

Sessions

10 May 2002 00:47:25 aegis kleais posted:
Ok. In short. I password protect a file, and depending on the ID given, data is polled from the DB.

If upon successful entry the page shows this:

page.asp?id=myloginname

And he gets his company's info. Which is good and all. What stops him from removing his name from the URL addy and guessing another name, and upon the chance of finding a name, then pulls information from the DB that is not his....

So I've seen these pages like:

page.asp?id=myloginname&Session=@@@@@@@@@@DFDDDDDDDDDDKJKJKJSDOUI38473928934234

There are these long session IDs and such. Can someone explain in full what session IDs are? How they are stored in
reference to the person using them and such?

Replies

10 May 2002 02:09:46 David Thomas replied:
I'd also like to know about this.

I'm okay with setting a session variable per login name, but the URLs that "Aegis.." describes are usually application variables, aren't they?

Come on guys, explain this in some detail for us...

But the easiest way around this is just to give them each a unique password, and then it won't matter if they change the addy, it will just deny them access.

"Nobody ever said this stuff was easy"

Edited by - DavieT on 10 May 2002 02:13:53
10 May 2002 10:24:39 Julio Taylor replied:
I ain't some mega-expert geek genius boy, but

Normally I use PHP to do this, to filter news and other general information on a page, but I use the PHP built-in variable 'KT_Username' which is a session variable storing the login name of the user currently logged in.

What I suggest you do is either store the user's name in a temporary cookie which then serves all the subsequent pages, or you specify a session variable that will remain populated until the browser is closed or the user logs out.

If you are using PHP (if not, you should be!) you must specify this code at the top of your documents:

<?php
session_start();
?>

and you can use the KT_Username session variable as criteria for all your SQL queries and recordsets.
The point of this whole discussion is that session variables and cookies are not shown in the URL line, and you can thus avoid people trying to guess other people's information...

Oh yeah, you also have to make sure you request the variable using the 'environment variable' option in the Data Bindings panel.

I hope this helps.

-- J
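The two patterns this thread contrasts, as an added example that is not from any poster: the page that trusts the `id` in the URL beside the version that takes the login name from the server-side session, plus the login step that populates it. It assumes a PDO connection `$db` and a hypothetical `companies` table with columns `login_name`, `company_name` and `info`; `KT_Username` is the session key mentioned above.

```php
<?php
// Added example (not code from the thread). Assumes a PDO connection $db and a
// hypothetical table companies(login_name, company_name, info).
session_start();

// Vulnerable: page.php?id=myloginname -- whoever edits the URL picks the row,
// so guessing another login name pulls another company's data.
function companyFromUrl(PDO $db): ?array
{
    $id = $_GET['id'] ?? '';
    $stmt = $db->prepare('SELECT company_name, info FROM companies WHERE login_name = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened: the login name comes from $_SESSION, which lives on the server.
// The browser only holds the opaque session ID cookie, not the name, so there
// is nothing in the URL to edit and nothing in the cookie worth guessing.
function companyFromSession(PDO $db): ?array
{
    if (empty($_SESSION['KT_Username'])) {
        http_response_code(403);
        return null;            // not logged in: nothing is polled from the DB
    }
    $stmt = $db->prepare('SELECT company_name, info FROM companies WHERE login_name = ?');
    $stmt->execute([$_SESSION['KT_Username']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Call once the password check has passed. Rotating the session ID means a
// cookie value handed out before login cannot be reused as the logged-in one.
function loginSucceeded(string $loginName): void
{
    session_regenerate_id(true);
    $_SESSION['KT_Username'] = $loginName;
}

// Log-out: clear the server-side data and drop the cookie.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The prepared statement is incidental to the session point but matters here too, since the `id` parameter is also the obvious place for SQL injection on the vulnerable page.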
10 May 2002 17:49:49 Andrew Watson replied:
A Session is a single visit to a website. It is started when they enter your domain and ended when they leave it or close their browser.

A SessionID is simply a Unique Identifier that is used to identify the session. It is usually used for statistics logging and the like.

The reason they are so long is that they have to be totally unique, so the longer the string the less chance of duplicating a SessionID.

You don't have to display the password in the URL string; it can be posted by a form and is then invisible.

Or at least that's how I look at it....

:: Son, I'm Thirty.... ::
