-
Security Info - Session Var OR Cookie??
Hey experts,
Been VB'ing for years, relatively new to the world of ASP.
An either or question. I'm developing a "secured" site, requiring a user to
log-in to get access to many of the site's pages. Naturally, all I do is at
the top of each "secured" ASP page I check for log in info.
Here's my question : where do I store the user's logged in status - in a
cookie I check each time (seems like a lot of network traffic / slow?) or in
a Session variable (memory considerations?)?
Thanks for any comments, experience or explanations,
JasonL
-
Re: Security Info - Session Var OR Cookie??
Jason,
I would use session variable, for the simple reason that if the user closes
the browser before you get the chance to clear the cookie then they will
remain logged in...
It's a difficult decision to make...
hope this helps
David
"Jason Langston" <jason@DONTSPAMMEwirelesszone.com> wrote:
>Hey experts,
>Been VB'ing for years, relatively new to the world of ASP.
>An either or question. I'm developing a "secured" site, requiring a user to
>log-in to get access to many of the site's pages. Naturally, all I do is at
>the top of each "secured" ASP page I check for log in info.
>Here's my question : where do I store the user's logged in status - in a
>cookie I check each time (seems like a lot of network traffic / slow?) or in
>a Session variable (memory considerations?)?
>
>Thanks for any comments, experience or explanations,
>
>JasonL
-
Re: Security Info - Session Var OR Cookie??
Yeah, I'm leaning that way simply because as a desktop developer I'd never
bother writing something to disk when I could use a variable. But I've
written a couple of database driven log-in front ends for other website
developers and they specifically requested that I create a cookie. I often
wonder if that was due to their realm of experience, or if there are real
memory/performance issues with using a Session variable. I've read in a few
places, though I forget where and in what context, that Session Variables
were discouraged.
David <novadose@hotmail.com> wrote in message
news:399302a6$1@news.devx.com...
>
> Jason,
>
> I would use session variable, for the simple reason that if the user closes
> the browser before you get the chance to clear the cookie then they will
> remain logged in...
>
> It's a difficult decision to make...
>
> hope this helps
>
> David
-
Re: Security Info - Session Var OR Cookie??
Jason,
Another thing that comes to mind is the fact that some people are still
scared of enabling cookies on their browsers. This means that not everybody
will be able to use your application...
I say, if you have the resources to handle session variables then do so...
hope this helps
David
"Jason Langston" <jason@DONTSPAMMEwirelesszone.com> wrote:
> Yeah, I'm leaning that way simply because as a desktop developer I'd never
>bother writing something to disk when I could use a variable. But I've
>written a couple of database driven log-in front ends for other website
>developers and they specifically requested that I create a cookie. I often
>wonder if that was due to their realm of experience, or if there are real
>memory/performance issues with using a Session variable. I've read in a few
>places, though I forget where and in what context, that Session Variables
>were discouraged.
-
Re: Security Info - Session Var OR Cookie??
Have you thought about storing them in a DB, and writing their ID value to
each web output page? After a period of inactivity you can simply reset it
to empty in the DB, but while they are active you have a scalable session
store - without session variables or cookies.
Regards
John Timney (MVP)
Jason Langston <jason@DONTSPAMMEwirelesszone.com> wrote in message
news:3992bd72$1@news.devx.com...
> Hey experts,
> Been VB'ing for years, relatively new to the world of ASP.
> An either or question. I'm developing a "secured" site, requiring a user to
> log-in to get access to many of the site's pages. Naturally, all I do is at
> the top of each "secured" ASP page I check for log in info.
> Here's my question : where do I store the user's logged in status - in a
> cookie I check each time (seems like a lot of network traffic / slow?) or in
> a Session variable (memory considerations?)?
>
> Thanks for any comments, experience or explanations,
>
> JasonL
-
Re: Security Info - Session Var OR Cookie??
John,
Actually I have. That would certainly eliminate the issue of users who won't
accept cookies (since, I believe, even session variables require a cookie).
However, what's the performance? Have you tried this? with success?
Again, my concern is that it seems awfully slow to have to do an additional
disk read (cookie - file, or db) for each 'secured' page. Though, it may be
worth it for the scalability and portability issues.
Q - When you say "writing their ID value ..." could you be more specific? I
understand that each session/user is given a unique ID to identify; how
would I obtain that ID value?
Thanks,
Jason
John Timney (MVP) <timneyj@btinternet.com> wrote in message
news:399457a5@news.devx.com...
> Have you thought about storing them in a DB, and writing their ID value to
> each web output page? After a period of inactivity you can simply reset it
> to empty in the DB, but while they are active you have a scalable session
> store - without session variables or cookies.
>
> Regards
>
> John Timney (MVP)
-
Re: Security Info - Session Var OR Cookie??
I have tried this a number of times and it's a good and very scalable
approach.
Implications:
There is a database hit for each secured/session state page read
All the pages requiring session handling need to be dynamically generated.
Considerations:
More planning is required
More performance testing is required
In the past I have used milliseconds as the unique ID, if the ID is already
taken (multiple server farms) then issue another. Keep the session ID for a
predetermined period of inactivity before it becomes void and removed from
the DB, otherwise use it for the ID of the session record.
--
Regards
John Timney
Microsoft MVP
Co-Author Professional JSP
ISBN: 1-861003-62-5
Jason Langston <jason@DONTSPAMMEwirelesszone.com> wrote in message
news:3997f774@news.devx.com...
> John,
> Actually I have. That would certainly eliminate the issue of users who won't
> accept cookies (since, I believe, even session variables require a cookie).
> However, what's the performance? Have you tried this? with success?
> Again, my concern is that it seems awfully slow to have to do an additional
> disk read (cookie - file, or db) for each 'secured' page. Though, it may be
> worth it for the scalability and portability issues.
> Q - When you say "writing their ID value ..." could you be more specific. I
> understand that each session/user is given a unique ID to identify, how
> would I obtain that ID value?
> Thanks,
> Jason
>
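An added example (not part of the thread and not any poster's code) of the database-backed session store John describes in the post above: an ID issued at login, one lookup per secured page, and removal after a period of inactivity. It is written in Python with SQLite standing in for the ASP pages and the site's database; the table layout, function names and 20-minute timeout are assumptions, and the ID comes from a CSPRNG rather than a millisecond timestamp so that it cannot be guessed from the login time.

```python
import hashlib
import secrets
import sqlite3

IDLE_TIMEOUT = 20 * 60  # assumed: seconds of inactivity before a session is void

def open_store():
    db = sqlite3.connect(":memory:")  # stand-in for the site's database
    db.execute("CREATE TABLE sessions ("
               "id_hash TEXT PRIMARY KEY, user TEXT NOT NULL, last_seen REAL NOT NULL)")
    return db

def _digest(sid):
    # Only a hash of the ID is stored, so a leaked table does not expose live IDs.
    return hashlib.sha256(sid.encode("utf-8")).hexdigest()

def login(db, user, now):
    """Create the session record; the returned ID is written into each page."""
    sid = secrets.token_urlsafe(32)  # CSPRNG output, not derived from the clock
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (_digest(sid), user, now))
    return sid

def check(db, sid, now):
    """The one database hit per secured page: return the user, or None."""
    key = _digest(sid or "")
    row = db.execute("SELECT user, last_seen FROM sessions WHERE id_hash = ?",
                     (key,)).fetchone()
    if row is None:
        return None  # unknown, logged out, or already purged
    user, last_seen = row
    if now - last_seen > IDLE_TIMEOUT:
        db.execute("DELETE FROM sessions WHERE id_hash = ?", (key,))
        return None  # idle too long: the ID is void
    db.execute("UPDATE sessions SET last_seen = ? WHERE id_hash = ?", (now, key))
    return user

def purge(db, now):
    """Periodic clean-up of idle sessions; returns how many rows were removed."""
    cur = db.execute("DELETE FROM sessions WHERE last_seen < ?", (now - IDLE_TIMEOUT,))
    return cur.rowcount

if __name__ == "__main__":
    db = open_store()
    sid = login(db, "jason", now=0.0)           # constructed sample user and clock
    print(check(db, sid, now=600.0))            # still active
    print(check(db, sid, now=600.0 + 1201.0))   # idle past the timeout
```

Because the ID travels in every generated page rather than in a cookie, it also ends up in URLs or form fields, so the pages carrying it should be served over TLS and kept out of caches and logs.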
-
Re: Security Info - Session Var OR Cookie??
Can someone verify that a session variable uses cookies? It would certainly
explain a problem I had with two applications running at the same time.
"Jason Langston" <jason@DONTSPAMMEwirelesszone.com> wrote in message
news:3997f774@news.devx.com...
> John,
> Actually I have. That would certainly eliminate the issue of users who won't
> accept cookies (since, I believe, even session variables require a cookie).
<snip>
-
Re: Security Info - Session Var OR Cookie??
Jason ---
FYI -- I've been VB'ing for several years also and I'm just now looking at
developing some Web apps. Personally I hate cookies being written to
my computer so much that I have turned them off. If a site that I absolutely
need to use (mainly financial institutions) requires cookies then I put that
site into my 'trusted' folder. Immediately after an internet session I delete
all cookies. I only mention this because I have asked several
friends and coworkers and I found that many of them have turned off cookies
on their machines also. If the app that you are developing requires cookies
then a significant percentage of web surfers are going to ignore your site
if they get a 'cookies required' error message... I know I'll pass on it.
Jim Edgar
"Jason Langston" <jason@DONTSPAMMEwirelesszone.com> wrote in message
news:3992bd72$1@news.devx.com...
> Hey experts,
> Been VB'ing for years, relatively new to the world of ASP.
> An either or question. I'm developing a "secured" site, requiring a user to
> log-in to get access to many of the site's pages. Naturally, all I do is at
> the top of each "secured" ASP page I check for log in info.
> Here's my question : where do I store the user's logged in status - in a
> cookie I check each time (seems like a lot of network traffic / slow?) or in
> a Session variable (memory considerations?)?
>
> Thanks for any comments, experience or explanations,
>
> JasonL
-
Re: Security Info - Session Var OR Cookie??
Jason Langston wrote:
> Actually I have. That would certainly eliminate the issue of users who won't
> accept cookies (since, I believe, even session variables require a cookie).
> However, what's the performance? Have you tried this? with success?
Note that you can store user information in a number of places other
than the Session object:
1. The Application object - this will give very fast access, since it is
entirely memory based,
2. A memory-resident component. Again extremely quick, but more work
than (1),
3. A file. Slower than (1) or (2), but still fast, since the disk drive
is local to the server,
4. A database. Slower than (3), but again still fairly fast when
compared with network I/O.
Consider that, to get a cookie, an explicit request must be sent to the
browser, which occurs over the internet - very slow compared to local
disk access.