Re: sessions on websites

  • From: "Ricks Place" <OFBGMail@xxxxxxxxx>
  • To: <programmingblind@xxxxxxxxxxxxx>
  • Date: Fri, 5 Dec 2008 06:20:02 -0500

You are right! It's been too long since I worked with Authentication and Authorization. I was just thinking of the HomePage after logging on. On that page he could have dynamically added links to the secure areas of the site but if he wanted to carry the Session Id or something it would involve a messy process, the URL might be compromised etc... as you already mentioned, sigh. Sorry. Anyway, the subject of Authorization and Authentication using ASP gets very complicated. I used a Session Variable for another purpose. My site is hosted on an IP Server Farm and it was getting dropped for some reason. I have tried everything but nothing has kept it valid. The only thing I might try would be to set up the Session Variables to be maintained on a separate DataBase and modify my application accordingly. This is way more work than my app occasionally dropping a Session Variable is worth to me for my personal use but would be a problem for others if they did not want this problem. It might be a Microsoft Problem, don't know, but it is a hassle sometimes. Anyway, this might not be a problem in non MS Based operations. I'm glad I'm not messing with that bloody Auth stuff or Sessions any longer unless necessary, the work is done and working pretty well!

Rick USA
----- Original Message -----
From: "Octavian Rasnita" <orasnita@xxxxxxxxx>
To: <programmingblind@xxxxxxxxxxxxx>
Sent: Friday, December 05, 2008 5:45 AM
Subject: Re: sessions on websites


Sorry but this is not true.

It requires much more work to add the session ID in the query string for absolutely all the requests to your site, and it may also be a security problem, because if someone copies and pastes a URL to your site in an email and sends it to someone else, that URL will contain the session ID, and any other visitor that would use that link will have access with the permissions of the authorized user.

Of course, you can set the session to accept requests only from the same IP address that was used for creating the session, but that might create other problems for the users who are behind a server that changes the IP address possibly on each request for the same user.

The best way is to use session cookies, and this means cookies which don't have an expiration date, so they won't be saved on the visitor's computer and will be lost when closing the browser.

Octavian

----- Original Message -----
From: "Ricks Place" <OFBGMail@xxxxxxxxx>
To: <programmingblind@xxxxxxxxxxxxx>
Sent: Friday, December 05, 2008 12:17 PM
Subject: Re: sessions on websites


Hi:
This is called Security. To do what you want you would have the pages you
want displayed flagged in some way so that when you display the links for
those pages only those pages allowed based on some kind of security level
will be displayed to each user.
Typically you would keep a list of user Id's and Passwords in a file or
DataBase. Then before creating the page with the list of links you would
check the currently logged in user against that list. If they are on the
list you display the secure links along with the non-secure or often called
links for quote Anonymous Users.
That whole subject can be as simple as a text file with some codes you check at Page Load time or as complex as using a DataBase driven Security System. The Session Variable would just be a place to hold a value like a UserId or
Key Code which would follow the currently logged-in user around your site
and used like any other variable. Session variables do have some nasty
problems though and you might just put your security key or code or other
indication of successful login in the Page Query String. This is much easier
and poses many fewer problems.
Rick USA
.
----- Original Message -----
From: "Alex Hall" <mehgcap@xxxxxxx>
To: <programmingblind@xxxxxxxxxxxxx>
Sent: Thursday, December 04, 2008 2:53 PM
Subject: sessions on websites


Hi all,
This is more on-topic than my last post, but still regarding the internet.
I am doing a project for web programming and will get extra credit if I
can use a session to let the user go to some places and not others.  For
example, anyone can go to index.html but only logged-in members can go to
welcome.html or contact_manager.php.  I know I can use either cookies
(which I would like to avoid as there seems to be no definitive,
easy-to-understand tutorial on them) or I could use session variables in
php (the only server-side language I know). I do not understand how I can
use either of these to restrict access.  For an example, go to
Bookshare.org.  If you do not log in, every page offers a login form.  If
you are logged in, you can visit the member homepage and you do not see
the login form unless you close the browser; even going to another site
and coming back will keep you logged in. All the pages, though, are html,
not php or another language.  HOW???? Thanks for any help/info.  I just
want to know how to do this, I do not expect the code written for me,
especially as this is a project and not something I am doing for my own
education on my own time.

Have a great day,
Alex
__________
View the list's information and change your settings at
//www.freelists.org/list/programmingblind


__________ Information from ESET NOD32 Antivirus, version of virus
signature database 3663 (20081204) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
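
The cookie-only session approach described in Octavian's reply, applied to the PHP members-only pages from the original question. This is an added example, not code from any message in the thread; the function names and `/login.php` are hypothetical, and the site is assumed to be served over HTTPS on PHP 7.3 or later.

```php
<?php
// Added example: hypothetical helpers for pages such as contact_manager.php.

function start_cookie_session(): void
{
    // Carry the session ID only in a cookie, never in the query string,
    // so a URL pasted into an email cannot hand the session to someone else.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,       // no expiration date: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // assumption: HTTPS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $userId): void
{
    // Call after the password check succeeds. A fresh ID at login means
    // an ID observed before authentication grants nothing.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function require_login(): void
{
    // Anonymous visitors are sent to the login form and the page stops here.
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php'); // hypothetical login page
        exit;
    }
}

// At the top of every members-only page, before any output:
start_cookie_session();
require_login();
echo 'Welcome, ' . htmlspecialchars($_SESSION['user_id'], ENT_QUOTES, 'UTF-8');
```

Pages that must stay protected need to pass through PHP (or an equivalent server-side check) for `require_login()` to run; a static `.html` file served directly by the web server bypasses it.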



