Standard Cookies over Session vars for classic asp site security

Skip to first unread message


Sep 20, 2012, 11:15:54 AM9/20/12

I've always used session vars to create secure parts to my web sites/apps
becuase I can simply add a value to a session var on successful login and
then every secure page has at the top of it:

IF Session("check") <> "fred" THEN redirect..... url

Prob with this is that now that I've gone a bit ajax-ie with my pages users
are spending a lot of time on the same page rather than going through pages
and making page requests, which means I'm really getting caught out with the
old session timeout problem.

Although I thought the solution would be to just increase the session
timeout and app pool idle time to something like 50 mins or so (am I bad??),
a few have said that I should be using standard cookies rather than session

I know how the response.cookies thing works, but how can I leave login
details in a cookie so that the site picks them up? Surely this is a
massive breach of security. For example, my user logs on and does their
thing. They come off the machine and some unscru goes into Temp Internet
Files, grabs the cookie file and then either puts it into their Temp
Internet Files folder or simply opens it up to see the contents. Security

Even if I encrypted the content surely if they copied and pasted it into the
same cookie file on their computer then they could get straight into the

Is this a complete no-no??


Nov 7, 2012, 6:07:04 AM11/7/12
Store the username and a "logged in" cookie on the user's machine. When the user enters their password correctly, send out the cookie to indicate the user is logged on. When the user logs out, delete the cookie. Also set a timeout on the cookie of an hour or two.

I think you're overreacting with the whole idea of someone copying a cookie from someone's machine though.

Mike Lalonde (chef)
sudbury ontario
Reply all
Reply to author
0 new messages