Are Session Variables More Secure Than Cookies?

Are session variables more secure than cookies?

Session cookies (cookies with no expiration) are destroyed when the browser is destroyed.

Session variables are destroyed when the browser is destroyed OR after a time period.

So, in that way, they are secure from the data persisting on the client.

However, while they are in use, can cookies and/or session variables be made secure without encryption?

How much more secure are session variables than cookies?


Secure Session Variables

I am trying to develop a forum in asp. I want to try and make it as secure as possible. I understand that if someone knows or guesses a session ID they can post requests to the server and potentially gain unauthorised access. How can I go about doing this securely?

I did think about using random strings as session IDs, but then how could I check to see if the user is logged in if I don't know what the session ID is.


Secure Are Session Variables

Example:
session("IsLoggedIn")=false

Can this be changed on the user's machine by editing the cookie directly? (Please tell me it can't!) If so, will ASP know it has been tampered with, and refuse to "accept" it if changed to "true"?


Session Variables And Cookies

We've just started getting a weird (and serious) problem with our ecommerce website.

Customers are logging in, which sets a session variable to their username (retrieved from the db). Then for no apparent reason at all, they'll be asked to login again a couple of minutes later.

e.g. Customer logs in, gets told they've logged in successfully, and they can access pages that require them to be logged in. Then, for example, they go to their 'My Account' page and are able to view it with no problems...simply refreshing the page a few times suddenly brings them back to the login page. Then a few more clicks on the 'My Account' button (without logging in a second time) and they're able to view it again.

It's really strange, it's as though the server loses track of the session for a moment, and then finds it again.

We're also getting problems with the shopping cart cookie that can display different quantities in the 'View Cart' page at different times without the customer actually changing the cart contents. Even after the customer completes an order and the cart contents are destroyed, the 'View Cart' page can continue to display the items they just purchased when it should be saying 'Your cart is empty'.

Given that we're having problems with both the cart cookie AND the login session variable (which also uses a cookie), and I'm almost 100% certain I've not touched any code that could interfere with either of these, I'm guessing that this is probably a problem with our ISP's web server but I'm not really sure. I really just want to see what you all think - if you think it's server related then I'll stop tearing my hair out going through all my code to see if it's our problem.


Session Variables And Cookies Breaking

The login state in my site relies on a combination of session variables and encrypted cookies. Some of my users are reporting that they are being "logged out" by the system - which seems to be related to their cookies being blanked out. I've checked all of the code and know that it's not being overwritten by my ASP.

The weird thing is that my site has two domain names, both pointing to the same pages and directories (no redirect). If this problem is happening to them and they switch to the other domain name and log back into the site, they stay logged in no problem. It also seems to not recur if the person is "logged out" and then logs back into the site on their own.

I had one problem like this in the past, because I had a tracking cookie that was being written on every page, and found that some browsers (don't remember which) had a limit of how many cookies could be written - and when they hit the limit the oldest cookie was tossed out. However, I don't have any code doing this now.

Anybody have any ideas what could be going on? Are there any session variable/cookie limits on the server side?


Setting Session Variables In Cookies For Personalized Content

I have these 3 tabs that I want the user to be able to select, a variable to be set, and then each page they visit in the site to read that variable and subsequently display content based on the variable that is set. So, Sheridan tab sees "Sheridan" variable content, Gillette sees "Gillette" variable content, etc.....


Enable Permanent Cookies But Disable Session Cookies

Is it possible for a user to enable permanent cookies but disable session cookies? This seems like a contradiction, yet this is what I appear to be reading in online articles.


Are Server Variables Secure?

I'm working on a shopping cart page. In page A (checkout) the user
enters their credit card information. On postback, if everything is
correct, it sends the user to page B (confirmation). My question is,
can I (or should I) use server variables to send CC information to page
B?

My boss doesn't want me to store this information in the SQL
database we're using. Obviously cookies are out of the question and so
is passing info through request.querystring, so I was thinking on using
session variables for this, but not sure if it's safe.
What should I do?


Session Secure

Is it safe to store credit card information in the ASP session state to be ultimately transmitted to VeriSign? I have a set of forms that are in the format of a wizard and I need to maintain the information through the pages. I know cookies are potentially unsafe, and I don't want to be responsible for credit card information being stored in my databases. I would use this type of method...

Code:
<% Session("CCNumber") = Request.Form("CCNumber") %>
If it helps, I have a VeriSign SSL certificate.


Secure Session Keys

I would like to implement user authentication and session management for my
applications. I've been using solution 1 (below) for most of my
applications in the past since the target audience is mostly intranet based.

Now that I'm creating a more global application, I want to use a method that
does not require cookies, yet maintain a fairly high level of security and
fault tolerance.

Is there a better way to handle this problem? What method do the big
Internet shopping companies use?

Scenario:

A user is authenticated and is given a session key. The session key is
passed to the user in an HTML page and returned to the server using a query
string. The user then copies the URL and gives it to his friend to see.
Since the URL now contains the session key, how does the server distinguish
between the authenticated user and his friend?

Solution 1:

Use an ASP session variable to store the session key between page requests.
This solution requires that the client have session cookies enabled. If the
session is not encrypted (i.e. SSL), the ASP session id is still passed via
clear text, and is vulnerable.

Solution 2:

Use a session key that identifies the location (IP address) of the user. If
the submitted session key doesn't match the user's location, then the
session key is invalid. The session key can be passed as part of the URL
and does not require cookies. This method is vulnerable to IP spoofing, and
breaks if the user is behind a NAT server, or web caching server that masks
the true IP address.

Solution 3:

Have the session key returned to the server via an HTTP POST request. This
method does not require cookies, but is clear text and vulnerable if the
session is not encrypted. The session key is lost if the user navigates to
a page manually issuing an HTTP GET request.


Cookies & Variables

My goal is this - to use cookies to remember items viewed by a specific user.

There is no registration process so need to identify each visitor & was thinking about using the session ID of the first visit as the identifier, is this okay?

So now I've identified a user I wish to attach to the cookie the imageID of every item that person has viewed i.e.

response.cookies("Mysite")(SessionID)="1.jpg"

then

response.cookies("Mysite")(SessionID)="2.jpg"


Cookies And Session

Can cookies or sessions be set to expire after the page is closed, the page is refreshed, or a new URL is entered?


Cookies , Session Which Is Better?

I need some help regarding cookies and session objects and also
global.asa file

I am creating one cookie when a user logs in on my website.
The cookie stores the login name of the user. I want that cookie
should get deleted when user closes the browser without signing out.

I think it is done in the global.asa file, but I don't know how to do it.
Please explain to me the working of the global.asa file.

Also, if I am creating a cookie and another site is also creating a
cookie of the same name, will this create a problem?

Which is safe and better: creating cookies or creating session
variables?


Session Cookies

I narrowed down with the shopping cart system on my site to the fact that session cookies are not enabled (or being allowed) in IE on some browsers...

I guess the default setting is "Automatic Cookie Handling"

it says that it uses P3P(W3C standard) to determine what cookies should be allowed and what should not...

what is the criteria to allow or block the acceptance of the cookie? I guess I will have to modify the site accordingly? Also what about older browsers...

I need to be able to use session variables on the site..

obviously if users disables cookies all together it will not work.. but it should allow for session cookies to be used.. no?


ServerXMLHTTP, Session And Cookies

I try to use the ServerXMLHTTP object to get the session information from a
remote webpage, but it always returns nothing.

The following is my code:

*local.asp*
url = "http://domain/remote.asp"
set xmlhttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
xmlhttp.open "GET", url, false
xmlhttp.send ""
Response.write xmlhttp.responseText
set xmlhttp = nothing

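*remote.asp*
' Read the login flag from the session and the user name from the cookie
bLogin = Session("login")
sUserName = Request.Cookies("username")
' Write out the two values read above
Response.Write(bLogin & " " & sUserName)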

Although the session and cookie are not blank, I cannot receive any
info.


Session With Cookies Disabled?

I am using a couple of session variables in my site. From what I can figure
out, session information is stored on the user's computer in a cookie -

If the user has cookies disabled, do session variables still work - just
without the option of setting the Timeout property, as I'm assuming?


Session Cookies Disappear!

I recently discovered that my session cookies on the web host disappear within 30 seconds. I created some very simple asp scripts (it took me a while until I
discovered why my shopping cart acts very weird...) to check the session
cookies.

On one asp page I set up cookies:

setcookie.asp
<%
Session("TransactionID") = 15
Session("CustomerID") = 1
%>

and on

readcookie.asp
<%
response.write "Session(""TransactionID"")=" & Session("TransactionID") & "<br>"
response.write "Session(""CustomerID"")=" & Session("CustomerID") & "<br>"
%>

The same asp pages run on my XP Pro show that the session cookies don't
expire as long as I close the browser, while on the remote web server, if I
do a refresh on readcookie.asp after 30 seconds, they are gone.

I run ASP on the server and all I know is that it is a Plesk server. No idea
if it is actually a Linux server or a Windows one...

Do I have to setup expiry time or something for session cookies?


Session Management With Cookies

We have a form where I can add products to my cart, so the user here can go on to a number of pages giving details like the number of products. I am using cookies for maintaining the session information like number of products, product name, item price etc. Now after all these processes a page will appear where there will be a button called "Pay Now". When the user clicks this button I should be able to clear all the cookies that are stored on the client side....


Using Cookies & Session Vars In Asp

I'm involved in quite a large project which has a slightly unusual
form of login (at least I think it's unusual!). I'm creating a site in
ASP (actually Chilisoft ASP) where access to all pages has to be
secured via login. The odd bit is that while the login page will be on
this site, the login process itself will be carried out on a
completely separate domain - this is the client's requirement so I
have no choice.

On login, the user will be assigned a 24 hour cookie by this 2nd
domain and then be passed back to the site I'm involved with. My site
then needs to assign a similar cookie (I'm assuming that I won't be
able to read the other domain's cookie) and allow access to the site
for 24 hours.

I'm wondering if it's most efficient to assign a session variable to
indicate the user is logged in once my cookie has been generated
(rather than have every page check for a cookie again) and on
subsequent sessions during the 24 hour period to 1st check for session
var, then the cookie and then, if cookie exists, to assign the session
variable again.


[poll]session Or Cookies

what do you prefer ?

1. using session or cookies?
2. why?
3. how long the expired time?


How To Send Session Cookies

Anyone know how to send ASP Session cookies like the following:

'Set-Cookie: ASPSESSIONIDCSBRSDCT=IOLJEPNDANEDGDFGPEKLNGEA; path=/'

using WinInet?


Stylesheet Switching, Session/cookies

Code:

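<%
Dim currentDesign, tempCSS
currentDesign = "default.css"
tempCSS = Request.QueryString("cssfile")
' Accept only the known stylesheet name; the value is written into the href attribute below
If tempCSS = "bluetext.css" Then currentDesign = tempCSS
%>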

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>West Cheshire College</title>
<link rel="stylesheet" type="text/css" href="<%=currentDesign%>" title="default" media="screen" />
</head>
<body>
<div class="content">chaaaaaaaaannnnnnnnggggggggeeee</div>
<p>
<a href="default.asp?cssfile=bluetext.css">Change Style</a>
</p>
</body>
</html>

So I have the two style sheets, default and blue text...the asp switches the style sheets around.

What I need now is for the var to be remembered...any suggestions?


VBScript Session() And Cookies Disabled

I am encountering errors with some legacy ASP scripts. The error returned when accessing these pages is:

Error Type:

(0x80004005)
Unspecified error

and occurs when cookies are disabled on the client's browser. Note, if cookies are enabled but no cookie exists, the script does not die, it is only when cookies are completely disabled. Code:


Display Session Objects, Cookies From App On Other Server

I'm writing a reporting application in ASP.

I want to have links to a CF app - specifically VeriSign's eCommerce
Manager (on VeriSign's server).

The links in my app will need current values for CFID and CFTOKEN in
their HREFs - I think these are cookies or session objects the
VeriSign/CF app sets once logged in, they appear on the url.

Assume user has logged into VeriSign manager before my app.


ASP Session/Cookies, Help To Protect Page From Non Users

I am a beginner and very urgently need some help.

I have created an ASP page that takes in a username and password and validates it as follows, and then if true continues to the pages requested.

Code:

'Read in the password for the user from the database
If (((Request.Form("txtUser")) = rsCheckUser("User_pass")) and (rsCheckUser("User_lev") = 1) ) Then
'If rsCheckUser("User_level") = 1 Then
'THE ABOVE CHECKS THE INFO IS CORRECT AND IT REDIRECTS TO THE PAGE BELOW and Session=True

'If the password is correct then set the session variable to True
Session("blnIsUserGood") = "True"

'Redirect to the authorised user page and send the users name
Response.Redirect"user_self_update_form.asp?ID=" & rsCheckUser("ID") & ""


'Close Objects before redirecting
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckUser = Nothing


End If

Now this code takes you to page :Response.Redirect"user_self_update_form.asp?ID=" & rsCheckUser("ID") & ""
Which is something like /project/user_self_update_form.asp?ID=1

Since after the login you go to this, you are allowed to see this page.

But the page user_self_update_form.asp?ID= can also be accessed if you just put the link in the browser. Let's say I log in as ID 2, and just change the ID to 3 on the address bar in the browser, I will log into someone else's page.

How do I block this from random access and only the SPECIFIC USER?

Code for user_self_update_form.asp (the protected page unless you are logged in):
The Session = False part just does not work here, so if you get this link of someone, you can just get it, and you are not redirected.

<%
'If the session variable is False or does not exist then redirect the user to the unauthorised user page
If Session("blnIsUserGood") = False or IsNull(Session("blnIsUserGood")) = True then
'Redirect to unauthorised user page
Response.Redirect"unauthorised_user_page.htm"
End If
%>

<%
'Dimension variables
Dim adoCon 'Holds the Database Connection Object
Dim rsGuestbook 'Holds the recordset for the record to be updated
Dim strSQL 'Holds the SQL query for the database
Dim lngRecordNo 'Holds the record number to be updated
'Read in the record number to be updated
lngRecordNo = CLng(Request.QueryString("ID"))

and all the other protected into here:


Username/Password Form And Session Cookies

I am new to asp. I am trying to setup a log-in screen and am having trouble figuring out how to set the session cookie. I found the bit of code below, and it works if I enter a specific 'email' and 'password' into the "if" statement, however we have multiple users logging into the section. How can I set it up so that if the form is successfully submitted using any of the multiple email/password combos then it creates the session?

Example found...

<%
email=Request.Form("email")
Password=Request.Form("Password")
If email="emailaddress" AND Password="password" Then
Session("Loggedin")=True
End If
%>


Accept /decline Page - Session Cookies

I need help with setting up a page where the viewer has to accept terms before they can access the rest of the website.

The page will have a bit of text explaining why they need to accept or decline the terms and then have 2 buttons, i.e. accept or decline.

What I need to be able to do is set this up so that if the viewer tries to bypass the accept/ decline page they will get re-directed to it. If they have clicked the accept button then they can view anywhere on the site.

I understand that 'sessions' in IIS don't actually close until about 20 mins after the user has left the site and can live with that. But if they come back the next day they must go through the accept/decline page to get into the site. It doesn't have to have usernames or password, they just have to accept.

I understand that you set up several pages to do this, i.e. the accept/decline page, a 'checkterms' page (which sets the session cookie?) and then some code on every other page on the site to check for the presence of the session cookie and let you view if it is there. If not, redirects you to the Accept/Decline page.

The problem I have is I don't know what code to write and where to put it into the page.


Tracking Session Variables From Outside The Session

I want to create an administration page which lists all the current users who are on the site at the moment.

I know coldfusion has this feature built in using the SessionTracker class... does ASP have something similar? If not... is there any way I can just iterate through all the session files on the server...?


Session Cookies - Detecting Specific User-agent/IP?

I'm new to using session cookies and need just a bit of help. On the introduction page to my project, I'm setting:

<%@ Language=VBScript %>
<%
response.cookies("user")="authenticated"
%>

Then, on subsequent pages, I'm checking for the cookie, and redirecting if it's not there:

<%@ Language=VBScript %>
<%
If NOT request.cookies("user") = "authenticated" Then
response.redirect "http://somepage"
End If
%>

What I need to do is incorporate an ignore element (by user-agent or IP) into where it checks for the cookie. For instance, if a user has an IP of 127.0.0.1, it ignores whether they have the cookie or not and lets them view the page.

The reason I'm doing this is I have a search engine that's crawling the site and it doesn't always go through the front page - therefore, it's getting redirected on most of the pages it sees. So what I'd like to do is have the script see that user-agent or IP, then ignore the cookie requirement.

Is that possible?


Session Variables...

I am using Session variables in my ASP application. I have tested the
application on a Win2k professional and it works fine. When the same web
app is installed on a win2k advanced server from the client browser when the
app is accessed the session variable returns null in spite of a value being
already set. I have checked the IIS enable session state settings. When I
use the server machine as client and access the app as localhost then the
session variable has correct value.

How can this be solved? What other settings if any, need to be changed to
get it work.


Session Variables

Do session variables carry over if you've left your site and come back?

My shopping cart uses PayPal/IPN to transact and then enter details of the transaction into my database. All of the data entry takes place after IPN has returned all of the data to my site.

A couple of the fields I need to populate are held in session variables throughout the application. When the customer clicks on the checkout button, and is sent over to PayPal's server to complete the transaction, will the session variables still be available to me upon returning to my site?


Session Variables

Is there a way to close a single session variable, once it's been created? I have an application that requires several session variables to be created once a person enters a certain section of my site. When they leave the variables are set to nothing, as they are no longer needed. I'd like to just close them out, but I will still need to keep the session open, so Session.Abandon will not work in this case.


IIS And Session Variables

I recently reformatted my PC and reinstalled IIS onto Windows 2000.

Since I have done that, my local sites don't work as they used to.

By that I mean, if I have a login page, such as this: Code:








Copyrights 2005-15 www.BigResource.com, All rights reserved