alex042
Average Member
USA
631 Posts
Posted - 10 October 2002 : 00:10:04
I was just informed that our company frowns on cookies as they consider them a security risk. Is there a way to store login information in a session variable instead of cookies? How exactly would this work?
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 10 October 2002 : 00:37:08
Might want to tell your company that Session Variables are *evil*; they do have some performance issues associated with them.
You'd not be able to persist the logon in a Session Variable; the user would have to log on each time they visited the forum. But to convert them to use Session Variables you'd basically just have to look for every piece of code that either calls the DoCookies routine or issues a Request.Cookie or Response.Cookie and convert them to Session Variables:
Session("Password") = xxx
etc...
Kiwihosting.Net - The Forum Hosting Specialists
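An added illustration of the conversion described above, not code from this thread or from Snitz: a classic ASP login that keeps its state in Session variables instead of cookies. The CheckCredentials function is hypothetical and stands in for the forum's own password check; the session itself still rides on the ASPSESSIONID cookie that IIS issues.

```vbscript
<%
' Added example, not Snitz code. Assumes a hypothetical CheckCredentials
' function that validates a username/password against the member table and
' returns the member id (0 when the logon fails).
Option Explicit

' IIS still needs its own (non-persistent) ASPSESSIONID cookie to find this
' state; the browser only has to accept session cookies, not stored ones.
Session.Timeout = 20   ' minutes of inactivity before IIS discards the session

Sub DoSessionLogin(strUser, strPass)
    Dim lngMemberId
    lngMemberId = CheckCredentials(strUser, strPass)   ' hypothetical
    If lngMemberId > 0 Then
        ' Keep only what later pages need: the member id and display name.
        ' The password itself is never stored in the session.
        Session("MemberId")   = lngMemberId
        Session("MemberName") = strUser
        Session("LoggedIn")   = True
    Else
        Session("LoggedIn") = False
    End If
End Sub

' Replaces the Request.Cookies check on each protected page.
Function IsLoggedIn()
    IsLoggedIn = (Session("LoggedIn") = True) And (Session("MemberId") > 0)
End Function

' Replaces the "expire the cookie" logout: drops the server-side state now
' instead of leaving it to sit until the 20-minute timeout.
Sub DoSessionLogout()
    Session.Contents.RemoveAll
    Session.Abandon
End Sub

' Typical use at the top of a protected page:
If Not IsLoggedIn() Then
    Response.Redirect "login.asp"
End If
%>
```

Because nothing here is written to a persistent cookie, closing the browser loses the ASPSESSIONID and the user must log on again on the next visit, exactly the behaviour Gremlin describes.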
Doug G
Support Moderator
USA
6493 Posts
Posted - 10 October 2002 : 00:41:13
quote: You'd not be able to persist the logon in a Session Variable; the user would have to log on each time they visited the forum. But to convert them to use Session Variables you'd basically just have to look for every piece of code that either calls the DoCookies routine or issues a Request.Cookie or Response.Cookie and convert them to Session Variables
Yep, I have a session-based login that requires logging in on every visit (intentional). I once kludged it into Snitz 3.3 but never got it done; there was a lot of additional coding. I probably did it the hard way, and what I ended up with worked well enough for what I was playing with at the time.
====== Doug G ====== Computer history and help at www.dougscode.com
alex042
Average Member
USA
631 Posts
Posted - 10 October 2002 : 01:12:42
How long does the session variable hold? Until the browser is closed? What kind of performance impact are we talking about? Does it matter if it's a Unix vs Win server?
Personally, I'd prefer the cookie method as I don't see it being that big of a security issue being on an intranet, but I wanted to investigate other methods. I think people are overly concerned with cookies when they overlook other things like malicious Java code, etc. And ironically, we're moving to a java environment.
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 10 October 2002 : 02:52:27
Yes, unfortunately cookies do seem to have got a bit of a bad reputation; to me they are an extremely useful method of persisting temporary or short-term data.
The main performance issue with session variables is due to something called "Thread Affinity" or serialisation; it's one reason why you should never put OBJECTs such as your DB Connection into a Session Variable.
There's a bit more about it here: http://www.devx.com/upload/free/features/zones/asp/articles/2000/tacticalasp4-2.asp
Sessions last for 20 minutes (I think that's the default IIS value) or until the code explicitly destroys them via Session.Abandon. The session variables will remain active even after the user has closed the browser until that 20-minute timeout occurs (the value can be changed via IIS or in code using Session.Timeout).
Now here's the *REAL* kicker: for Session Variables to work, the client browser must be able to accept cookies, as the IIS Web Service uses a cookie to keep track of the Session ID of the client.
Kiwihosting.Net - The Forum Hosting Specialists
Edited by - Gremlin on 10 October 2002 02:59:07
Doug G
Support Moderator
USA
6493 Posts
Posted - 10 October 2002 : 03:56:30
Sessions are good for my low-volume private websites. In busy high-traffic sites they can be quite a drag on the server. In addition, sessions don't scale well in any kind of cluster or web farm, since session and application objects are localized to one server. I believe newer clustering software does allow session and application state to be transparent across a group of servers, but I've never seen it in action.
I once modified config.asp to put all the Snitz configuration in Session variables instead of application variables, added a user key to the configuration table (3.3 where settings were "horizontal"), and allowed each user to configure their own color settings & such. It worked but I'd not recommend it in a busy site :)
IE can differentiate between session cookies and "real" cookies, and you can set IE to accept only session cookies. The IE6 Privacy tab in Internet Options offers a number of different cookie handling choices. AFAIK session cookies are never saved on the client disk.
====== Doug G ====== Computer history and help at www.dougscode.com
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 10 October 2002 : 04:46:27
quote: AFAIK session cookies are never saved on the client disk.
That's correct, they're never saved.
We've been playing around with .NET Servers and Session Variables across clustering seem to work ok, but I have no idea what sort of new performance issues this may bring up yet.
Kiwihosting.Net - The Forum Hosting Specialists
alex042
Average Member
USA
631 Posts
Posted - 10 October 2002 : 09:01:16
quote: Sessions last for 20 minutes (I think that's the default IIS value) or until the code explicitly destroys them via Session.Abandon. The session variables will remain active even after the user has closed the browser until that 20-minute timeout occurs (the value can be changed via IIS or in code using Session.Timeout).
Now here's the *REAL* kicker: for Session Variables to work, the client browser must be able to accept cookies, as the IIS Web Service uses a cookie to keep track of the Session ID of the client.
So basically, IIS is holding resources until they timeout. Is the same true for a Unix server? In our conversion process from ASP to JSP, sessions were brought up as a possibility.
quote: Sessions are good for my low-volume private websites. In busy high-traffic sites they can be quite a drag on the server.
What would you consider low-volume? We have around 500 people in our dept with, I believe, around 3000 hits/day or 1000 page views/day from a little over 100 user sessions/day.
quote: IE can differentiate between session cookies and "real" cookies, and you can set IE to accept only session cookies. The IE6 Privacy tab in Internet Options offers a number of different cookie handling choices. AFAIK session cookies are never saved on the client disk.
Not everyone can even FIND IE on their workstations here. Since Netscape is currently our 'preferred' browser, IE is sometimes hidden away and for those who find it, most are running IE 4 and many of the options are locked down.
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 10 October 2002 : 09:43:52
As far as I know the Sessions concept is supported by Apache (the most common *NIX web server); however, whether there are any performance issues with them under Apache I have no idea.
Kiwihosting.Net - The Forum Hosting Specialists
alex042
Average Member
USA
631 Posts
Posted - 10 October 2002 : 12:57:18
quote: As far as I know the Sessions concept is supported by Apache (the most common *NIX web server); however, whether there are any performance issues with them under Apache I have no idea.
Actually I believe the choice of applications here is WebSphere on IPlanet.
burthold
Junior Member
USA
426 Posts
Posted - 10 October 2002 : 13:18:21
Well, if you are running application and session variables and have access to a backend database, you can always set IIS to log session states and variables to the DB; that would help it out a little. We did that for a site that crossed more than one web server.
Wes
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 10 October 2002 : 18:09:41
I've used WebSphere under MVS (mainframe), which runs in a Linux subsystem; it too has Session Variables, but I haven't read enough product information to find out whether there are any issues with their use. If there were, then I suspect the issues may differ between mainframe and server installations anyway, due to just the different nature of bottlenecks that occur on those platforms.
Kiwihosting.Net - The Forum Hosting Specialists