Proper use of Session

A user enters a password. Via stored procedure I look up that (unique)
password. If it is found I save the userID to a Session("userID") for
later use. I use no other saved variables than this one.

If Session("userID") is not set, trying to access any other page
results in a response.redirect to the default.aspx - this I find to be
a simple and useful way of handling user access.

My colleague finds this improper use of Session. "What if user starts
entering data and leaves for lunch or a meeting - when he comes back
the session has run out". That is the only valid argument he can give
me - an okay argument.

He believes the proper way is to use a QueryString instead. My argument
is that I don't want the user to be able to see others' data just by
entering the proper value in the querystring through the browser's
address line.

Also I can see the advantage of querystring if a long list/table
(multiple records) is clicked to show detailed information (one
record). But this is not the case right now.

What pros and cons do Session and QueryString have in comparison? Or
is it even senseless to compare these?

Regards /Morten
Jan 15 '07 #1
Stick with your feelings and ask your friend if he's ever used the Internet
before. Yes, that's right, if a user goes to lunch, his session will expire
(you can adjust this timeout). But this is how many, many, many, many, many
sites work! You can offer the option of "remember me" and save the person's
login information in cookies. Then, at the firing of a new session, you can
see if login information was sent via cookies and log the person in that
way. If not, redirect him to the default page. But, no matter what, don't
listen to your friend! :]

Ray at work
Jan 15 '07 #2
"Ray Costanzo" <my first name at lane34 dot commercial> wrote in message
news:O6**************@TK2MSFTNGP03.phx.gbl...
> But, no matter what, don't listen to your friend! :]

Most definitely!
Jan 15 '07 #3
Your friend is most definitely wrong - but why are you not using forms
authentication? That way you can use security attributes to keep users out
of places where they should not be, and you don't need to maintain data in
the Session at all.

Sorry if I've misunderstood you and that is actually what you are doing.

HTH
Peter

Jan 15 '07 #4
> My colleague finds this improper use of Session. "What if user starts
> entering data and leaves for lunch or a meeting - when he comes back
> the session has run out". That is the only valid argument he can give
> me - an okay argument.

Yep, that's a good thing... what if the user leaves for the day and
remains logged in so the cleaning woman can delete every row of data?

I would do a couple of things, though. 1) Forward the user to a page that
explains that their session has run out due to inactivity for X number
of minutes, so they know what the hell is going on. 2) Make sure no
form takes so long to enter that the session runs out while they're
actually working.

If users bitch and moan about a 20 minute session, you can always bump
it up. On one app, we have ours set to 60 minutes because a user will
often be on the phone with a customer while accessing the app, and will
be flipping back and forth between the app and an Excel sheet.

> He believes the proper way is to use a QueryString instead. My argument
> is that I don't want the user to be able to see others' data just by
> entering the proper value in the querystring through the browser's
> address line.

The QS is no security whatsoever. You're right, he's wrong.

Jan 15 '07 #5
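
Added example, not code from any poster in this thread: the Session("userID") check from the original post combined with the list/detail query string case it mentions, where the query string only picks the record and the session decides whose data may be shown. The class names, the `AppDb` connection string, the `GetOrderForUser` stored procedure and the integer userID are assumptions.

```vb
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.UI

' Hypothetical base class for every page behind the login.
Public Class SecurePage
    Inherits Page

    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        ' Identity comes only from server-side session state set at login.
        If Session("userID") Is Nothing Then
            Response.Redirect("default.aspx", True)
        End If
        MyBase.OnInit(e)
    End Sub
End Class

' Hypothetical detail page, requested as OrderDetail.aspx?id=123.
Public Class OrderDetail
    Inherits SecurePage

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim orderId As Integer
        ' The query string only selects a record; treat it as untrusted input.
        If Not Integer.TryParse(Request.QueryString("id"), orderId) Then
            Response.Redirect("default.aspx", True)
        End If

        Dim cs As String = ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        Using conn As New SqlConnection(cs)
            Using cmd As New SqlCommand("GetOrderForUser", conn)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.AddWithValue("@OrderId", orderId)
                ' Ownership is enforced with the session's userID, never a URL value.
                cmd.Parameters.AddWithValue("@UserId", CInt(Session("userID")))
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    If Not reader.Read() Then
                        ' Not found or not owned by this user: same response for both.
                        Response.StatusCode = 404
                        Response.End()
                    End If
                    ' Assumed: first column is a text field to display.
                    Response.Write(Server.HtmlEncode(reader.GetString(0)))
                End Using
            End Using
        End Using
    End Sub
End Class
```

Changing `id` in the address bar then yields either the caller's own record or a 404, because the stored procedure filters on both parameters.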
On Mon, 15 Jan 2007 14:41:05 -0000, "Peter Bradley"
<pb******@uwic.ac.uk> wrote:
> Your friend is most definitely wrong - but why are you not using forms
> authentication? That way you can use security attributes to keep users out
> of places where they should not be, and you don't need to maintain data in
> the Session at all.

I'm fairly new to ASP.NET and I've found out about forms
authentication too late. We're entering test phase first coming
Monday, so I'm on a tight schedule.

I consider the current security to be efficient enough. It is a closed
system with 2,500 known users.

Thanks for your reply.

/Snedker
Jan 16 '07 #6
> I consider the current security to be efficient enough. It is a closed
> system with 2,500 known users

Worst type. Nearly all crackers are internal.

I'd change it - but I'm not you so YMMV.
Peter
Jan 16 '07 #7
