Security Info - Session Var OR Cookie??



Thread: Security Info - Session Var OR Cookie??

  1. #1
    Jason Langston Guest

    Security Info - Session Var OR Cookie??

    Hey experts,
    Been VB'ing for years, relatively new to the world of ASP.
    An either or question. I'm developing a "secured" site, requiring a user to
    log-in to get access to many of the site's pages. Naturally, all I do is at
    the top of each "secured" ASP page I check for log in info.
    Here's my question : where do I store the user's logged in status - in a
    cookie I check each time (seems like a lot of network traffic / slow?) or in
    a Session variable (memory considerations?)?

    Thanks for any comments, experience or explanations,

    JasonL



  2. #2
    David Guest

    Re: Security Info - Session Var OR Cookie??


    Jason,

    I would use a session variable, for the simple reason that if the user closes
    the browser before you get the chance to clear the cookie then they will
    remain logged in...

    It's a difficult decision to make...

    hope this helps

    David




  3. #3
    Jason Langston Guest

    Re: Security Info - Session Var OR Cookie??

    Yeah, I'm leaning that way simply because as a desktop developer I'd never
    bother writing something to disk when I could use a variable. But I've
    written a couple of database driven log-in front ends for other website
    developers and they specifically requested that I create a cookie. I often
    wonder if that was due to their realm of experience, or if there are real
    memory/performance issues with using a Session variable. I've read in a few
    places, though I forget where and in what context, that Session Variables
    were discouraged.





  4. #4
    David Guest

    Re: Security Info - Session Var OR Cookie??


    Jason,

    Another thing that comes to mind is the fact that some people are still
    scared of enabling cookies on their browsers. This means that not everybody
    will be able to use your application...

    I say, if you have the resources to handle session variables then do so...

    hope this helps

    David




  5. #5
    John Timney (MVP) Guest

    Re: Security Info - Session Var OR Cookie??

    Have you thought about storing them in a DB, and writing their ID value to
    each web output page? After a period of inactivity you can simply reset it
    to empty in the DB, but while they are active you have a scalable session
    store - without session variables or cookies.

    Regards

    John Timney (MVP)






  6. #6
    Jason Langston Guest

    Re: Security Info - Session Var OR Cookie??

    John,
    Actually I have. That would certainly eliminate the issue of users who won't
    accept cookies (since, I believe, even session variables require a cookie).
    However, what's the performance? Have you tried this? with success?
    Again, my concern is that it seems awfully slow to have to do an additional
    disk read (cookie - file, or db) for each 'secured' page. Though, it may be
    worth it for the scalability and portability issues.
    Q - When you say "writing their ID value ..." could you be more specific? I
    understand that each session/user is given a unique ID to identify, how
    would I obtain that ID value?
    Thanks,
    Jason




  7. #7
    John Timney (MVP) Guest

    Re: Security Info - Session Var OR Cookie??

    I have tried this a number of times and it's a good and very scalable
    approach.

    Implications:
    There is a database hit for each secured/session state page read.
    All the pages requiring session handling need to be dynamically generated.

    Considerations:
    More planning is required.
    More performance testing is required.

    In the past I have used milliseconds as the unique ID, if the ID is already
    taken (multiple server farms) then issue another. Keep the session ID for a
    predetermined period of inactivity before it becomes void and removed from
    the DB, otherwise use it for the ID of the session record.


    --
    Regards

    John Timney
    Microsoft MVP
    Co-Author Professional JSP
    ISBN: 1-861003-62-5
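
The database-backed session store discussed in posts #5 to #7, as an added example that is not code from any poster: Python with `sqlite3` stands in for the ASP page and its database, and the table layout, function names and 20-minute timeout are assumptions. It uses a random ID from the OS CSPRNG rather than the millisecond timestamp mentioned above, since a time-derived ID can be guessed by anyone who knows roughly when a user logged in.

```python
import hashlib
import secrets
import sqlite3

IDLE_TIMEOUT = 20 * 60  # assumed: seconds of inactivity before the ID is void


def open_store(path=":memory:"):
    """Create the session table (hypothetical schema)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sessions ("
        "id_hash TEXT PRIMARY KEY, username TEXT NOT NULL, last_seen REAL NOT NULL)"
    )
    return db


def _digest(session_id):
    # Keep only a hash in the DB so a leaked table does not expose live IDs.
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def start_session(db, username, now):
    """Call after a successful login; returns the ID to embed in each page."""
    session_id = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (_digest(session_id), username, now))
    db.commit()
    return session_id


def check_session(db, session_id, now):
    """Per-page check: the username, or None if the ID is unknown or went idle."""
    if not isinstance(session_id, str) or not session_id:
        return None
    # Void every session that has been inactive for longer than the timeout.
    db.execute("DELETE FROM sessions WHERE last_seen < ?", (now - IDLE_TIMEOUT,))
    key = _digest(session_id)
    row = db.execute("SELECT username FROM sessions WHERE id_hash = ?", (key,)).fetchone()
    if row is not None:
        # Activity resets the inactivity clock (sliding expiry).
        db.execute("UPDATE sessions SET last_seen = ? WHERE id_hash = ?", (now, key))
    db.commit()
    return row[0] if row else None


def end_session(db, session_id):
    """Explicit log-out: remove the record so the ID stops working immediately."""
    db.execute("DELETE FROM sessions WHERE id_hash = ?", (_digest(session_id),))
    db.commit()
```

`check_session` is the one database hit per secured page that the post lists under "Implications"; pass `time.time()` as `now` in real use.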






  8. #8
    Craig Guest

    Re: Security Info - Session Var OR Cookie??

    Can someone verify that a session variable uses cookies? It would certainly
    explain a problem I had with two applications running at the same time.

    "Jason Langston" <jason@DONTSPAMMEwirelesszone.com> wrote in message
    news:3997f774@news.devx.com...
    > John,
    > Actually I have. That would certainly eliminate the issue of users who won't
    > accept cookies (since, I believe, even session variables require a cookie).
    <snip>



  9. #9
    Jim Edgar Guest

    Re: Security Info - Session Var OR Cookie??

    Jason ---

    FYI -- I've been VB'ing for several years also and I'm just now looking at
    developing some Web apps. Personally I hate cookies being written to
    my computer so much that I have turned them off. If a site that I absolutely
    need to use (mainly financial institutions) requires cookies then I put that
    site into my 'trusted' folder. Immediately after an internet session I delete
    all cookies. I only mention this because I have asked several
    friends and coworkers and I found that many of them have turned off cookies
    on their machines also. If the app that you are developing requires cookies
    then a significant percentage of web surfers are going to ignore your site
    if they get a 'cookies required' error message... I know I'll pass on it.

    Jim Edgar




  10. #10
    Michael D. Kersey Guest

    Re: Security Info - Session Var OR Cookie??

    Jason Langston wrote:
    > Actually I have. That would certainly eliminate the issue of users who won't
    > accept cookies (since, I believe, even session variables require a cookie).
    > However, what's the performance? Have you tried this? with success?


    Note that you can store user information in a number of places other
    than the Session object:
    1. The Application object - this will give very fast access, since it is
    entirely memory based,
    2. A memory-resident component. Again extremely quick, but more work
    than (1),
    3. A file. Slower than (1) or (2), but still fast, since the disk drive
    is local to the server,
    4. A database. Slower than (3), but again still fairly fast when
    compared with network I/O.

    Consider that, to get a cookie, an explicit request must be sent to the
    browser, which occurs over the internet - very slow compared to local
    disk access.
