for me ..

anyway though the session method is bad for string large amount of data .. still is there and hence it should be used for small amount of data like logged_in status ...

i think session method is best ..

Sudhan.

madhukp · July 1st, 2004, 01:34 AM

hello Vijay,

In IE 6.0 please do the steps.

1) Go tools->Internet options
2) Open privacy tab
3) Click advanced
4) Check "Override automatic cookie handling"
5) Block first party cookies and third party cookies
6) Uncheck "always allow per session cookies"

The session will be disabled for the browser. (Please close all instances of IE except the one where you are working before doing this.)

In IE 5.0, you can do this by an option "disable per session cookies from advanced tab. (I am telling from memory. I cannot test it now).

I am using the following idea in my script.

I will collect login and password and check them against database. If valid, I am storing username in session using following script piece.

Session("gbl_username")=<username>

Username is needed by me in subsequent pages for recording activities.

On the top of every page, I am checking with the script.

if(Session("gbl_username")="") then
Response.Redirect("default.asp?error=sessionout")
end if

Is there anything wrong in my script ?

When I do the above steps, it will always redirect to me to default.asp page. This was experienced by one of our client also.

happygv · July 1st, 2004, 02:26 AM

Madhu,
I tried all that here with my browser settings and it seems to have no problem in dealing with session variables.

But I use IE 6. Someone with IE 5 has got to test that out and tell if that is the case as Madhu experienced. Lets wait to hear from someone that can really convince me to agree that SESSIONs can be blocked. But I dont think one would use IE 5 still.

I read in a site
Accepting cookies

The settings for cookies in Internet Explorer 4 is located on the "Internet Options", "Advanced tab", and so there was a very broad setting.

In Internet Explorer 5 the cookies settings are found on the "Internet Options", "Security tab". Now you can be selective on what sites you accept cookies from. When you have selected a site from which you want to accept cookies, add that site to your "Trusted sites" zone, and use the "Custom level" button to change your settings, to include cookies setting.

Internet Explorer 5 also distinguishes between "per session" cookies and "normal" ones. "Per session" cookies are set for just the one session, but they are deleted when you finish the session.

So I would say that these are cookies related, and not SESSION disabling settings and the session mentioned there pertains to an Instance of IE.

Can you post a simple code snip that doesn't work with the browser settings you posted earlier? So that let me test that out.

PS : Than restructuring your code or looking for some alternate for this, why not you ask your clients to keep their browsers up-to-date? That sounds an easier solution right?

Cheers!

_________________________
- Vijay G
Strive for Perfection

silver_cuts · July 1st, 2004, 04:14 AM

Hi Vijay & Madhu,

I have tried it once again .. but the sessions continue to be working ... i am not having any problem at all ...

may be as vijay said that someone with IE 5 will have to try it ... may be the IE used by madhu be corrupt ... but well as vijay says ... we will have to wait for it ...

yep madhu send up that code ... may be that will help ...

Sudhan.

- Everything Is In Our Hands -

Sudhan.

madhukp · July 1st, 2004, 05:07 AM

Hello Vijay,

You may be checking from PWS or a local server.

Here are my scripts.

login.asp

<%@Language="VBScript"%>
<%
    option explicit
    Server.ScriptTimeOut=300
    response.buffer=false
    Response.AddHeader "Pragma","no-cache"
    Response.AddHeader "cache-control","no-cache,must revalidate"
    Response.Expires =-1
    Session("gbl_b_logged_in_status")="1"
    if(Request.Form("txt_username")<>"" and Request.Form("txt_password")<>"") then
        if(Request.Form("txt_username")="test" and Request.Form("txt_password")="test") then
            Session("gbl_b_logged_in_status")="0"
            Response.Redirect("index.asp")
        else
            Session("gbl_b_logged_in_status")="1"
        end if
    else
        Session("gbl_b_logged_in_status")="1"
    end if
    if(Session("gbl_b_logged_in_status")="1") then
%>
        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
        <html>
        <head>
            <title>Login page</title>
        </head>
        <body>
            <form name="frm_login" method="post" action="login.asp">
                <table align="center" width="50%" cellspacing="2" cellpadding="2" border="0">
                    <caption>Please login to proceed</caption>
                    <tr>
                        <td width="50%">Username</td>
                        <td width="50%"><input type="text" value="" name="txt_username"></td>
                    </tr>
                    <tr>
                        <td width="50%">Password</td>
                        <td width="50%"><input type="password" value="" name="txt_password"></td>
                    </tr>
                    <tr>
                        <td width="50%"> </td>
                        <td width="50%"><input type="submit" value="Enter"></td>
                    </tr>
                </table>
            </form>
        </body>
        </html>
<%
    end if
%>

index.asp

<%@Language="VBScript"%>
<%
    option explicit
    Server.ScriptTimeOut=300
    response.buffer=false
    Response.AddHeader "Pragma","no-cache"
    Response.AddHeader "cache-control","no-cache,must revalidate"
    Response.Expires =-1
    if(Session("gbl_b_logged_in_status")="0") then
%>
        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
        <html>
        <head>
            <title>Index page</title>
        </head>
        <body>
        <h1>Welcome to administration site</h1>
        </body>
        </html>
<%
    else
        Response.Redirect("login.asp")
    end if
%>

I have put this in 3 remote servers and tested. One such address only I can give you.

http://www.softwareassociates.co.uk/test/login.asp

use test / test as username / password.

In the step I mentioned, if you check the "Always allow session cookies", it will work. If you uncheck it, it will not work.

This is happenning in all computers in my company. It is not because of any problem in my browser.

You need to close all other browser instances before you change the settings. Otherwise, the setting will not come into effect.

madhukp · July 2nd, 2004, 12:14 AM

Friends,

I have tested it from an internet booth (which uses IE 5.5 and IE 5.0). I am able to replicate the problem there also. So sessions can be blocked.

To those who have tested,

You need to block first party and third party cookies. If you allow them and leave the checkbox labelled "Always allow session cookies" unchecked, then there is no problem for session. But if you block them and leave the checkbox labelled "Always allow session cookies" unchecked, then session will stop working.

As I am told by a project manager in London, most of the corporate companies change the browser setting in this way to prevent sessions. Once, I had to redo a number of pages on visitor side to not use session (I used the method 4 I mentioned above)

madhukp · July 10th, 2004, 04:26 AM

I got an interesting article from net about this problem. I thought it will help you all.

http://www.informit.com/articles/article.asp?p=22686

This solves my problem also.