Proper use of Session

A user enters a password. Via stored procedure I look up that (unique)
password. If it is found I save the userID to a Session("userID") for
later use. I use no other saved variables than this one.

If Session("userID") is not set, trying to access any other page
results in a response.redirect to the default.aspx - this I find to be
a simple and useful way of handling user access.

My colleague finds this improper use of Session. "What if user starts
entering data and leaves for lunch or a meeting - when he comes back
the session has run out". That is the only valid argument he can give
me - an okay argument.

He believes the proper way is to use a QueryString instead. My argument
is that I don't want the user to be able to access others' data just by
entering the proper value in the querystring through the browser's
address line.

Also I can see the advantage of querystring if a long list/table
(multiple records) is clicked to show detailed information (one
record). But this is not the case right now.

What pros and cons do Session and QueryString have in comparison? Or
is it even senseless to compare these?

Regards /Morten
Jan 15 '07 #1
Stick with your feelings and ask your friend if he's ever used the Internet
before. Yes, that's right, if a user goes to lunch, his session will expire
(you can adjust this timeout). But this is how many, many, many, many, many
sites work! You can offer the option of "remember me" and save the person's
login information in cookies. Then, at the firing of a new session, you can
see if login information was sent via cookies and log the person in that
way. If not, redirect him to the default page. But, no matter what, don't
listen to your friend! :]

Ray at work
Jan 15 '07 #2
"Ray Costanzo" <my first name at lane34 dot commercial> wrote in message
news:O6**************@TK2MSFTNGP03.phx.gbl...
> But, no matter what, don't listen to your friend! :]

Most definitely!
Jan 15 '07 #3
Your friend is most definitely wrong - but why are you not using forms
authentication? That way you can use security attributes to keep users out
of places where they should not be, and you don't need to maintain data in
the Session at all.

Sorry if I've misunderstood you and that is actually what you are doing.

HTH
Peter

Jan 15 '07 #4
> My colleague finds this improper use of Session. "What if user starts
> entering data and leaves for lunch or a meeting - when he comes back
> the session has run out". That is the only valid argument he can give
> me - an okay argument.

Yep, that's a good thing... what if the user leaves for the day and
remains logged in so the cleaning woman can delete every row of data?

I would do a couple of things, though. 1) Forward the user to a page that
explains that their session has run out due to inactivity for X number
of minutes, so they know what the hell is going on. 2) Make sure no
form takes so long to enter that the session runs out while they're
actually working.

If users bitch and moan about a 20 minute session, you can always bump
it up. On one app, we have ours set to 60 minutes because a user will
often be on the phone with a customer while accessing the app, and will
be flipping back and forth between the app and an Excel sheet.

> He believes the proper way is to use a QueryString instead. My argument
> is that I don't want the user to be able to access others' data just by
> entering the proper value in the querystring through the browser's
> address line.

The QS is no security whatsoever. You're right, he's wrong.

Jan 15 '07 #5
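
Added example (not code from any poster in this thread): an ASP.NET code-behind in which the query string only selects which record to show, while identity comes from `Session("userID")` and ownership is enforced in the SQL itself, so editing the address bar cannot return another user's row. The page `Detail.aspx`, the `id` parameter, the `Records` table and its columns, the `AppDb` connection string, the `TitleLabel` control and an integer userID are all assumptions made for illustration.

```vbnet
' Detail.aspx.vb - hypothetical page; table, column and control names are assumed.
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Partial Public Class Detail
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Identity comes only from server-side session state, set at login.
        If Session("userID") Is Nothing Then
            ' Session missing or timed out: back to the login page, and say why.
            Response.Redirect("default.aspx?expired=1", True)
        End If
        Dim userId As Integer = CInt(Session("userID"))

        ' The query string is untrusted input; it may only pick a record.
        Dim recordId As Integer
        If Not Integer.TryParse(Request.QueryString("id"), recordId) Then
            Response.StatusCode = 400
            Response.End()
        End If

        ' Ownership check lives in the WHERE clause, with parameters
        ' rather than string concatenation.
        Dim connStr As String = _
            ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand( _
                "SELECT Title FROM Records WHERE RecordID = @id AND OwnerID = @owner", conn)
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = recordId
                cmd.Parameters.Add("@owner", SqlDbType.Int).Value = userId
                conn.Open()
                Dim title As Object = cmd.ExecuteScalar()   ' Title assumed NOT NULL
                If title Is Nothing Then
                    ' Same answer for "no such record" and "not your record".
                    Response.StatusCode = 404
                    Response.End()
                End If
                TitleLabel.Text = Server.HtmlEncode(CStr(title))
            End Using
        End Using
    End Sub
End Class
```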
On Mon, 15 Jan 2007 14:41:05 -0000, "Peter Bradley"
<pb******@uwic.ac.uk> wrote:

> Your friend is most definitely wrong - but why are you not using forms
> authentication? That way you can use security attributes to keep users out
> of places where they should not be, and you don't need to maintain data in
> the Session at all.

I'm fairly new to ASP.NET and I've found out about forms
authentication too late. We're entering test phase first coming
Monday, so I'm on a tight schedule.

I consider the current security to be efficient enough. It is a closed
system with 2,500 known users.

Thanks for your reply.

/Snedker
Jan 16 '07 #6
> I consider the current security to be efficient enough. It is a closed
> system with 2,500 known users

Worst type. Nearly all crackers are internal.

I'd change it - but I'm not you so YMMV.
Peter
Jan 16 '07 #7