Can this be changed on the user's machine by editing the cookie directly? (Please tell me it can't!) If so, will ASP know it has been tampered with, and refuse to "accept" it if changed to "true"?
I am trying to develop a forum in ASP. I want to try and make it as secure as possible. I understand that if someone knows or guesses a session ID they can post requests to the server and potentially gain unauthorised access. How can I go about doing this securely?
I did think about using random strings as session IDs, but then how could I check to see if the user is logged in if I don't know what the session ID is?
I'm working on a shopping cart page. In page A (checkout) the user enters their credit card information. On postback, if everything is correct, it sends the user to page B (confirmation). My question is, can I (or should I) use server variables to send CC information to page B?
My boss doesn't want me to store this information in the SQL database we're using. Obviously cookies are out of the question and so is passing info through request.querystring, so I was thinking on using session variables for this, but not sure if it's safe. What should I do?
Is it safe to store credit card information in the ASP session state to be ultimately transmitted to VeriSign? I have a set of forms that are in the format of a wizard and I need to maintain the information through the pages. I know cookies are potentially unsafe, and I don't want to be responsible for credit card information being stored in my databases. I would use this type of method...
Code:

<% Session("CCNumber") = Request.Form("CCNumber") %>

If it helps, I have a VeriSign SSL certificate.
I would like to implement user authentication and session management for my applications. I've been using solution 1 (below) for most of my applications in the past since the target audience is mostly intranet based.
Now that I'm creating a more global application, I want to use a method that does not require cookies, yet maintains a fairly high level of security and fault tolerance.
Is there a better way to handle this problem? What method do the big Internet shopping companies use?
Scenario:
A user is authenticated and is given a session key. The session key is passed to the user in an HTML page and returned to the server using a query string. The user then copies the URL and gives it to his friend to see. Since the URL now contains the session key, how does the server distinguish between the authenticated user and his friend?
Solution 1:
Use an ASP session variable to store the session key between page requests. This solution requires that the client have session cookies enabled. If the session is not encrypted (i.e. SSL), the ASP session id is still passed via clear text, and is vulnerable.
Solution 2:
Use a session key that identifies the location (IP address) of the user. If the submitted session key doesn't match the user's location, then the session key is invalid. The session key can be passed as part of the URL and does not require cookies. This method is vulnerable to IP spoofing, and breaks if the user is behind a NAT server, or web caching server that masks the true IP address.
Solution 3:
Have the session key returned to the server via an HTTP POST request. This method does not require cookies, but is clear text and vulnerable if the session is not encrypted. The session key is lost if the user navigates to a page manually issuing an HTTP GET request.
I want to create an administration page which lists all the current users who are on the site at the moment.
I know ColdFusion has this feature built in using the SessionTracker class... does ASP have something similar? If not... is there any way I can just iterate through all the session files on the server...?
I am using Session variables in my ASP application. I have tested the application on a Win2k Professional and it works fine. When the same web app is installed on a Win2k Advanced Server, and the app is accessed from the client browser, the session variable returns null in spite of a value already being set. I have checked the IIS enable session state settings. When I use the server machine as the client and access the app as localhost, then the session variable has the correct value.
How can this be solved? What other settings, if any, need to be changed to get it to work?
Do session variables carry over if you've left your site and come back?
My shopping cart uses PayPal/IPN to transact and then enter details of the transaction into my database. All of the data entry takes place after IPN has returned all of the data to my site.
A couple of the fields I need to populate are held in session variables throughout the application. When the customer clicks on the checkout button, and is sent over to PayPal's server to complete the transaction, will the session variables still be available to me upon returning to my site?
Is there a way to close a single session variable, once it's been created? I have an application that requires several session variables to be created once a person enters a certain section of my site. When they leave, the variables are set to nothing, as they are no longer needed. I'd like to just close them out, but I will still need to keep the session open, so Session.Abandon will not work in this case.
We have different types of logins for our accounts on our intranet. When a person logs in, a Session variable is set to determine their level of access. For the sake of argument, say the two LoginTypes are Manager and Employee. When I log in (as a Manager), I get a certain set of options on the homepage. Then I return to the login page, after logging in as myself, and log in as an Employee. For some reason, the page seems "cached" and the manager options will still display. If I refresh this page, it will appear the way it should. I *think* this only happens when I copy/paste a URL that I was at as a Manager. I believe that if I click a link, it displays properly. Is there a way to prevent this? I do a ton of copying/pasting URLs.
I would like to declare a session variable.

' Use session variables for the recordsets for the GetSubordinates and IsManager functions
Dim orgStructRS
Set orgStructRS = Server.CreateObject("ADODB.Recordset")
Where can I declare this session variables? Once I use the recordset in both the functions, where do I close these recordsets?
I have read a couple of articles warning against storing VB COM objects (Apartment Threading) in Session Variables due to the fact that these variables could go bad. My question is, what's the workaround for this? I have also read about making ASP Stateless... I'm guessing that means turning the session and application variables off, and if you do that, then how do you pass information for a particular user from one page to another? I'm confused about how to get an ASP site working without using Application and Session variables as well as not storing VB COM objects in Session Variables.
I have a session variable in a login page. Then I go to a form page where I use the ProfileID and the UserID. Then I go to a result page where I would like to use the UserID as a filter, but I can't get the value that is stored in it.
I'm loading a variable into the session variables that will be for checking to see if the user can access a certain area of the website. When the user logs out or gives an incorrect login password, is it better to kill off all the variables using Session.Abandon or to set the session access variable to False? I'm not really concerned about using the server's resources with this one variable, but I would like to keep the server as free as possible.
I've noticed that in my ASP application that session variables are not carried over from one IE6 open browser window to another. Can anyone tell me how IE can do this? It seems like it's a useful protection mechanism that I can add to my application. BTW, I'm looking for a way to determine if someone is moving cookies between computers. How IE and/or ASP handles sessions might give me some insights (and I'm open to suggestions as to how to prevent cookie stealing?)
I have an ASP [Classic] application running under IIS 5 & 6 [on different servers (obviously)]. I need to implement Session() variables to cache some frequently looked up data. Because of the nature of the data, it is best held in the Session() rather than the Application() object. Is there a limit to how long the parameter name can be? For example: Session("HairColour") - the parameter name length here is 10 characters - what's the max length (is there a max length)? I ask because my code will generate these parameter names on the fly and I don't want them to break anything.
I have a question regarding ASP session variables. My assumption was that a session variable has the same lifetime as the session itself: as a consequence, given that closing the browser doesn't terminate the session, the session variable is kept alive until the session expires. But, surprisingly, I've found this to be true for the session variables whose value is set in the global.asa file, but if the value is set in an .asp script, it appears to be erased from the session object as soon as the browser is closed although the session is still alive. Strange. Is this a bug? What I'd need to know is: how can I make session variables whose value is set in an .asp script persistent as long as the session is alive?
In my GLOBAL.ASA file I'm trying to create a session variable for reference in the various webpages of my site....
Sub Session_OnStart
    Session("LoggedOn") = "Y"
End Sub
When referring to Session("LoggedOn") on my various ASP pages, it is coming up as "".
I'm obviously misunderstanding how this works... Can anyone point me the right direction?
Eventually I'll need to access a database and I'm assuming that if I need to connect to that database, that I'll need to create the connection in the Session_OnStart event and destroy the connection in the Session_OnEnd event of the GLOBAL.ASA file.
I need to hold some session variables on an intermediate page for later use. My problem is I don't know where to store the session command. Do I put it in the head of the page of the form I get the variable from, do I put it into the response page (I am using the POST method), or where?
On the index page of my site the following code creates a unique user id in the form: {B851C038-989D-4BE9-B280-32F6A97FEDEC}
If Session("userid") = "" Then
    Session("userid") = Left(CreateObject("scriptlet.typelib").guid, 38)
End If
This is checked in every page to make sure the user has an id with the following code:
If Session("userid") = "" Then
    Response.Redirect "index.asp"
End If
When the user has finally finished filling their webcart the userid is posted to the database but for some reason, with about 1 in 5 visitors to the site the database saves an empty field for the userid.
Does anyone know of any issues with session variables or any browser / config that could cause this to happen?
I have just moved hosting companies to Brinkster.com but have been having problems with my applications holding session.
They say they can't guarantee sessions and recommend another method of storing persistent data.
I questioned them on why, only on their servers, my sessions are being reset as often as they are. They said it must be a coding issue. However, I have not had trouble before, with same applications on different or local servers.
So my question is this: what can reset session data? Just a reset of IIS?
I'm having problems with carrying variables over from one page to another and then using them in if/then statements. I can carry the variables over fine (because I can print them) but if I try to compare it to a value I pull from a database it acts like the value is null and won't display. I'm not the best at explaining things so here's my code:
I have a website written in asp that uses session variables. On one workstation the session variable always comes back as an empty string, like it doesn't exist. What could cause this? Is there a browser setting or some type of security that can control whether session variables are created?
I have some pages in an ASP site. Page one collects some data through a form and posts it to page two. Page two inserts the data into an Access database and sets three of them as session variables. Page three is supposed to display those variables. My problem is that page three does not display any variables. All the variables are declared correctly, and when I tried displaying them with page 2, they displayed properly, but between page 2 and 3 they get lost.
I have an web application framework that uses sessions to maintain a userID and some other variables. If a userID is not present in the session collection, it redirects the user to a login page, assuming their session expired. However, this has been happening seemingly at random on some of our implementations. The configuration is basically the same... IIS 5.0, Win2k, IE6, etc. Also, this happens even when a user goes from screen to screen so it isn't a timeout issue. Is it client-side? Server-side? Is it due to some additional security features added in updates to IE? I don't think we ever had this problem in IE5.5, but I don't have a written history of that.
I’m experiencing a problem regarding Session Variables and/or Cookies. I have developed a web site, part of which is the members’ area (I guess well known to everyone) using ASP code. The problem is that it is functioning perfectly on the ISP who is hosting the site but it doesn’t on my local server in the office. In both cases a Session Variable is set to true (let’s name it “SESSecured”) when a user is authenticated (programmatically using an Access Database), and all the rest of the ASP pages query the variable in order to proceed or not. On my office server this variable is always empty each time a new ASP page is loaded. In fact any variable set in any previous stage is empty, which made me investigate further and find that each ASP page is getting a new SESSION_ID! On the cookies matter, I tried to use cookies instead of Session variables and found that no cookies can be created.
I'm doing a web survey now which can only be done once. I send email to all with an id appended to the URL so I can do checking. If he didn't do it before, I will direct him to the survey page.
After he finishes and submits, I do an insert statement on the backend, but the problem is I can't seem to retrieve the session which holds the guy's id so I can insert it into the DB. When I insert, the id is always 0.
My ASP application needs 2 variables (uid, password) which I need for running SQL statements.
This is not the same uid, password used for the login by the user, but they are supplied by a Radius server. My problem is I'm supplied with the uid, password only once by the Radius server (on the first page), so I need to store them. The thing is, if I store them in the session they are visible to the user. So that should be avoided... I've been thinking about encrypting the variables, but can't find default VB code to encrypt the data. Actually I don't want to send any info at all...