
Standard Cookies over Session vars for classic asp site security


Mojo

Sep 20, 2012, 11:15:54 AM
Hi

I've always used session vars to create secure parts to my web sites/apps
because I can simply add a value to a session var on successful login and
then every secure page has at the top of it:

IF Session("check") <> "fred" THEN redirect..... url

Prob with this is that now that I've gone a bit ajax-ie with my pages users
are spending a lot of time on the same page rather than going through pages
and making page requests, which means I'm really getting caught out with the
old session timeout problem.

Although I thought the solution would be to just increase the session
timeout and app pool idle time to something like 50 mins or so (am I bad??),
a few have said that I should be using standard cookies rather than session
vars.

I know how the response.cookies thing works, but how can I leave login
details in a cookie so that the site picks them up? Surely this is a
massive breach of security. For example, my user logs on and does their
thing. They come off the machine and some unscru goes into Temp Internet
Files, grabs the cookie file and then either puts it into their Temp
Internet Files folder or simply opens it up to see the contents. Security
breached!!!

Even if I encrypted the content surely if they copied and pasted it into the
same cookie file on their computer then they could get straight into the
system?

Is this a complete no-no??

Thanks
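
The replay concern raised in the post, as an added example (not part of the original post, and written in Python rather than classic ASP): a signed cookie that carries the login state is tamper-proof yet stays valid wherever it is copied until it expires, while a cookie holding only a random token can be timed out or revoked on the server. SERVER_KEY, IDLE_LIMIT and every function name here are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed key; never leaves the server
IDLE_LIMIT = 20 * 60                  # assumed idle timeout, in seconds
_sessions = {}                        # sha256(token) -> {"user", "last_seen"}

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def make_signed_cookie(user, now):
    """Stateless cookie: user|expiry|HMAC. Cannot be forged, can be copied."""
    body = f"{user}|{int(now) + IDLE_LIMIT}"
    return f"{body}|{_mac(body)}"

def check_signed_cookie(cookie, now):
    try:
        user, expiry, mac = cookie.split("|")
        expires_at = int(expiry)
    except ValueError:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(f"{user}|{expiry}").encode())
    # The server keeps no state, so a pasted copy passes until expires_at.
    return user if ok and now < expires_at else None

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()

def login(user, now):
    """Server-side session: the cookie holds a random token, no login details."""
    token = secrets.token_urlsafe(32)
    _sessions[_key(token)] = {"user": user, "last_seen": now}
    return token

def check_token(token, now):
    entry = _sessions.get(_key(token))
    if entry is None or now - entry["last_seen"] > IDLE_LIMIT:
        _sessions.pop(_key(token), None)
        return None
    entry["last_seen"] = now  # sliding expiry: every request, AJAX included, renews it
    return entry["user"]

def logout(token):
    _sessions.pop(_key(token), None)  # a copied token is worthless from here on
```

A copied token still works while the session is live, so the cookie should also be sent only over HTTPS and kept away from script access.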

