Wrox Programmer Forums
Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0
Welcome to the p2p.wrox.com Forums.

You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old July 1st, 2004, 12:31 AM
Friend of Wrox
 
Join Date: Oct 2003
Posts: 463
Send a message via MSN to madhukp
Logged-in status without using session

I have done many administration sites which require login to enter. I am storing the logged-in status in session. But since usage of session is bad and sessions can be blocked in some browsers, I am looking for an alternative method. Does anybody know any safe method?

I have considered the following methods and discarded all of them.

1) use of cookies - cookies can also be disabled. Highly unsafe

2) query string - not safe

3) hidden fields - not safe

4) create a session id and pass it in all requests. The session id is stored in db along with logged in time. Each action through this id is recorded. There will be a small hidden frame of height 1px on the top of browser window. When the document in that frame is unloaded, a JavaScript will run which will open another page to record the expiry of this session id. This method does not seem to be a professional one. It reduces the maintainability of scripts, since each link requires the inclusion of this session id.
 
Old July 1st, 2004, 01:13 AM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 2,480

Hi Madhu,

Quote:
sessions can be blocked in some browsers
Can you provide some details about when/where you experienced this?

It can be used to store variables specific for a user and IIS will maintain these variables when the client moves across pages within your site.

You can take a look at this URL - The ASP Session Object

If session can also be blocked, I am not sure which other method would be safer to achieve that.

Cheers!

_________________________
- Vijay G
Strive for Perfection
 
Old July 1st, 2004, 01:21 AM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 596

I guess you could store the machine's 'IP', 'Time', the 'Logged in Status' and any other variables you liked in a database and check them for every page.

I think as developers we can endeavour to account for as many situations as possible but when you have a user who has client side scripting off, sessions blocked, cookies blocked, some obscure browser developed by a renegade uni student, there has to be a realistic expectation of the information/experience we can provide them.

By the way, which browsers block sessions?

======================================
They say, best men are molded out of faults,
And, for the most, become much more the better
For being a little bad.
======================================
 
Old July 1st, 2004, 01:30 AM
Authorized User
 
Join Date: Jun 2004
Posts: 68
Send a message via MSN to silver_cuts Send a message via Yahoo to silver_cuts

Hi Madhu,

Browsers blocking Sessions ... is unheard of for me ..

anyway though the session method is bad for storing large amount of data .. still is there and hence it should be used for small amount of data like logged_in status ...

i think session method is best ..

Sudhan.

 
Old July 1st, 2004, 01:34 AM
Friend of Wrox
 
Join Date: Oct 2003
Posts: 463
Send a message via MSN to madhukp

hello Vijay,

In IE 6.0 please do the steps.

1) Go to Tools -> Internet Options
2) Open privacy tab
3) Click advanced
4) Check "Override automatic cookie handling"
5) Block first party cookies and third party cookies
6) Uncheck "always allow per session cookies"

The session will be disabled for the browser. (Please close all instances of IE except the one where you are working before doing this.)

In IE 5.0, you can do this by an option "disable per session cookies" from advanced tab. (I am telling from memory. I cannot test it now.)

I am using the following idea in my script.

I will collect login and password and check them against database. If valid, I am storing username in session using following script piece.

Session("gbl_username")=<username>

Username is needed by me in subsequent pages for recording activities.

On the top of every page, I am checking with the script.

if(Session("gbl_username")="") then
    Response.Redirect("default.asp?error=sessionout")
end if

Is there anything wrong in my script ?

When I do the above steps, it will always redirect me to default.asp page. This was experienced by one of our clients also.
 
Old July 1st, 2004, 02:26 AM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 2,480

Madhu,
I tried all that here with my browser settings and it seems to have no problem in dealing with session variables.

But I use IE 6. Someone with IE 5 has got to test that out and tell if that is the case as Madhu experienced. Let's wait to hear from someone that can really convince me to agree that SESSIONs can be blocked. But I don't think one would use IE 5 still.

I read in a site
Accepting cookies

The settings for cookies in Internet Explorer 4 is located on the "Internet Options", "Advanced tab", and so there was a very broad setting.

In Internet Explorer 5 the cookies settings are found on the "Internet Options", "Security tab". Now you can be selective on what sites you accept cookies from. When you have selected a site from which you want to accept cookies, add that site to your "Trusted sites" zone, and use the "Custom level" button to change your settings, to include cookies setting.

Internet Explorer 5 also distinguishes between "per session" cookies and "normal" ones. "Per session" cookies are set for just the one session, but they are deleted when you finish the session.

So I would say that these are cookies related, and not SESSION disabling settings and the session mentioned there pertains to an Instance of IE.

Can you post a simple code snippet that doesn't work with the browser settings you posted earlier, so that I can test that out?

PS: Rather than restructuring your code or looking for some alternative for this, why not ask your clients to keep their browsers up-to-date? That sounds like an easier solution, right?

Cheers!

_________________________
- Vijay G
Strive for Perfection
 
Old July 1st, 2004, 04:14 AM
Authorized User
 
Join Date: Jun 2004
Posts: 68
Send a message via MSN to silver_cuts Send a message via Yahoo to silver_cuts

Hi Vijay & Madhu,

I have tried it once again .. but the sessions continue to be working ... i am not having any problem at all ...

maybe as vijay said that someone with IE 5 will have to try it ... maybe the IE used by madhu is corrupt ... but well as vijay says ... we will have to wait for it ...

yep madhu send up that code ... maybe that will help ...

Sudhan.

- Everything Is In Our Hands -

              Sudhan.
 
Old July 1st, 2004, 05:07 AM
Friend of Wrox
 
Join Date: Oct 2003
Posts: 463
Send a message via MSN to madhukp

Hello Vijay,

You may be checking from PWS or a local server.

Here are my scripts.

login.asp

<%@Language="VBScript"%>
<%
    option explicit
    Server.ScriptTimeOut=300
    response.buffer=false
    Response.AddHeader "Pragma","no-cache"
    Response.AddHeader "cache-control","no-cache,must-revalidate"
    Response.Expires =-1
    ' Status flag: "1" = not logged in (reset on every visit to this page), "0" = logged in
    Session("gbl_b_logged_in_status")="1"
    if(Request.Form("txt_username")<>"" and Request.Form("txt_password")<>"") then
        if(Request.Form("txt_username")="test" and Request.Form("txt_password")="test") then
            Session("gbl_b_logged_in_status")="0"
            Response.Redirect("index.asp")
        else
            Session("gbl_b_logged_in_status")="1"
        end if
    else
        Session("gbl_b_logged_in_status")="1"
    end if
    if(Session("gbl_b_logged_in_status")="1") then
%>
        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
        <html>
        <head>
            <title>Login page</title>
        </head>
        <body>
            <form name="frm_login" method="post" action="login.asp">
                <table align="center" width="50%" cellspacing="2" cellpadding="2" border="0">
                    <caption>Please login to proceed</caption>
                    <tr>
                        <td width="50%">Username</td>
                        <td width="50%"><input type="text" value="" name="txt_username"></td>
                    </tr>
                    <tr>
                        <td width="50%">Password</td>
                        <td width="50%"><input type="password" value="" name="txt_password"></td>
                    </tr>
                    <tr>
                        <td width="50%">&nbsp;</td>
                        <td width="50%"><input type="submit" value="Enter"></td>
                    </tr>
                </table>
            </form>
        </body>
        </html>
<%
    end if
%>

index.asp

<%@Language="VBScript"%>
<%
    option explicit
    Server.ScriptTimeOut=300
    response.buffer=false
    Response.AddHeader "Pragma","no-cache"
    Response.AddHeader "cache-control","no-cache,must-revalidate"
    Response.Expires =-1
    if(Session("gbl_b_logged_in_status")="0") then
%>
        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
        <html>
        <head>
            <title>Index page</title>
        </head>
        <body>
        <h1>Welcome to administration site</h1>
        </body>
        </html>
<%
    else
        Response.Redirect("login.asp")
    end if
%>

I have put this in 3 remote servers and tested. One such address only I can give you.

http://www.softwareassociates.co.uk/test/login.asp

use test / test as username / password.

In the step I mentioned, if you check the "Always allow session cookies", it will work. If you uncheck it, it will not work.

This is happening in all computers in my company. It is not because of any problem in my browser.

You need to close all other browser instances before you change the settings. Otherwise, the setting will not come into effect.
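
An added example, not part of the original thread or any poster's code: Classic ASP ties a browser to its Session data with a per-session cookie carrying the session ID, so a browser that refuses per-session cookies starts a fresh, empty session on every request and the login flag set in login.asp is gone by the time index.asp runs. The probe below, meant for the top of login.asp, detects that case and says so instead of silently bouncing the user back to the form. The cookie name `ck_probe`, the `ck` query parameter and the message text are assumptions.

```asp
<%@Language="VBScript"%>
<%
Option Explicit
Response.Buffer = True   ' Set-Cookie and redirects are headers; keep output buffered

' Added example: ck_probe and the ck parameter are hypothetical names.
Const PROBE_NAME = "ck_probe"

' True when the browser sent back the probe cookie from an earlier response.
Function SessionCookiesAccepted()
    SessionCookiesAccepted = (Request.Cookies(PROBE_NAME) = "1")
End Function

Dim cookiesOk
cookiesOk = SessionCookiesAccepted()

If Not cookiesOk And Request.QueryString("ck") <> "1" Then
    ' First visit: hand out the probe and come straight back to read it.
    ' No Expires is set, so this is a per-session cookie, the same kind
    ' the ASP session ID travels in.
    Response.Cookies(PROBE_NAME) = "1"
    Response.Redirect "login.asp?ck=1"   ' Redirect ends this request
End If

If Not cookiesOk Then
    ' ck=1 is present but the probe did not come back: per-session cookies
    ' are blocked, so Session() values cannot survive to the next page.
    Response.Write "<p>This site needs per-session cookies to keep you " & _
                   "logged in. Please allow them for this site and reload.</p>"
    Response.End
End If

' Cookies work: continue with the normal login form and credential check.
%>
```

Because the redirect happens only once (the `ck=1` marker stops it), a browser with cookies blocked sees the message rather than a redirect loop.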
 
Old July 2nd, 2004, 12:14 AM
Friend of Wrox
 
Join Date: Oct 2003
Posts: 463
Send a message via MSN to madhukp

Friends,

I have tested it from an internet booth (which uses IE 5.5 and IE 5.0). I am able to replicate the problem there also. So sessions can be blocked.

To those who have tested,

You need to block first party and third party cookies. If you allow them and leave the checkbox labelled "Always allow session cookies" unchecked, then there is no problem for session. But if you block them and leave the checkbox labelled "Always allow session cookies" unchecked, then session will stop working.

As I am told by a project manager in London, most of the corporate companies change the browser setting in this way to prevent sessions. Once, I had to redo a number of pages on visitor side to not use session (I used the method 4 I mentioned above)
 
Old July 10th, 2004, 04:26 AM
Friend of Wrox
 
Join Date: Oct 2003
Posts: 463
Send a message via MSN to madhukp

I got an interesting article from net about this problem. I thought it will help you all.

http://www.informit.com/articles/article.asp?p=22686

This solves my problem also.




