Session alternatives and hacks?

Ok, so Session is less than desirable, at least that's what I'm always
reading. So what are real, practical alternatives? Querystrings? an
endless chain of hidden form fields??

Here are the things I'm looking for specifically....

1). I need to identify users uniquely as clients in some kind of
maintainable state.

2). I need to track anonymous user page views, etc. I'm guessing
Application level but don't know how to track users individually doing this.
Page views maybe, but not the succession in which they're viewed

Is there a way to do this without Session that isn't a pain in the a#*? Or
is Session just not that bad? I've used it a lot with users that manage
their "own" content but now I need to manage "all" users.

Oh, and how "safe" is Session? I need to know how hackers get into sites
that use the plain old "If userID <> Session("userID").....". Is there a
way that hackers can create their own session and get by this?

Thanks!
Jul 22 '05 #1
On Fri, 04 Mar 2005 13:11:06 GMT, "John"
<no***@amIgivingitouthere.com> wrote:

> Ok, so Session is less than desirable, at least that's what I'm always
> reading. So what are real, practical alternatives? Querystrings? an
> endless chain of hidden form fields??

Why are sessions less than desirable?

> Here are the things I'm looking for specifically....
>
> 1). I need to identify users uniquely as clients in some kind of
> maintainable state.
>
> 2). I need to track anonymous user page views, etc. I'm guessing
> Application level but don't know how to track users individually doing this.
> Page views maybe, but not the succession in which they're viewed
>
> Is there a way to do this without Session that isn't a pain in the a#*? Or
> is Session just not that bad? I've used it a lot with users that manage
> their "own" content but now I need to manage "all" users.
>
> Oh, and how "safe" is Session? I need to know how hackers get into sites
> that use the plain old "If userID <> Session("userID").....". Is there a
> way that hackers can create their own session and get by this?

Okay, that's not sessions. That's security. If your issue is
maintaining security state through sessions you have a different set
of questions. Though you may find that hackers get into sites without
having to spoof a session a lot easier.

Jeff
Jul 22 '05 #2
"John" <no***@amIgivingitouthere.com> wrote in message
news:K7******************@twister.nyroc.rr.com...
> Ok, so Session is less than desirable, at least that's what I'm always
> reading. So what are real, practical alternatives? Querystrings? an
> endless chain of hidden form fields??

Sessions are not undesirable. It's only that the scalability gets limited if
you store the session in RAM.
If you use 'hidden form fields' you'll have something like ASP.NET which
uses a ViewState mechanism. If you start talking about that, there are
people that swear against :)

--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm

> Here are the things I'm looking for specifically....
>
> 1). I need to identify users uniquely as clients in some kind of
> maintainable state.
>
> 2). I need to track anonymous user page views, etc. I'm guessing
> Application level but don't know how to track users individually doing
> this.
> Page views maybe, but not the succession in which they're viewed
>
> Is there a way to do this without Session that isn't a pain in the a#*?
> Or
> is Session just not that bad? I've used it a lot with users that manage
> their "own" content but now I need to manage "all" users.
>
> Oh, and how "safe" is Session? I need to know how hackers get into sites
> that use the plain old "If userID <> Session("userID").....". Is there a
> way that hackers can create their own session and get by this?
>
> Thanks!

Jul 22 '05 #3
RAM-based ASP Session state is not good in circumstances such as "recycling"
in IIS 6, and web farms. These newsgroups are full of posts such as
"...help!...all my session variables have disappeared" due to people being
suckered into the simplicity of ASP Sessions.

Tony Proctor

"Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> wrote in
message news:#T**************@TK2MSFTNGP12.phx.gbl...
> "John" <no***@amIgivingitouthere.com> wrote in message
> news:K7******************@twister.nyroc.rr.com...
> > Ok, so Session is less than desirable, at least that's what I'm always
> > reading. So what are real, practical alternatives? Querystrings? an
> > endless chain of hidden form fields??
>
> Sessions are not undesirable. It's only that the scalability gets limited
> if you store the session in RAM.
> If you use 'hidden form fields' you'll have something like ASP.NET which
> uses a ViewState mechanism. If you start talking about that, there are
> people that swear against :)
>
> --
> compatible web farm Session replacement for Asp and Asp.Net
> http://www.nieropwebconsult.nl/asp_session_manager.htm
>
> > Here are the things I'm looking for specifically....
> >
> > 1). I need to identify users uniquely as clients in some kind of
> > maintainable state.
> >
> > 2). I need to track anonymous user page views, etc. I'm guessing
> > Application level but don't know how to track users individually doing
> > this.
> > Page views maybe, but not the succession in which they're viewed
> >
> > Is there a way to do this without Session that isn't a pain in the a#*?
> > Or
> > is Session just not that bad? I've used it a lot with users that manage
> > their "own" content but now I need to manage "all" users.
> >
> > Oh, and how "safe" is Session? I need to know how hackers get into sites
> > that use the plain old "If userID <> Session("userID").....". Is there a
> > way that hackers can create their own session and get by this?
> >
> > Thanks!

Jul 22 '05 #4
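
Added example, not part of any post in this thread: one way to carry per-user state in a hidden form field or cookie, as discussed in posts #3 and #4, so that it survives process recycling and works on a web farm while the client cannot alter values such as userID. It is written in Python for illustration rather than ASP; `SERVER_KEY`, `MAX_AGE`, `issue_token` and `verify_token` are hypothetical names, and the key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. On a web farm every node would load the same
# key from protected configuration, so any node can verify the token.
SERVER_KEY = b"constructed-demo-key-replace-me"
MAX_AGE = 20 * 60  # seconds a token stays valid (assumed policy)


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def sign(payload: str, key: bytes) -> str:
    return b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())


def issue_token(state: dict, now=None, key=SERVER_KEY) -> str:
    """Serialize state with an issue time and append an HMAC-SHA256 tag."""
    body = dict(state, iat=int(time.time() if now is None else now))
    payload = b64(json.dumps(body, sort_keys=True).encode("utf-8"))
    return payload + "." + sign(payload, key)


def verify_token(token: str, now=None, key=SERVER_KEY):
    """Return the state dict, or None if malformed, altered or expired."""
    try:
        payload, tag = token.split(".")
        # Check the tag before parsing anything the client controls.
        if not hmac.compare_digest(tag.encode(), sign(payload, key).encode()):
            return None
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    age = int(time.time() if now is None else now) - body["iat"]
    return body if 0 <= age <= MAX_AGE else None


if __name__ == "__main__":
    token = issue_token({"userID": 42})
    print(verify_token(token))                   # state comes back intact
    print(verify_token(token[:-2] + "AA"))       # altered tag is rejected
```

The tag only protects integrity: the payload is readable by the client, and a copied token stays usable until it expires, so it should travel over TLS and hold nothing secret.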
ok, this is stuff I need to learn. Suggestions where I can learn more
thoroughly about Session? And not just a Microsoft documentation please.
Those are great for reference but they are NOT good teaching materials. I'm
not a "beginner" either so I don't need my hand held. Is there anything in
the middle?

Thanks
"Tony Proctor" <tony_proctor@aimtechnology_NoMoreSPAM_.com> wrote in message
news:uT**************@TK2MSFTNGP14.phx.gbl...
> RAM-based ASP Session state is not good in circumstances such as "recycling"
> in IIS 6, and web farms. These newsgroups are full of posts such as
> "...help!...all my session variables have disappeared" due to people being
> suckered into the simplicity of ASP Sessions.
>
> Tony Proctor
>
> "Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> wrote in
> message news:#T**************@TK2MSFTNGP12.phx.gbl...
> > "John" <no***@amIgivingitouthere.com> wrote in message
> > news:K7******************@twister.nyroc.rr.com...
> > > Ok, so Session is less than desirable, at least that's what I'm always
> > > reading. So what are real, practical alternatives? Querystrings? an
> > > endless chain of hidden form fields??
> >
> > Sessions are not undesirable. It's only that the scalability gets limited if
> > you store the session in RAM.
> > If you use 'hidden form fields' you'll have something like ASP.NET which
> > uses a ViewState mechanism. If you start talking about that, there are
> > people that swear against :)
> >
> > --
> > compatible web farm Session replacement for Asp and Asp.Net
> > http://www.nieropwebconsult.nl/asp_session_manager.htm
> >
> > > Here are the things I'm looking for specifically....
> > >
> > > 1). I need to identify users uniquely as clients in some kind of
> > > maintainable state.
> > >
> > > 2). I need to track anonymous user page views, etc. I'm guessing
> > > Application level but don't know how to track users individually doing
> > > this.
> > > Page views maybe, but not the succession in which they're viewed
> > >
> > > Is there a way to do this without Session that isn't a pain in the a#*? Or
> > > is Session just not that bad? I've used it a lot with users that manage
> > > their "own" content but now I need to manage "all" users.
> > >
> > > Oh, and how "safe" is Session? I need to know how hackers get into
> > > sites that use the plain old "If userID <> Session("userID").....". Is
> > > there a way that hackers can create their own session and get by this?
> > >
> > > Thanks!


Jul 22 '05 #5
Why do you post this? Did I -say- that sessions in RAM are OK?

I do have a product that solves this problem very elegantly. But every
solution has its drawbacks. So is a session in a DB demanding a lot of
resources for the DB.

--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm

"Tony Proctor" <tony_proctor@aimtechnology_NoMoreSPAM_.com> wrote in message
news:uT**************@TK2MSFTNGP14.phx.gbl...
> RAM-based ASP Session state is not good in circumstances such as
> "recycling"
> in IIS 6, and web farms. These newsgroups are full of posts such as
> "...help!...all my session variables have disappeared" due to people being
> suckered into the simplicity of ASP Sessions.
>
> Tony Proctor
>
> "Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> wrote in
> message news:#T**************@TK2MSFTNGP12.phx.gbl...
> > "John" <no***@amIgivingitouthere.com> wrote in message
> > news:K7******************@twister.nyroc.rr.com...
> > > Ok, so Session is less than desirable, at least that's what I'm always
> > > reading. So what are real, practical alternatives? Querystrings? an
> > > endless chain of hidden form fields??
> >
> > Sessions are not undesirable. It's only that the scalability gets limited
> > if you store the session in RAM.
> > If you use 'hidden form fields' you'll have something like ASP.NET which
> > uses a ViewState mechanism. If you start talking about that, there are
> > people that swear against :)
> >
> > --
> > compatible web farm Session replacement for Asp and Asp.Net
> > http://www.nieropwebconsult.nl/asp_session_manager.htm
> >
> > > Here are the things I'm looking for specifically....
> > >
> > > 1). I need to identify users uniquely as clients in some kind of
> > > maintainable state.
> > >
> > > 2). I need to track anonymous user page views, etc. I'm guessing
> > > Application level but don't know how to track users individually doing
> > > this.
> > > Page views maybe, but not the succession in which they're viewed
> > >
> > > Is there a way to do this without Session that isn't a pain in the a#*?
> > > Or
> > > is Session just not that bad? I've used it a lot with users that
> > > manage
> > > their "own" content but now I need to manage "all" users.
> > >
> > > Oh, and how "safe" is Session? I need to know how hackers get into sites
> > > that use the plain old "If userID <> Session("userID").....". Is there a
> > > way that hackers can create their own session and get by this?
> > >
> > > Thanks!

Jul 22 '05 #6
My apologies Egbert. I obviously misread your post and replied too soon

Tony Proctor

"Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> wrote in
message news:Ol**************@TK2MSFTNGP09.phx.gbl...
> Why do you post this? Did I -say- that sessions in RAM are OK?
>
> I do have a product that solves this problem very elegantly. But every
> solution has its drawbacks. So is a session in a DB demanding a lot of
> resources for the DB.
>
> --
> compatible web farm Session replacement for Asp and Asp.Net
> http://www.nieropwebconsult.nl/asp_session_manager.htm
>
> "Tony Proctor" <tony_proctor@aimtechnology_NoMoreSPAM_.com> wrote in message
> news:uT**************@TK2MSFTNGP14.phx.gbl...
> > RAM-based ASP Session state is not good in circumstances such as
> > "recycling"
> > in IIS 6, and web farms. These newsgroups are full of posts such as
> > "...help!...all my session variables have disappeared" due to people being
> > suckered into the simplicity of ASP Sessions.
> >
> > Tony Proctor
> >
> > "Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> wrote in
> > message news:#T**************@TK2MSFTNGP12.phx.gbl...
> > > "John" <no***@amIgivingitouthere.com> wrote in message
> > > news:K7******************@twister.nyroc.rr.com...
> > > > Ok, so Session is less than desirable, at least that's what I'm always
> > > > reading. So what are real, practical alternatives? Querystrings? an
> > > > endless chain of hidden form fields??
> > >
> > > Sessions are not undesirable. It's only that the scalability gets limited
> > > if you store the session in RAM.
> > > If you use 'hidden form fields' you'll have something like ASP.NET
> > > which uses a ViewState mechanism. If you start talking about that, there are
> > > people that swear against :)
> > >
> > > --
> > > compatible web farm Session replacement for Asp and Asp.Net
> > > http://www.nieropwebconsult.nl/asp_session_manager.htm
> > >
> > > > Here are the things I'm looking for specifically....
> > > >
> > > > 1). I need to identify users uniquely as clients in some kind of
> > > > maintainable state.
> > > >
> > > > 2). I need to track anonymous user page views, etc. I'm guessing
> > > > Application level but don't know how to track users individually doing
> > > > this.
> > > > Page views maybe, but not the succession in which they're viewed
> > > >
> > > > Is there a way to do this without Session that isn't a pain in the a#*?
> > > > Or
> > > > is Session just not that bad? I've used it a lot with users that
> > > > manage
> > > > their "own" content but now I need to manage "all" users.
> > > >
> > > > Oh, and how "safe" is Session? I need to know how hackers get into sites
> > > > that use the plain old "If userID <> Session("userID").....". Is there a
> > > > way that hackers can create their own session and get by this?
> > > >
> > > > Thanks!


Jul 22 '05 #7
