  #1 (permalink)  
Old 08-14-08, 00:37
DBA_Rahul DBA_Rahul is offline
Registered User
 
Join Date: May 2004
Location: bangalore
Posts: 270
Alternative to SESSION object

Hello All,
I have a problem in sharing the values between the pages. The cookies have been disabled. Hence can't use session variables. Apart from session one way to do the same is to have the hidden field in all the pages and keep on posting the hidden field between the fields. But there is a problem in doing so. Anyone can see the values stored in the hidden field through the VIEW SOURCE.

Kindly suggest me the best possible way to accomplish the same.

NOTE: also keep in mind that there will be heavy load on the server by the same application. Load in the sense, lot many users will be logged into the system.



Thanks,
Rahul Jha
  #2 (permalink)  
Old 08-14-08, 03:33
gvee gvee is offline
www.gvee.co.uk
 
Join Date: Jan 2007
Location: UK
Posts: 10,156
You know that cookies can be read too, right?

You may wish to look at encrypting the values you wish to pass, or alternatively storing them in a database and retrieving the value.

If you store it in a database and don't display the value, then the value that you wish to hide will not be visible to the client at all - because ASP runs on the web server!
__________________
George
  #3 (permalink)  
Old 08-14-08, 04:40
DBA_Rahul DBA_Rahul is offline
Registered User
 
Join Date: May 2004
Location: bangalore
Posts: 270
Thanks for your reply Georgy. And how do we store the value in DB as a user specific?

What about using the collection?


Thanks,
Rahul Jha
  #4 (permalink)  
Old 08-14-08, 04:42
DBA_Rahul DBA_Rahul is offline
Registered User
 
Join Date: May 2004
Location: bangalore
Posts: 270
Can we do something with the HTTP header? Like adding the header with the values that I want to share between the pages.

NOTE: I am not sure whether this will work or not......

Thanks,
Rahul Jha
  #5 (permalink)  
Old 08-14-08, 04:43
DBA_Rahul DBA_Rahul is offline
Registered User
 
Join Date: May 2004
Location: bangalore
Posts: 270
There is also the option of using filesystem object. Like creating and deleting the files for the user. Create the file once the user is logged into, and delete the file once the user logs off.


Thanks,
Rahul Jha
  #6 (permalink)  
Old 08-14-08, 04:46
gvee gvee is offline
www.gvee.co.uk
 
Join Date: Jan 2007
Location: UK
Posts: 10,156
Quote:
Originally Posted by DBA_Rahul
Thanks for your reply Georgy. And how do we store the value in DB as a user specific?
As you've already noticed, it's hard to track a user without things like session variables. Perhaps their IP address could be used to identify them?
Quote:
Originally Posted by DBA_Rahul
What about using the collection?
I don't follow.

I think you need to expand your question; what exactly are you trying to store, but not show to the user?
__________________
George
  #7 (permalink)  
Old 08-14-08, 04:51
DBA_Rahul DBA_Rahul is offline
Registered User
 
Join Date: May 2004
Location: bangalore
Posts: 270
what I meant was DICTIONARY


Thanks,
Rahul Jha
  #8 (permalink)  
Old 08-14-08, 04:58
gvee gvee is offline
www.gvee.co.uk
 
Join Date: Jan 2007
Location: UK
Posts: 10,156
Again, still not following: what's this dictionary you speak of?

I strongly suggest against using the FSO.

Can you state your requirements in greater detail please.
__________________
George
  #9 (permalink)  
Old 08-14-08, 05:01
DBA_Rahul DBA_Rahul is offline
Registered User
 
Join Date: May 2004
Location: bangalore
Posts: 270
The requirement from the client side says that the values should not be visible to the user through VIEW SOURCE or any other means. They have also asked not to use Sessions as cookies can be disabled on the user machine....


Thanks,
Rahul Jha
  #10 (permalink)  
Old 08-14-08, 05:16
gvee gvee is offline
www.gvee.co.uk
 
Join Date: Jan 2007
Location: UK
Posts: 10,156
Do you authenticate your users in any way (i.e. do they log on to your site)?
__________________
George
  #11 (permalink)  
Old 08-14-08, 05:48
DBA_Rahul DBA_Rahul is offline
Registered User
 
Join Date: May 2004
Location: bangalore
Posts: 270
Yes, I authenticate the user through WINDOWS AUTHENTICATION


Thanks,
Rahul Jha
  #12 (permalink)  
Old 08-14-08, 06:04
gvee gvee is offline
www.gvee.co.uk
 
Join Date: Jan 2007
Location: UK
Posts: 10,156
I suggest you log this secure piece of information in a database, along with the user's Windows-authenticated username; then you can retrieve it as you wish.
__________________
George
  #13 (permalink)  
Old 08-14-08, 06:08
DBA_Rahul DBA_Rahul is offline
Registered User
 
Join Date: May 2004
Location: bangalore
Posts: 270
Thanks for the suggestion mate, but the user / client doesn't want to change the DB schema. It is an existing application and the current package runs through session object only. All that the client wants is to have some alternative for holding the data apart from the session object.
  #14 (permalink)  
Old 08-14-08, 06:54
gvee gvee is offline
www.gvee.co.uk
 
Join Date: Jan 2007
Location: UK
Posts: 10,156
Let me get this straight; they don't want any changes made to a package that
Quote:
Originally Posted by DBA Rahul
runs through session object only
Yet want it to work without the use of session objects...

...do you see what I'm getting at here?

Did I mention that, like the source of a page, a cookie can also be read?
Quote:
Originally Posted by georgev in post #2
You know that cookies can be read too, right?
I do believe I did

My other suggestions include encryption and asking your users to turn cookies on :P
__________________
George
  #15 (permalink)  
Old 08-31-08, 02:26
khurram007 khurram007 is offline
Registered User
 
Join Date: Apr 2007
Posts: 29

There are various methods to implement this:
  1. Best way is to create a cookie/session. Then check if the cookie/session is created successfully or not and then if not created successfully, ask the user to enable cookies for it. This is the way all top and big sites like MSN.com, hotmail.com operate. Every alternate way will increase the trips to either database or file systems which will put negative impact on the application's performance.
  2. Use Database Table. You can create a separate database table only for this purpose, not touching existing database schema. Here you can make every session variable in a separate field with username or id corresponding to the current user. Also introduce an autonumber/ numeric field with auto-increment = recordId. Then you have to grab the last records from database using a query like this: select Top 1 fieldname1, fieldname2 from tableName where userId = 12345 order by recordId desc.
  3. The same above database technique can be applied using file system. You can create a text file and put everything inside it rather than table. However, you have to read the text file every time and in some cases you might have to read a BIG part of the text file to get the last record. This would put bad effect to the performance. Also, security-wise it's not a good idea, as there are a lot of crawlers, and using them people can detect your text file. Also it's not a good idea to give unnecessary write permissions. Always a WELCOME-to-HACKERZ.
So bottom line - better to use first or second option. Third option should only be used if first two are not possible.

My 2 cents...

Khurram.
admin - http://www.AmanatAli.Net
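
The database approach suggested in posts #12 and #15 (option 2), written out in classic ASP as an added example that is not code from any poster: state is kept in a separate table keyed on the Windows-authenticated user name, so no value is sent to the browser and no cookie is needed. The table `UserState`, its columns, the function names and the connection string are assumptions, and it stores one key/value row per write rather than one field per variable.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Assumed table (hypothetical names):
'   CREATE TABLE UserState (recordId INT IDENTITY PRIMARY KEY,
'     userName NVARCHAR(256) NOT NULL, stateKey NVARCHAR(64) NOT NULL,
'     stateValue NVARCHAR(4000) NULL)
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202, adExecuteNoRecords = 128
Const CONN_STR = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI" ' placeholder
' Identity comes from IIS Windows authentication, never from a form field.
Function CurrentUser()
    Dim logon
    logon = Request.ServerVariables("LOGON_USER")
    If Len(logon) = 0 Then         ' anonymous access is enabled: refuse
        Response.Status = "401 Unauthorized"
        Response.End
    End If
    CurrentUser = logon
End Function

' Build a parameterized command; the first parameter is always the user name.
Function UserCommand(conn, sql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 256, CurrentUser())
    Set UserCommand = cmd
End Function

Sub SaveState(conn, key, value)
    Dim cmd
    Set cmd = UserCommand(conn, "INSERT INTO UserState (userName, stateKey, stateValue) VALUES (?, ?, ?)")
    cmd.Parameters.Append cmd.CreateParameter("k", adVarWChar, adParamInput, 64, key)
    cmd.Parameters.Append cmd.CreateParameter("v", adVarWChar, adParamInput, 4000, value)
    cmd.Execute , , adExecuteNoRecords
End Sub
' Returns the newest value for this user and key, or Null if none is stored.
Function LoadState(conn, key)
    Dim cmd, rs
    Set cmd = UserCommand(conn, "SELECT TOP 1 stateValue FROM UserState " & _
        "WHERE userName = ? AND stateKey = ? ORDER BY recordId DESC")
    cmd.Parameters.Append cmd.CreateParameter("k", adVarWChar, adParamInput, 64, key)
    Set rs = cmd.Execute
    LoadState = Null
    If Not rs.EOF Then LoadState = rs("stateValue").Value
    rs.Close
End Function
%>
```

A page opens an `ADODB.Connection` with `CONN_STR` and calls `SaveState conn, "someKey", someValue` and `LoadState(conn, "someKey")`. Because every write inserts a new row, old rows need to be deleted on logoff or by age.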