Sessions : Is this the right way...


  1. #1

    Sessions : Is this the right way...

    Hi!

    I am using sessions to maintain state between pages after the user has logged in, in the following manner.

    I am creating a session variable on the StudentID, which is the primary key of the database, like so:

        <% session(StudentID) = "logged" %>
        <p> Menu </p>
        <a href="change.asp?StudentID=<%= StudentID %>"> Change user password </a>

    In each of the above links, I pass the 'StudentID' in the query string.

    Thereafter, in the pages that the user can visit after having logged in, I pass the "StudentID" via a querystring, and the following code checks if the user has logged in or not, like so:

        <%
        ' Read the ID supplied in the URL
        vStudentID = request.querystring("StudentID")

        ' Look up the session variable named after that ID
        if (session(vStudentID) = "logged") then
            response.write("valid user")
        else
            response.write("invalid user")
        end if
        %>

    Finally, when the user wishes to log out, I use the <% session.abandon() %> in the .asp page that is called when logging out.

    Is this the way to go about it? Any security concerns I should read about?

    rupesh

  2. #2

    I would not pass that value on a querystring.

    That allows your visitor to see the ID you are passing which means they can change it. This would be very easy to hack. I would just retrieve the value from the session at the top of every page you need it on. Here's a couple articles:
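The approach suggested in the reply above, written out as an added example that is not part of the original thread: the ID is stored in the session once at login and read back from the session on every page, so no page depends on a StudentID supplied by the client. The file names (login.asp, auth.asp, logout.asp) and the variables authenticatedID and currentStudentID are assumptions made for illustration.

```asp
<%
' ---- login.asp (fragment) ----
' Runs only after the submitted password has been verified.
' authenticatedID is a hypothetical variable: the StudentID of the
' database row that matched the credentials.
Session("StudentID") = authenticatedID   ' fixed key, ID stored as the value
%>

<%
' ---- auth.asp ----
' Included at the top of every page that requires a login.
' The ID comes from server-side session state only, so editing the
' URL cannot change whose record the page works on.
Dim currentStudentID
If IsEmpty(Session("StudentID")) Then
    ' Not logged in, or the session has timed out
    Response.Redirect "login.asp"
    Response.End
End If
currentStudentID = Session("StudentID")
%>

<!-- change.asp -->
<!-- #include file="auth.asp" -->
<p>Menu</p>
<a href="change.asp">Change user password</a>
<p>Logged in as student <%= Server.HTMLEncode(CStr(currentStudentID)) %></p>
<%
' Database work on this page (for example the password update) uses
' currentStudentID; Request.QueryString("StudentID") is never read.
%>

<%
' ---- logout.asp ----
Session.Abandon
Response.Redirect "login.asp"
%>
```

Because the links no longer carry the ID, it also stays out of browser history, server logs and Referer headers.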
