login and sessions

Ricardo Furtado

When developing web pages I usually check if the user is logged in by using
sessions.
Yesterday I read something about the downsides of sessions and one of them
is when computers don't allow sessions.
What should be the best way to check if a user is logged in?
 
Tim Slattery

Ricardo Furtado said:
> When developing web pages I usually check if the user is logged in by using
> sessions.
> Yesterday I read something about the downsides of sessions and one of them
> is when computers don't allow sessions.
> What should be the best way to check if a user is logged in?

Sessions are maintained server-side. They are identified by a cookie
that's passed back and forth between the server and client. Most
clients will allow session cookies even if they don't allow persistent
cookies. If the client doesn't allow session cookies, then there's
nothing much you can do to maintain a session. (And the user has cut
himself off from a LARGE part of the web!)
 
Ricardo Furtado

Thanks for your answer.

So, but can I believe that sessions are the best option for this kind of
task? Better than passing a session ID in every URL or even global variables?
 
Evertjan.

Ricardo Furtado wrote on 31 aug 2010 in
microsoft.public.inetserver.asp.general:

[please do not top post or quote signatures on usenet]

> Thanks for your answer.
>
> So, but can I believe that sessions are the best option for this kind
> of task? Better than passing a session ID in every URL

A session is passing a session ID in every request header.

Why do you think "the best" exists?
That is a matter of taste, not of axioms.

> or even global variables?

Uh? What do you mean, global where? On the server?
As an application variable?
Or as a session variable? [you would need a session for the latter]
Or on the browser?
How would you recognize a specific user with those?
 
Bwig Zomberi

Ricardo said:
> When developing web pages I usually check if the user is logged in by using
> sessions.
> Yesterday I read something about the downsides of sessions and one of them
> is when computers don't allow sessions.
> What should be the best way to check if a user is logged in?

Use session variables to maintain login details. Use response.cookies to
maintain other details such as user preferences, shopping cart details...
 
Ricardo Furtado

Ok, thank you all for your answers.
I'll do that, Bwig Zomberi. Great tip.
 
Evertjan.

Bwig Zomberi wrote on 02 sep 2010 in
microsoft.public.inetserver.asp.general:

> Use session variables to maintain login details. Use response.cookies
> to maintain other details such as user preferences, shopping cart
> details...

Why?

It seems ridiculous if [as you should] you want to keep those details only
for the session.

Shopping cart details are part of the session and can better be kept on the
server to prevent malicious use.

Preferences could be kept in persistent cookies between sessions, if you
want to save them for future use; however, since you would keep login
details on a server-side database, they are better kept in that database, to
prevent another user on the same browser from being presented with another's
preferences, and the same user on another browser or PC without his [or
her] preferences.

So all in all, no, don't use cookies in a shopping cart environment, but
for the ASP automatic session.id cookie.
 
Bwig Zomberi

Evertjan. said:
> Bwig Zomberi wrote on 02 sep 2010 in
> microsoft.public.inetserver.asp.general:
>
> > Use session variables to maintain login details. Use response.cookies
> > to maintain other details such as user preferences, shopping cart
> > details...
>
> Why?
>
> It seems ridiculous if [as you should] you want to keep those details only
> for the session.
>
> Shopping cart details are part of the session and can better be kept on the
> server to prevent malicious use.
>
> Preferences could be kept in persistent cookies between sessions, if you
> want to save them for future use; however, since you would keep login
> details on a server-side database, they are better kept in that database, to
> prevent another user on the same browser from being presented with another's
> preferences, and the same user on another browser or PC without his [or
> her] preferences.
>
> So all in all, no, don't use cookies in a shopping cart environment, but
> for the ASP automatic session.id cookie.

Cookies can be made to expire. Details stored in the cookie should be
mapped to the user id and should be used only if the user is logged in.

You can of course store shopping cart and other details on the server
but that is a lot of work. ;-) It is easier to maintain an activity log
in ASP.NET.

Session variables are a limited resource. Most websites are on shared
servers. So, it is best to limit the use of session variables.
 
Evertjan.

Bwig Zomberi wrote on 06 sep 2010 in
microsoft.public.inetserver.asp.general:

> Cookies can be made to expire. Details stored in the cookie should be
> mapped to the user id and should be used only if the user is logged
> in.

Wait!

Do not discuss session cookies and expiring cookies in the same way.

While the latter often are disallowed by users, the session cookies,
that only live till the browser has stopped or the domain is no longer
accessed, are most often allowed, making the ASP session.id cookie
possible and so the ASP session.

> You can of course store shopping cart and other details on the server
> but that is a lot of work. ;-)

You can see that as a joke, but it is not. The only safe programming is
server-side programming, and a shopping cart should not be influenced by
interfering code on the browser, like the Firefox and Chrome extensions.

> It is easier to maintain an activity log
> in ASP.NET.

Off topic, this is a classic ASP NG.

> Session variables are a limited resource. Most websites are on shared
> servers. So, it is best to limit the use of session variables.

No it is not,
because of the simple truth that "is best" does not exist in
programming.

Having a shopping cart without enough resources asks for more resources
in professional surroundings, not for unsafe escape practices.
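
As an added illustration of the design argued over in this thread (not code from any poster, and written in Python rather than classic ASP so that it runs stand-alone): the cookie carries only a random session ID, while the login state and the cart stay on the server. `SessionStore`, `PRICES` and the `item:qty:price` cookie format are assumptions made for the example; `total_from_cookie` is the cookie-held cart kept for contrast.

```python
import secrets

PRICES = {"book": 20, "pen": 2}  # constructed catalogue; prices exist only server-side

class SessionStore:
    """Server-side state keyed by a random ID; the cookie carries only that ID."""
    def __init__(self):
        self._data = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {"user": None, "cart": {}}
        return sid  # value the server would send in the session cookie

    def get(self, cookie_sid):
        return self._data.get(cookie_sid)  # unknown or forged ID -> None

def login(store, cookie_sid, user):
    session = store.get(cookie_sid)
    if session is not None:
        session["user"] = user

def is_logged_in(store, cookie_sid):
    session = store.get(cookie_sid)
    return bool(session and session["user"])

def add_to_cart(store, cookie_sid, item, qty):
    session = store.get(cookie_sid)
    if session is None or item not in PRICES or qty < 1:
        return False
    session["cart"][item] = session["cart"].get(item, 0) + qty
    return True

def total_server_side(store, cookie_sid):
    session = store.get(cookie_sid)
    if session is None:
        return 0
    return sum(PRICES[item] * qty for item, qty in session["cart"].items())

def total_from_cookie(cart_cookie):
    """Weak design for contrast: trusts 'item:qty:price|...' sent by the browser."""
    total = 0
    for entry in cart_cookie.split("|"):
        _item, qty, price = entry.split(":")
        total += int(qty) * int(price)
    return total
```

With the cart held in the session, a client that edits its cookie can at most lose its session; with the cart held in the cookie, the same edit changes the total the server computes.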
 
