Re: The concept of using your own SessionID
- From: "Laphan" <info@xxxxxxxxxxxxx>
- Date: Wed, 26 Oct 2005 20:55:52 +0100
Hi Chris
Thanks for the response. OK, I may not have completely taken in what Aaron
is suggesting, but you can see it from my point of view can't you?
The site does appear to work OK, I just want to make sure that I'm using the
most cast iron approach I can when tracking state back and forth between the
http and https parts of the site.
Rgds Laphan
"Chris Hohmann" <nospam@xxxxxxxxxxxx> wrote in message
news:OL5lDHk2FHA.2600@xxxxxxxxxxxxxxxxxxxxxxx
"Laphan" <info@xxxxxxxxxxxxx> wrote in message
news:OS08I7h2FHA.1188@xxxxxxxxxxxxxxxxxxxxxxx
> Hi All
>
> Just been looking through the excellent ASPFaq site and wanted to discuss
> Aaron's (??) comments re better to create your own session ID rather than
> use ASP classic's in-built one and then use this through various posts and
> gets to keep the state.
>
> Only issue I've got with this is that won't this number, which to me looks
> like it will be sequential, be picked up by would-be hacker and used in
> his/her http pandemonium to try and hack other people's sessions. With them
> seeing it in the querystring and forms they will surely pick up on it and
> play with it, whereas the in-built session ID can be relatively invisible.
>
> I'm probably completely wrong with this, but I would really like to get to
> grips with the concept as I too am trying to find a cast-iron way to manage
> session state between http and https sites as the user flips between the 2,
> probably at lightning speed!!
>
> Thanks
>
> Laphan
Please include the article number and/or a link when referencing an ASPFaq
article. Here's the article I think you're talking about:
http://aspfaq.com/show.asp?id=2054
A closer reading of the article would reveal that Aaron is not advocating
the roll-your-own database session method. He is simply opining that said
method is the best/simplest alternative when the session mechanism built
into ASP is not suitable; for example when the pointy-haired-boss says so.
Also note that the article never mentions _sequential_ identifiers. While
identity columns are usually sequential by default, most databases support
some form of randomized identifier, whether that be the random auto-number
in Access, the globally unique identifier in SQL Server or whatever
implementations exist on other platforms.
--
May you be touched by His noodly appendage. RAmen.
http://venganza.org
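A sketch of the database-backed session idea discussed in this thread, added here as an example and not taken from the ASPFaq article or from either poster: the row's sequential identity stays on the server, and the value carried in the querystring or form between the http and https parts is a separate random token. Python with sqlite3 stands in for ASP and its database; the table and function names, the 20-minute timeout, and the use of an OS CSPRNG token (rather than a database random auto-number or GUID) are assumptions of this example.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 20 * 60  # seconds; assumed idle timeout for this example


def open_store():
    db = sqlite3.connect(":memory:")
    # id is a sequential identity column and is never sent to the browser;
    # only a SHA-256 digest of the random token is stored.
    db.execute(
        "CREATE TABLE sessions ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "token_hash TEXT UNIQUE NOT NULL, "
        "user_name TEXT NOT NULL, "
        "expires REAL NOT NULL)"
    )
    return db


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_session(db, user_name, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO sessions (token_hash, user_name, expires) VALUES (?, ?, ?)",
        (_digest(token), user_name, now + SESSION_TTL),
    )
    return token  # the only session value the client ever sees


def lookup_session(db, token, now=None):
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token.isascii():
        return None  # malformed input is treated as "no session"
    row = db.execute(
        "SELECT user_name, expires FROM sessions WHERE token_hash = ?",
        (_digest(token),),
    ).fetchone()
    if row is None or row[1] <= now:
        return None  # unknown or expired token
    return row[0]
```

Because lookups go through the token digest, submitting the sequential row numbers 1, 2, 3 as a session value matches nothing.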