Session alternatives and hacks?

Ok, so Session is less than desirable, at least that's what I'm always
reading. So what are real, practical alternatives? Querystrings? an
endless chain of hidden form fields??

Here are the things I'm looking for specifically....

1). I need to identify users uniquely as clients in some kind of
maintainable state.

2). I need to track anonymous user page views, etc. I'm guessing
Application level but don't know how to track users individually doing this.
Page views maybe, but not the succession in which they're viewed

Is there a way to do this without Session that isn't a pain in the a#*? Or
is Session just not that bad? I've used it a lot with users that manage
their "own" content but now I need to manage "all" users.

Oh, and how "safe" is Session? I need to know how hackers get into sites
that use the plain old "If userID <> Session("userID").....". Is there a
way that hackers can create their own session and get by this?

Thanks!
Jul 22 '05 #1
On Fri, 04 Mar 2005 13:11:06 GMT, "John"
<no***@amIgivingitouthere.com> wrote:
> Ok, so Session is less than desirable, at least that's what I'm always
> reading. So what are real, practical alternatives? Querystrings? an
> endless chain of hidden form fields??

Why are sessions less than desirable?

> Here are the things I'm looking for specifically....
>
> 1). I need to identify users uniquely as clients in some kind of
> maintainable state.
>
> 2). I need to track anonymous user page views, etc. I'm guessing
> Application level but don't know how to track users individually doing this.
> Page views maybe, but not the succession in which they're viewed
>
> Is there a way to do this without Session that isn't a pain in the a#*? Or
> is Session just not that bad? I've used it a lot with users that manage
> their "own" content but now I need to manage "all" users.
>
> Oh, and how "safe" is Session? I need to know how hackers get into sites
> that use the plain old "If userID <> Session("userID").....". Is there a
> way that hackers can create their own session and get by this?


Okay, that's not sessions. That's security. If your issue is
maintaining security state through sessions you have a different set
of questions. Though you may find that hackers get into sites without
having to spoof a session a lot easier.

Jeff
Jul 22 '05 #2
"John" <no***@amIgivingitouthere.com> wrote in message
news:K7******************@twister.nyroc.rr.com...
> Ok, so Session is less than desirable, at least that's what I'm always
> reading. So what are real, practical alternatives? Querystrings? an
> endless chain of hidden form fields??

Sessions are not undesirable. It's only that the scalability gets limited if
you store the session in RAM.
If you use 'hidden form fields' you'll have something like ASP.NET which
uses a ViewState mechanism. If you start talking about that, there are
people that swear against :)

--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm

Jul 22 '05 #3
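
The hidden-form-field route raised in the question and in the reply above moves state to the client, where the user can edit it, so the server has to authenticate whatever comes back; a server-side Session keeps the userID on the server and hands the browser only a session identifier. The following is an added example, not code from any poster, sketching that check in Python rather than ASP; `SERVER_KEY`, `issue_state` and `read_state` are hypothetical names and the key is a constructed placeholder.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption): a real site loads a random secret
# from server-side configuration and never sends it to the browser.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_state(user_id: str, now: int, ttl: int = 1200) -> str:
    """Build the value the server writes into a hidden field or cookie."""
    payload = f"{user_id}|{now + ttl}".encode("utf-8")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)


def read_state(token: str, now: int):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None  # wrong shape or undecodable base64
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison; any client-side edit of the payload fails here.
    if not hmac.compare_digest(tag, expected):
        return None
    # Payload is authentic from this point on, so parsing it is safe.
    user_id, _, expires = payload.decode("utf-8").rpartition("|")
    if now >= int(expires):
        return None  # stale state is rejected like an expired session
    return user_id


if __name__ == "__main__":
    token = issue_state("alice", now=1000)
    print(read_state(token, now=1001))  # value issued by the server
    edited = b64(b"admin|2200") + "." + token.split(".")[1]
    print(read_state(edited, now=1001))  # user id changed, old tag reused
```
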
RAM-based ASP Session state is not good in circumstances such as "recycling"
in IIS 6, and web farms. These newsgroups are full of posts such as
"...help!...all my session variables have disappeared" due to people being
suckered into the simplicity of ASP Sessions.

Tony Proctor
Jul 22 '05 #4
ok, this is stuff I need to learn. Suggestions where I can learn more
thoroughly about Session? And not just a Microsoft documentation please.
Those are great for reference but they are NOT good teaching materials. I'm
not a "beginner" either so I don't need my hand held. Is there anything in
the middle?

Thanks
Jul 22 '05 #5
Why do you post this? Did I -say- that sessions in RAM are OK?

I do have a product that solves this problem very elegantly. But every
solution has its drawbacks. So is a session in a DB demanding a lot of
resources for the DB.

--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm
Jul 22 '05 #6
My apologies Egbert. I obviously misread your post and replied too soon.

Tony Proctor
Jul 22 '05 #7
