login and sessions
in [ASP]
|
From: Ricardo Furtado on 2 Sep 2010 02:54 Ok, thank you all for your answers. I'll do that, Bwig Zomberi. Great tip "Bwig Zomberi" wrote: > Ricardo Furtado wrote: > > When developing web pages i usualy check if the user is logged by using > > sessions. > > Yesterday i read something about the down sides of sessions and one of them > > is when computers don't allow sessions. > > What should be the best way to check if a user is logged? > > > Use session variables to maintain login details. Use response.cookies to > maintain other details such user preferences, shopping cart details... > > -- > Bwig Zomberi > . >
From: Evertjan. on 2 Sep 2010 03:29 Bwig Zomberi wrote on 02 sep 2010 in microsoft.public.inetserver.asp.general: > Ricardo Furtado wrote: >> When developing web pages i usualy check if the user is logged by >> using sessions. >> Yesterday i read something about the down sides of sessions and one >> of them is when computers don't allow sessions. >> What should be the best way to check if a user is logged? > > > Use session variables to maintain login details. Use response.cookies > to maintain other details such user preferences, shopping cart > details... Why? It seems ridiculous if [as you should] you want to keep those details only for the session. Shopping cart details are part of the session and can better be kept on the server to prevent malicious use. Preferences could be kept in persistant cookies between sessions, if you want to save them for future use, however since you would keep login details on a serverside database, they are better kept in that database, to prevent another user on the same browser to be presented with another's preferences, and the same user on another browser or pc without his [or her's] preferences. So all in all, no, don't use cookies in a shopping cart environment, but for the asp automatic session.id cookie. -- Evertjan. The Netherlands. (Please change the x'es to dots in my emailaddress)
From: Bwig Zomberi on 6 Sep 2010 04:36 Evertjan. wrote: > Bwig Zomberi wrote on 02 sep 2010 in > microsoft.public.inetserver.asp.general: > >> Ricardo Furtado wrote: >>> When developing web pages i usualy check if the user is logged by >>> using sessions. >>> Yesterday i read something about the down sides of sessions and one >>> of them is when computers don't allow sessions. >>> What should be the best way to check if a user is logged? >> >> >> Use session variables to maintain login details. Use response.cookies >> to maintain other details such user preferences, shopping cart >> details... > > Why? > > It seems ridiculous if [as you should] you want to keep those details only > for the session. > > Shopping cart details are part of the session and can better be kept on the > server to prevent malicious use. > > Preferences could be kept in persistant cookies between sessions, if you > want to save them for future use, however since you would keep login > details on a serverside database, they are better kept in that database, to > prevent another user on the same browser to be presented with another's > preferences, and the same user on another browser or pc without his [or > her's] preferences. > > So all in all, no, don't use cookies in a shopping cart environment, but > for the asp automatic session.id cookie. > Cookies can be made to expire. Details stored in the cookie should be mapped to the user id and should be used only if the user is logged in. You can of course store shopping cart and other details on the server but that is a lot of work.;-) It is easier to maintain an activity log in ASP.NET. Session variables are a limited resource. Most websites are on shared servers. So, it is best to limit the use of session variables. -- Bwig Zomberi
From: Evertjan. on 6 Sep 2010 17:59
Bwig Zomberi wrote on 06 sep 2010 in microsoft.public.inetserver.asp.general: >> So all in all, no, don't use cookies in a shopping cart environment, >> but for the asp automatic session.id cookie. >> > > Cookies can be made to expire. Details stored in the cookie should be > mapped to the user id and should be used only if the user is logged > in. Wait! Do not discuss session cookies and expiring cookies in the same way. While the latter often are disallowed by users, the session cookies, that only live till the browser has stopped or the domain is no longer accessed are most often allowed, making the ASP session.id cookie possible and so the ASP session. > You can of course store shopping cart and other details on the server > but that is a lot of work.;-) You can see that as a joke, but it is not. The only safe programming is serverside programming, and a shopping cart should not be influenced by interfering code on the browser, like the firefox and chrome extensions. > It is easier to maintain an activity log > in ASP.NET. Off topic, this is a classic ASP NG. > Session variables are a limited resource. Most websites are on shared > servers. So, it is best to limit the use of session variables. No it is not, because of the simple truth that "is best" does not exist in programming. Having a shopping cart without enough resources asks for more resources in professional surrounding, not for unsave escape practices. -- Evertjan. The Netherlands. (Please change the x'es to dots in my emailaddress) |