
Sessions & Cookies


Hello,

I posted a similar question in the "IIS Security" group but I think it
is more useful to post it here.

I want to do something very simple. Make a part of my website available
only for users with a username and password. The site is mainly ASP
based. The webserver is an IIS6 and I do NOT have access to server
settings (session timeout, security,...).

I use sessions to set the validation for the users. Basically you are
redirected to a form where you can give a username and password, this is
validated with the values in a database. If the password and username
are ok a session value is set <%=Session("Validated")=True%>.

At the beginning of each secured page I start with:
<%If Session("Validated")=False Then Response.Redirect("Login.asp") End
If%>

So if the session value "validated" is true you can see the secured
pages, else you are redirected to the logon page.

The default timeout value for session is 20 minutes. Because the session
should stay alive during the complete time of the visit I was thinking
of putting the session.timeout to 60 minutes. I set this at the beginning
of every secure page: <%Session.timeout=60%>

Now, users keep on contacting me saying that they have to relogon quite
often. This also seems to happen when a user is not on the website for
20 minutes already (session expired). I tested it myself and have the
feeling that I am indeed regularly redirected. Sometimes after 10
minutes, other times 30 minutes, ... There seems not to be any logic in
the time that users are redirected to the logon page.

Because the website is used to fill in a lot of long HTML forms, it is
very frustrating for the users when they are completing a form and then
pressing "Submit" being redirected to the logon page and lose all
entered data.

Is there somebody who can give me more info on the strange session
behavior? For me it is not normal that a session times out in that
illogical way.

The only solution I can think of is passing the post information to the
logon page and then redirect after validation back to the transaction
page.

How can you reset the timeout counter on a session in ASP? What I was
thinking was that I am doing it maybe wrong?

Now the session variable that lets a user have access to the site is set
once at logon time: (<%=Session("Validated")=True%>). Then it is
checked on every page that the user opens (<%If
Session("Validated")=False Then Response.Redirect("Login.asp") End If%>)

Would it be a good idea to re-set the variable every time a user
accesses a page? Like <%If Session("Validated")=False Then
Response.Redirect("Login.asp") Else Session("Validated")=True End If%>
Would this reset the timer that times out the session? Or do I have to
add something like <%Session.Abandon%> before setting the variable
again?

What would this do on the server performance?
Is this a good way of working with sessions?

Switch to cookies instead of sessions?

I am open for all suggestions, please help! In the future there are also
money transactions going over this website, so it has to be a secure
method! I will use a separate HTTPS host for this.

Thanks for your help!
Jul 22 '05 #1
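
The session gate described in the question, written as one shared include instead of a check repeated on every page. This is an added example, not code from the original post: each secured page would include the file and call `RequireLogin` as its first statement, and Login.asp would call `CompleteLogin` after checking the credentials. The file name and the names `RequireLogin`, `CompleteLogin`, `Session("ReturnUrl")` and `Default.asp` are assumptions.

```asp
<%
' RequireLogin.asp: hypothetical include file. Added example, not the poster's code.
' Assumed names: RequireLogin, CompleteLogin, Session("ReturnUrl"), Default.asp.

Sub RequireLogin()
    Dim validated
    validated = Session("Validated")

    ' Grant access only on an explicit Boolean True. After a timeout or an
    ' application restart the value is Empty, which is treated as "not logged on".
    If VarType(validated) = vbBoolean Then
        If validated Then
            Session.Timeout = 60   ' minutes, the value used in the post
            Exit Sub
        End If
    End If

    ' Remember which page was requested. Only the server-side script path is
    ' kept, in the session, so the later redirect cannot be pointed off-site.
    Session("ReturnUrl") = CStr(Request.ServerVariables("URL"))
    Response.Redirect "Login.asp"   ' Response.Redirect ends processing of the page
End Sub

' Called by Login.asp once the username and password matched the database.
Sub CompleteLogin()
    Dim target
    ' Assignment has to be a plain statement; the "=" output shorthand would
    ' write the result of a comparison to the page and leave the session unset.
    Session("Validated") = True

    target = Session("ReturnUrl")
    Session.Contents.Remove "ReturnUrl"
    If VarType(target) <> vbString Then target = "Default.asp"
    If Len(target) = 0 Then target = "Default.asp"
    Response.Redirect target
End Sub
%>
```

The query string and any posted form data are not carried across the logon in this version; only the page path is restored.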
2 Replies


Ik Ben Het wrote:
The default timeout value for session is 20 minutes...

...Users keep on contacting me saying that they have to relogon
quite often. This also seems to happen when a user is not on the
website for 20 minutes already (session expired)...


There are any number of possibilities. Here is a good list of things to
consider:
http://aspfaq.com/show.asp?id=2157

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 22 '05 #2

Hello Dave,

Thank you very much. Indeed a lot of answers to my questions!

Jul 22 '05 #3
