  1. #1
    Join Date
    May 2004
    Location
    bangalore
    Posts
    270

    Unanswered: Alternative to SESSION object

    Hello All,
    I have a problem in sharing the values between the pages. The cookies have been disabled. Hence I can't use session variables. Apart from session, one way to do the same is to have a hidden field in all the pages and keep on posting the hidden field between the fields. But there is a problem in doing so. Anyone can see the values stored in the hidden field through VIEW SOURCE.

    Kindly suggest me the best possible way to accomplish the same.

    NOTE: also keep in mind that there will be heavy load on the server by the same application. Load in the sense that a lot of users will be logged into the system.



    Thanks,
    Rahul Jha

  2. #2
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    You know that cookies can be read too, right?

    You may wish to look at encrypting the values you wish to pass, or alternatively storing them in a database and retrieving the value.

    If you store it in a database and don't display the value, then the value that you wish to hide will not be visible to the client at all - because ASP runs on the web server!
    George
    Home | Blog

  3. #3
    Join Date
    May 2004
    Location
    bangalore
    Posts
    270
    Thanks for your reply Georgy. And how do we store the value in the DB as user-specific?

    What about using the collection?


    Thanks,
    Rahul Jha

  4. #4
    Join Date
    May 2004
    Location
    bangalore
    Posts
    270
    Can we do something with the HTTP header? Like adding the header with the values that I want to share between the pages.

    NOTE: I am not sure whether this will work or not......

    Thanks,
    Rahul Jha

  5. #5
    Join Date
    May 2004
    Location
    bangalore
    Posts
    270
    There is also the option of using the filesystem object. Like creating and deleting the files for the user. Create the file once the user is logged in, and delete the file once the user logs off.


    Thanks,
    Rahul Jha

  6. #6
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    Quote Originally Posted by DBA_Rahul
    Thanks for your reply Georgy. And how do we store the value in the DB as user-specific?
    As you've already noticed, it's hard to track a user without things like session variables. Perhaps their IP address could be used to identify them?
    Quote Originally Posted by DBA_Rahul
    What about using the collection?
    I don't follow.

    I think you need to expand your question; what exactly are you trying to store, but not show to the user?
    George
    Home | Blog

  7. #7
    Join Date
    May 2004
    Location
    bangalore
    Posts
    270
    what I meant was DICTIONARY


    Thanks,
    Rahul Jha

  8. #8
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    Again, still not following: what's this dictionary you speak of?

    I strongly suggest against using the FSO.

    Can you state your requirements in greater detail please.
    George
    Home | Blog

  9. #9
    Join Date
    May 2004
    Location
    bangalore
    Posts
    270
    The requirement from the client side says that the values should not be visible to the user through VIEW SOURCE or any other means. They have also asked not to use Sessions as cookies can be disabled on the user machine....


    Thanks,
    Rahul Jha

  10. #10
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    Do you authenticate your users in any way (i.e. do they log on to your site)?
    George
    Home | Blog

  11. #11
    Join Date
    May 2004
    Location
    bangalore
    Posts
    270
    Yes, I authenticate the user through WINDOWS AUTHENTICATION


    Thanks,
    Rahul Jha

  12. #12
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    I suggest you log this secure piece of information in a database, along with the user's Windows-authenticated username; then you can retrieve it as you wish.
    George
    Home | Blog

  13. #13
    Join Date
    May 2004
    Location
    bangalore
    Posts
    270
    Thanks for the suggestion mate, but the user / client doesn't want to change the DB schema. It is an existing application and the current package runs through session object only. All that the client wants is to have some alternative of holding the data apart from session object

  14. #14
    Join Date
    Jan 2007
    Location
    UK
    Posts
    11,434
    Provided Answers: 10
    Let me get this straight; they don't want any changes made to a package that
    Quote Originally Posted by DBA Rahul
    runs through session object only
    Yet want it to work without the use of session objects...

    ...do you see what I'm getting at here?

    Did I mention that, like the source of a page, a cookie can also be read?
    Quote Originally Posted by georgev in post #2
    You know that cookies can be read too, right?
    I do believe I did

    My other suggestions include encryption and asking your users to turn cookies on :P
    George
    Home | Blog

  15. #15
    Join Date
    Apr 2007
    Posts
    29
    There are various methods to implement this:

    1. Best way is to create a cookie/session. Then check if the cookie/session is created successfully or not and then if not created successfully, ask the user to enable cookies for it. This is the way all top and big sites like MSN.com, hotmail.com operate. Every alternate way will increase the trips to either database or file systems which will put negative impact on the application's performance.
    2. Use Database Table. You can create a separate database table only for this purpose, not touching existing database schema. Here you can make every session variable in a separate field with username or id corresponding to the current user. Also introduce an autonumber/ numeric field with auto-increment = recordId. Then you have to grab the last records from database using a query like this: select Top 1 fieldname1, fieldname2 from tableName where userId = 12345 order by recordId desc.
    3. The same above database technique can be applied using file system. You can create a text file and put everything inside it rather than table. However, you have to read the text file every time and in some cases you might have to read a BIG part of the text file to get the last record. This would put bad effect to the performance. Also security wise it's not a good idea as there are a lot of crawlers; using them, people can detect your text file. Also it's not a good idea to give unnecessary write permissions. Always a WELCOME-to-HACKERZ.
    So bottom line - better to use first or second option. Third option should only be used if first two are not possible.

    My 2 cents...

    Khurram.
    admin - http://www.AmanatAli.Net
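
The side-table approach from posts #12 and #15, as an added example that is not code from the thread: state is appended to a separate table keyed by the server-authenticated username and the latest record is read back, so nothing is sent to the browser. Python with SQLite stands in for the ASP application and its database; the table, column and function names and the sample users are hypothetical, and name/value rows replace the one-column-per-variable layout.

```python
import sqlite3

# Constructed stand-in for the application's database; the table and column
# names are hypothetical and sit beside the existing schema without altering it.
SCHEMA = """
CREATE TABLE IF NOT EXISTS user_state (
    record_id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id   TEXT NOT NULL,
    name      TEXT NOT NULL,
    value     TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS ix_user_state ON user_state (user_id, name, record_id);
"""

def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def put_value(conn, auth_user, name, value):
    """Append a record. auth_user must come from the server's authentication
    layer (the Windows-authenticated name), never from a form field or URL."""
    if not auth_user:
        raise PermissionError("no authenticated user")
    with conn:
        conn.execute(
            "INSERT INTO user_state (user_id, name, value) VALUES (?, ?, ?)",
            (auth_user, name, value))

def get_value(conn, auth_user, name, default=None):
    """Return this user's latest record; LIMIT 1 plays the role of TOP 1
    in the query from post #15."""
    row = conn.execute(
        "SELECT value FROM user_state WHERE user_id = ? AND name = ? "
        "ORDER BY record_id DESC LIMIT 1", (auth_user, name)).fetchone()
    return row[0] if row else default

def clear_user(conn, auth_user):
    """Delete a user's records at logoff so the table does not grow unbounded."""
    with conn:
        return conn.execute(
            "DELETE FROM user_state WHERE user_id = ?", (auth_user,)).rowcount

if __name__ == "__main__":
    db = open_store()
    put_value(db, r"CORP\alice", "cart_id", "1001")   # constructed sample values
    put_value(db, r"CORP\alice", "cart_id", "1002")
    print(get_value(db, r"CORP\alice", "cart_id"))    # latest record for alice
    print(get_value(db, r"CORP\bob", "cart_id"))      # another user sees nothing
```
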
