Classic ASP Basics: For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0
Welcome to the p2p.wrox.com Forums.
You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

August 10th, 2005, 08:53 AM
Authorized User
Join Date: Feb 2005
Posts: 21
Cookie usage with multiple sessions
Hi guys
I am looking at a legacy ASP system with a database front end. The ASP uses a cookie named "NIS" to store some generic system information, e.g. User Id, Department etc. The values are retrieved to control access to different lists of information from a back end database.
If a user has two browser sessions, with the same initial logon screen, running on the same PC but using different user IDs, would this corrupt the cookie, overwriting it with information from the other sessions?
Thanks in advance
Daz

August 10th, 2005, 06:39 PM
Friend of Wrox
Join Date: Jan 2004
Posts: 1,870
;;;If a user has two browser sessions, with the same initial logon screen
They are the same session. Sessions are independent of each other. One session is supposed to overwrite what another session did, isn't it? - Your code controls the cookies; if you have told your code to write a cookie, it will write, therefore yes it will.
Wind is your friend
Matt

August 11th, 2005, 03:48 AM
Authorized User
Join Date: Feb 2005
Posts: 21
Matt
Is there a difference in creating sessions when using the following URLs to initiate the session? Both will eventually call the logon screen to gain access to the system.
//<Machine-Name>/Software
//<Machine-Name>/Software/defaultlogon.asp
where <Software> is set as a website in IIS.
The reason for this is I have been asked to confirm if a user can run multiple sessions at the same time. After checking a few pages the only thing that seems to ring alarm bells is this cookie usage (and coming from 3GL/4GL background it doesn't seem unique).
Thanks again
Daz

August 11th, 2005, 05:47 AM
Friend of Wrox
Join Date: Jan 2004
Posts: 1,870
;;;is there a difference in creating sessions in using the following urls to initiate the session. Both will eventually call the logon screen to gain access to the system.
I initiate tracking of session level values once they log in, not before. How do you know who they are? You can identify them with a cookie before login. Not completely sure what you're getting at, but yes, I would say a difference.
;;; if a user can run multiple sessions at the same time
What are you trying to achieve by doing this?
Wind is your friend
Matt

August 11th, 2005, 10:51 AM
Authorized User
Join Date: Feb 2005
Posts: 21
Matt
The idea behind multiple sessions is to allow the user to do two things at once.
E.g. the user could be in the middle of a patient registration screen but then get a phone call that needs an appointment creating.
The software runs as multi hospital and so users may log on to the system under different hospitals (data stored in a cookie).
On our support system someone has added the comments that if the users start with "//<Machine-Name>/Software" rather than "//<Machine-Name>/Software/startlogin.asp" then the system can be run more than once on the same PC without corrupting the cookie.
Since the last post I have done a little testing using one of the screens and adding writes to show information stored in the cookie. The information seems to remain correct for each instance of the browser and no corruption.
This seems ok but I now don't follow why it doesn't corrupt if both are using the same cookie. Can it be held in memory instead of the HDD and each instance is pointing to a different version of the cookie in memory?
I have also checked my cookie folder and the only cookie that changes is "<Username@Software". This seems to lose information, i.e. after logon it contains Hospital=ABC but then after the second logon the hospital=ABC is missing, yet both sessions seem to bring the correct hospitals back from the cookie.
Totally getting lost now and no idea of what's happening!
Thanks
Darren

August 11th, 2005, 06:27 PM
Friend of Wrox
Join Date: Jan 2004
Posts: 1,870
;;;The idea behind multiple sessions is to allow the user to do two things at once
Depending on how a system is designed, a user can do many, many things using the same session, requiring only one log-on. Are you saying within the same system a user has to log in multiple times to do multiple tasks? I would get very annoyed at this, especially since each login would require different UN and PWs.
What exactly is your definition of 'corrupting the cookie'?
;;Can it be held in memory instead of the HDD
Depends how it is being created. There are two types of cookies:
1. Session, or transient cookies
Cookies that are stored in the computer's memory only during a user's browsing session and are automatically deleted from the user's computer when the browser is closed (session expires).
2. Permanent, persistent, or stored cookies
Cookies that are stored on the user's computer and are not deleted when the browser is closed. Permanent cookies can retain user preferences for a particular web site, allowing those preferences to be used in future browsing sessions.
Wind is your friend
Matt
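
Added example (not part of the original thread or the posters' code): one way to tell which of the two cookie types above a site issues is to read its Set-Cookie response headers, since a cookie with no Expires or Max-Age attribute is a session cookie. The header values below are constructed samples and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample values, not captured from the system in the thread.
SAMPLE_NOW = datetime(2005, 8, 11, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "NIS=Hospital=ABC&UserId=DAZ; path=/",
    "NIS=Hospital=ABC; expires=Fri, 12 Aug 2005 09:42:00 GMT; path=/",
    "ASPSESSIONIDCONSTRUCTED=ABCDEF; path=/; HttpOnly",
    "NIS=; Max-Age=0; path=/",
]

def classify_set_cookie(header, now=None):
    """Classify one Set-Cookie value as 'session', 'persistent' or 'expired'."""
    now = now or datetime.now(timezone.utc)
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    expires_at = None
    if "max-age" in attrs:  # Max-Age wins over Expires when it is valid
        try:
            expires_at = now + timedelta(seconds=int(attrs["max-age"]))
        except (ValueError, OverflowError):
            pass  # malformed Max-Age is ignored
    if expires_at is None and "expires" in attrs:
        try:
            expires_at = parsedate_to_datetime(attrs["expires"])
            if expires_at.tzinfo is None:
                expires_at = expires_at.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            pass  # unparseable date: treated like a cookie with no expiry

    if expires_at is None:
        kind = "session"      # memory only, dropped when the browser closes
    elif expires_at <= now:
        kind = "expired"      # the server is deleting the cookie
    else:
        kind = "persistent"   # stored on the user's computer until expires_at
    return {"name": first.partition("=")[0], "kind": kind,
            "httponly": "httponly" in attrs, "secure": "secure" in attrs}

def report(headers, now=SAMPLE_NOW):
    return [classify_set_cookie(h, now) for h in headers]

if __name__ == "__main__":
    for row in report(SAMPLE_HEADERS):
        print(row)
```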

August 12th, 2005, 09:42 AM
Authorized User
Join Date: Feb 2005
Posts: 21
Matt
The system does have limitations but the user is looking at running two or more sessions running in separate instances of IE to allow say a report that processes million+ records before outputting and normal day to day processing. The logon ID/password would be the same but may be accessing data linked to different hospitals.
The comment on cookie types may be the answer. As mentioned before the hospital code when changed in two concurrent sessions seemed to always give the correct hosp code for the session so I assume that the code is in a session cookie.
Is there any easy way of checking?
Thanks
Darren

August 14th, 2005, 07:11 PM
Friend of Wrox
Join Date: Jan 2004
Posts: 1,870
I don't use Permanent cookies ever, I believe there is no need. The only thing I would ever use them for is to give a user a checkbox to tick that remembers their username. IMO a stupid feature, I do a lot of code for defence, security is paramount - need I say more.
;;;logon ID/password would be the same
If they are logging into different systems this would be logical. If they are logging into different areas of the same system, this shouldn't require them to log in more than once. Sounds like odd system design. Once you are logged into a system, the ability to visit different areas should be based on a user account's user level - or areas this account can access. Then in the head of all pages one line of code determines if a person should see the page. I use session variables this way:
1. Log in
2. Validate UN and PW
3. Get their userLevel (an integer, e.g. 1=god, 2=admin, 3=write, 4=read, 5=general OR 1=hospitals 1,2,3 - 2=hospitals 7,3,4 etc)
4. Assign this userLevel and their unique ID from the users table (usually called ID and is an auto incrementing integer) to session variables
    ' Store the access level and user ID server-side in the session
    session("UL") = RS("useLevel")
    session("ID") = rs("id")
Now in all restricted pages in the head do something like:
    ' Anyone whose level is above 1 is sent away from this page
    if session("UL") > 1 then
        response.redirect("someOtherPage.asp")
    end if
;;;seemed to always give the correct hosp code
This doesn't sound like a problem
;;;Is there any easy way of checking?
Look at the code. Follow the code, understand how it does what it does.
The code to check existing cookies (persistent)
<%
' Cookie names and values come from the client, so HTML-encode them before writing them out
dim x, y
for each x in Request.Cookies
    response.write("<p>")
    if Request.Cookies(x).HasKeys then
        ' Keyed cookie: list each subkey and its value
        for each y in Request.Cookies(x)
            response.write(Server.HTMLEncode(x & ":" & y & "=" & Request.Cookies(x)(y)))
            response.write("<br />")
        next
    else
        Response.Write(Server.HTMLEncode(x & "=" & Request.Cookies(x)) & "<br />")
    end if
    response.write "</p>"
next
%>
NOTE: search your code for 'Request.Cookies' to check where they are being set
The code to check existing session variables (temp stores in memory)
<%
'How many session variables are there?
Response.Write "There are " & Session.Contents.Count & _
    " Session variables<P>"
Dim strName, iLoop
For Each strName in Session.Contents
    'Is this session variable an array?
    If IsArray(Session(strName)) then
        'If it is an array, loop through each element one at a time
        For iLoop = LBound(Session(strName)) to UBound(Session(strName))
            Response.Write strName & "(" & iLoop & ") - " & _
                Session(strName)(iLoop) & "<BR>"
        Next
    Else
        'We aren't dealing with an array, so just display the variable
        Response.Write strName & " - " & Session.Contents(strName) & "<BR>"
    End If
Next
%>
NOTE: to check the code, search for 'session'
Wind is your friend
Matt